********************************************************************************************
********************************************************************************************
********************************************************************************************
This is our old tutorial. To read the new tutorial, click NEW TUTORIAL
********************************************************************************************
********************************************************************************************
NxFilter Tutorial
1. Getting started
- System requirements
- Install NxFilter on Windows
- Install NxFilter on Ubuntu Linux
- Updating NxFilter
- Start and stop NxFilter
- Client DNS setup
3. Blacklist and domain categorization
4. Authentication
- Install NxFilter on Windows
- Install NxFilter on Ubuntu Linux
- Updating NxFilter
- Start and stop NxFilter
- Client DNS setup
- NxFilter and authentication
- Single sign-on with Active Directory using NxMapper
- The order of authentication methods
5. GUI overview
- Single sign-on with Active Directory using NxMapper
- The order of authentication methods
- GUI - Config
- GUI - DNS
- GUI - User & Group
- GUI - Policy & Rule
- GUI - Category
- GUI - Whitelist
12. FAQ
- GUI - DNS
- GUI - User & Group
- GUI - Policy & Rule
- GUI - Category
- GUI - Whitelist
- I can bypass NxFilter by accessing websites using IP address.
- It doesn't get blocked/unblocked right away.
- How do I force a user to be filtered by NxFilter?
- How NxFilter determine which policy to apply for a user?
- What is the quickest way of blocking 'facebook.com'?
- I want to block 'facebook.com' only for students.
- I want to allow sales department to use the Internet freely at lunchtime.
- How do I reset admin password?
- How do I enable debug mode?
- I don't see any username on 'Logging > Request'.
- How do I restrict porn on Google, Youtube search result?
- It doesn't get blocked/unblocked right away.
- How do I force a user to be filtered by NxFilter?
- How NxFilter determine which policy to apply for a user?
- What is the quickest way of blocking 'facebook.com'?
- I want to block 'facebook.com' only for students.
- I want to allow sales department to use the Internet freely at lunchtime.
- How do I reset admin password?
- How do I enable debug mode?
- I don't see any username on 'Logging > Request'.
- How do I restrict porn on Google, Youtube search result?
System requirements
- Windows, Linux, FreeBSD or other OS having Java(JRE) 1.7 or higher installed.- 768 MB RAM.
- 4 GB of free disk space.
- UDP/53, TCP/80, TCP/443 ports.
* You can run NxFilter with lesser hardware but we recommend you to have more than 1 GB of system memory
and 40 GB of disk space especially when you have more than 1,000 users.
* At default NxFilter uses up to 768 MB of system memory. This might not be enough for a bigger site.
To allocate more memory to NxFilter, read Performance tuning guide part of this tutorial.
- Go index -
Install NxFilter on Windows
We provide a Windows installer. When you download and run 'nxfilter-x.x.x.x.exe' you will
see the following window.
* We have a video tutorial on Youtube - View Youtube tutorial!
After you follow several steps on the installer, it will try to create a Windows service
for NxFilter. If you see the following message, you have NxFilter successfully installed.
To access its admin GUI, start your browser and type 'http://localhost/admin' into the address bar.
Or if you created a desktop icon during the installation process you can click it.
If you see a login screen like below, your NxFilter is up and running. The initial login name
and password are 'admin' and 'admin'.
- Go to index -
Install NxFilter on Ubuntu Linux
We have a 'deb' package for installing NxFilter on Ubuntu Linux.
To install it, after you install Java, download the package using 'wget', and then install it using 'dpkg'.
Then start it from the Systemd script bundled with the package.
* We have a video tutorial on Youtube - View Youtube tutorial!
* OpenJDK 9 may cause a problem with our embedded webserver. We recommend you to run NxFilter with OpenJDK 8.
sudo apt-get install openjdk-8-jre
wget http://www.nxfilter.org/download/nxfilter-4.0.2.deb
sudo dpkg -i nxfilter-4.0.2.deb
sudo systemctl enable nxfilter.service
sudo systemctl start nxfilter.service
To access its admin GUI, start your browser. If you install it on '192.168.0.100' type 'http://192.168.0.100/admin'
into the address bar of your browser. The initial admin name and password are 'admin' and 'admin'.
