
3.8.3 Forbidden Tunnels

Polipo allows tunnelled connections by default (see Tunnelling connections); sometimes, however, it is desirable to block some of them selectively.

Because Polipo merely passes tunnelled connections through, filtering is possible only on the hostname and port of the tunnel request. Protocol-specific information such as a pathname is never visible to Polipo, so it cannot be used for filtering.

Obviously the web browser (and any other software) must be configured to use Polipo as its tunnelling proxy for this to work; connections that bypass the proxy are not filtered. The tunnelled traffic is neither modified nor inspected in any way by Polipo, so encryption, certificate validation and all other security and integrity guarantees implemented in the browser are unaffected.

The file pointed at by the variable forbiddenTunnelsFile (defaults to ~/.polipo-forbiddenTunnels or /etc/polipo/forbiddenTunnels, whichever exists) specifies the set of tunnel specifications that should be blocked.

Every line in a file listing forbidden tunnels can either be a domain name — a string that doesn’t contain any of ‘/’, ‘*’ or ‘\’ —, or a POSIX extended regular expression. Blank lines are ignored, as are those that start with a hash sign ‘#’.

Entries in the form of regular expressions are matched against tunnel requests written as hostname:portnumber. The match is not anchored, so an expression that is meant to match one host or one port range should be anchored explicitly with ‘^’ and ‘$’.

Tunnelled and blocked connections are logged if the configuration variable logLevel has bit 0x80 set, that is, if ((logLevel & 0x80) != 0).

Example forbiddenTunnelsFile:

# simple case, exact match of hostnames

# match hostname against regexp

# match hostname and port against regexp
# this will block tunnels to but also
# for ports in the range 600-999
# Also watch for effects of 'tunnelAllowedPorts'\:[6-9][0-9][0-9]

# random examples
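The following Python model of the matching rules described above is an added example written for this page; it is not Polipo's own code and does not reproduce its implementation. The forbiddenTunnelsFile contents and the tunnelAllowedPorts value are constructed for the example; case-insensitive comparison of domain-name lines, the comma-separated port-range syntax used for tunnelAllowedPorts, and the use of Python's re module in place of POSIX extended regular expressions are assumptions (the constructed patterns are valid in both dialects). It shows the two pitfalls a practitioner runs into: an unanchored hostname regexp also matches lookalike hosts, and an unanchored port range such as [6-9][0-9][0-9] also matches four-digit ports.

```python
import re
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# Constructed forbiddenTunnelsFile for this example (not the manual's own).
# A line is a domain name when it contains none of '/', '*' or backslash;
# anything else is compiled as a regular expression.
FORBIDDEN_TUNNELS = r"""
# exact hostname match
mail.example.org

# hostname-only regexp: it has no anchors, so it also matches
# lookalike hosts such as example.net.attacker.test
example\.net

# hostname and port: meant for www.example.com on ports 600-999,
# but the unanchored port part also matches 6000-9999
^www\.example\.com\:[6-9][0-9][0-9]

# hardened variant, anchored at both ends: ports 600-999 only
^ftp\.example\.com:[6-9][0-9][0-9]$
"""

# Constructed tunnelAllowedPorts value; the comma-separated range syntax
# is an assumption of this example.
ALLOWED_PORTS = "22-1023,8080"


@dataclass
class ForbiddenTunnels:
    domains: Set[str] = field(default_factory=set)
    patterns: List[Tuple[str, re.Pattern]] = field(default_factory=list)


def is_domain_entry(line: str) -> bool:
    """Domain-name lines contain none of '/', '*' or backslash."""
    return not any(c in line for c in "/*\\")


def parse_forbidden_tunnels(text: str) -> ForbiddenTunnels:
    """Parse the file: blank lines and lines starting with '#' are ignored."""
    rules = ForbiddenTunnels()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if is_domain_entry(line):
            rules.domains.add(line.lower())  # assumption: case-insensitive
        else:
            try:
                rules.patterns.append((line, re.compile(line)))
            except re.error as exc:
                raise ValueError(f"line {lineno}: bad regexp {line!r}: {exc}")
    return rules


def tunnel_is_forbidden(rules: ForbiddenTunnels, hostname: str,
                        port: int) -> Tuple[bool, str]:
    """Return (forbidden, matching entry). Regexps are searched, unanchored,
    against the string 'hostname:port'."""
    if hostname.lower() in rules.domains:
        return True, hostname.lower()
    target = f"{hostname}:{port}"
    for source, pattern in rules.patterns:
        if pattern.search(target):
            return True, source
    return False, ""


def parse_port_list(spec: str) -> Set[int]:
    """Expand '22-1023,8080' into the set of allowed ports."""
    ports: Set[int] = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        lo, _, hi = item.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def tunnel_decision(rules: ForbiddenTunnels, allowed_ports: Set[int],
                    hostname: str, port: int) -> str:
    """A forbidden entry wins; otherwise the port must be in tunnelAllowedPorts."""
    if tunnel_is_forbidden(rules, hostname, port)[0]:
        return "forbidden"
    if port not in allowed_ports:
        return "port-not-allowed"
    return "allowed"


def should_log_tunnel(log_level: int) -> bool:
    """Tunnel events are logged when bit 0x80 of logLevel is set."""
    return (log_level & 0x80) != 0


if __name__ == "__main__":
    rules = parse_forbidden_tunnels(FORBIDDEN_TUNNELS)
    allowed = parse_port_list(ALLOWED_PORTS)
    for host, port in [("mail.example.org", 443), ("imap.mail.example.org", 993),
                       ("example.net.attacker.test", 443),
                       ("www.example.com", 6000), ("ftp.example.com", 6000),
                       ("ftp.example.com", 8443)]:
        print(f"{host}:{port:<5} -> {tunnel_decision(rules, allowed, host, port)}")
```

Note that the domain-name line blocks only mail.example.org itself, not imap.mail.example.org, whereas the unanchored expression example\.net blocks example.net.attacker.test as well; the hostname-and-port expression for www.example.com blocks port 6000 as well as 700 until the port range is anchored with ‘$’, as the ftp.example.com entry shows.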