When you update NxFilter using a 'deb' package and if you update it to v4.0.3
use the following commands,
wget http://www.nxfilter.org/download/nxfilter-4.0.2.deb
sudo dpkg -i nxfilter-4.0.2.deb
sudo systemctl enable nxfilter.service
sudo systemctl start nxfilter.service
sudo systemctl stop nxfilter.service
sudo dpkg -i nxfilter-4.0.3.deb
sudo systemctl start nxfilter.service
To remove NxFilter,
sudo dpkg -i nxfilter-4.0.3.deb
sudo systemctl start nxfilter.service
sudo dpkg -r nxfilter
On Ubuntu 18, 'systemd-resolved' service uses UDP/53. You have to disable it before you install NxFilter.
To stop and disable it, run these commands,
sudo service systemd-resolved stop
sudo systemctl disable systemd-resolved.service
- Go to index -
sudo systemctl disable systemd-resolved.service
Updating NxFilter
We provide a Windows installer and packages for some Linux distributions for installaing and updating NxFilter. While it
is convenient, sometimes you have to do it with a 'zip' package. When you update NxFilter using
a 'zip' package,
1. Download 'nxfilter-x.x.x.zip' file.
2. Stop NxFilter.
3. Extract the zip file into the directory NxFilter installed.
4. Start NxFilter.
- Go index -
Start and stop NxFilter
There are several utility scripts for NxFilter in '/nxfilter/bin' directory.
- To start NxFilter : startup.sh
- To stop NxFilter : shutdown.sh
- To see if it is running : ping.sh
On Windows, use '.bat' files instead of '.sh' files.
- To stop NxFilter : shutdown.sh
- To see if it is running : ping.sh
* When you run it as a Windows service use 'net start NxFilter' to start
and 'net stop NxFilter' to stop.
* Use 'net start NxCloud' and 'net stop NxCloud' for NxCloud.
- Go index -
Client DNS setup
After you install NxFilter you want to monitor and filter Internet activity in your network.
To monitor and filter Internet activity you need to make NxFilter to be the only DNS server for your network.
The simplest way of setting up a DNS server for your users would be modifying the network setup
on OS level like the above. But you don't want to set up all the PC in your network one by one.
So the best way would be using DHCP server. You just need to modify DNS server address on your
DHCP server setup and then your users will be using NxFilter as their DNS server.
If you have a firewall you can force your users to use NxFilter as their DNS server by blocking outgoing
traffic on UDP/53, TCP/53 port. Now NxFilter became the only DNS server your users can use.
- Go index -
What is a blacklist?
A blacklist is a database of categorized domains. It is an essential part of a DNS filter
for blocking websites by categories. NxFilter supports several blacklists.
1. Jahaslist
Jahaslist is the default blacklist option for NxFilter. It supports dynamic classification
by NxClassifier. NxClassifier is the integrated auto-classification engine for NxFilter.
For more details about NxClassifier and Jahaslist, read NxClassifier section.
2. Cloudlist
* We ship a 30 day trial license and a free 20 user license for Jahaslist in NxFilter package. Once you install NxFilter,
you can use Jahaslist without any restriction for 30 days. After the 30 days of trial, it becomes a free
20 user license.
We outsource a third party cloud based blacklist option. It has more than 30 million domains classified already and
does dynamic classification. Since it is on cloud, you don't need to import or update anything.
3. Globlist
Globlist is a new free blacklist option since NxFiter v4.2.0.
It has more than 400,000 domains classified into 3 categories that are Ads, Phishing/Malware and Porn.
It does auto-update in the background. Globlist works on global policy level only.
- Go index -
Reclassification on blacklist
You can add domains directly into system categories. It works like the domains added into custom
categories. Even if you have the same domain classified differently in your blacklist your custom
classification overrides it. So the effect of it is immediate. No need to report it back to somewhere
and wait to see it updated.
There are two ways of reclassification. One is to add domains on 'Category > System' and the other
one is using the popup reclassification form by clicking a domain on 'Logging > Request'.
- Go index -
NxFilter and authentication
NxFilter provides several authentication methods including single sign-on with Active Directory integration.
Why authentication
When you install NxFilter first time you only have one policy and it applies to everybody
in your network. But what if you are working for a school as a systems administrator and you want to apply
a policy based on user and group. For students, a stricter policy and for teachers, a bit lenient
policy. Now you need to differentiate users. That's when you need to enable authentication.
Which authentication
NxFilter supports several ways of authentication. You can choose one of them or mix and match some of them.
1. IP based authentication
This is the simplest form of authentication. When you use a static IP address for your client PC this might be the best choice.
Just associate the IP address of the client PC to the user you create on NxFilter GUI. You also can associate an IP range
to a user.
2. Password based authentication
* Many people try to use IP based authentication without enabling authentication on 'Config > Setup'. But IP based
authentication is still a method of authentication so you must enable it first.
When you enable authentication NxFilter blocks any user trying to access the Internet with its login-page unless they
already logged-in or having IP an address associated to them. To go through the login-page your users need to enter
their password. You can set a password for each user on NxFilter GUI.
3. LDAP based authentication
If you integrate NxFilter into OpenLDAP or Active Directory, your users can go through the login-page using their LDAP
credentials. To use this feature you need to import your users from your LDAP server first.
4. Login token based authentication
NxFilter has a special concept called 'Login Token'. This is used for remote user authentication or filtering.
This login token is being created for each user when you create or import users. You use this login token to
differentiate users for remote user filtering with NxClient and NxBlock or dynamic IP update with NxUpdate.
5. Single sign-on against Active Directory
Many people want to filter their users transparently. Or you don't want to show any login prompt to your users.
NxFilter provides Active Directory integration. Once you implement it, your users don't need to go through NxFilter's
login-page and your users will be appeared on NxFilter GUI with their Active Directory username and group.
- Go index -
Single sign-on with Active Directory using NxMapper
NxMapper is a Windows service program that you can install and run on a domain controller.
It will detect user logon events and create login sessions on NxFilter.
* Before you implement single sign-on against Active Directory, you need to import users and groups first. To import users
and groups, read GUI - User.
Install and run NxMapper
We offer a Windows installer for NxMapper. It will install NxMapper as a Windows service.
After you install it, you will see its setup program running.
'Server IP' is your NxFilter IP address. When you check 'Refresh Session', it will refresh the login session
it created on NxFilter.
After you modify the config values, test your setup and then start it.
* NxMapper needs to be installed on a domain controller.
- Go to index -
* You can add multiple IP addresses separated by commas if you run a cluster of NxFilter.
The order of authentication methods
NxFilter supports multiple authentication methods. But what if a user having an associated IP also falls into an IP range which
is associated to a different user? Or what if a user passed NxFilter login-page is in an IP range which associated
to another user? To address this issue, we have a sequential order for the authentication methods.
This is the order of authentication methods.
1. Single IP association
Single IP association comes first so that you can exclude some systems from IP range association
or allow some users to login without login prompt.
2. IP session
'IP session' is a login session being created and maintained on NxFilter by its single sign-on agent
or login-page. This comes at second.
3. IP range association
When you need to allow anonymous users to access the Internet without any login process
you associate the IP range of your network to a user. But you still can differentiate
users by single IP association or the login session. So the IP range association comes at last.
- Go index -
We have 'Most specific IP range comes first' rule for ordering IP range users. If there
are overlapped IP ranges, the smaller IP range will be applied before the others.
GUI - Config
These are mostly system configuration parameters for NxFilter.
Config > Setup > Block and Authentication
- Block Redirection IP
This is the IP address of NxFilter itself. If there is a blocked DNS request, it will be redirected
to this IP address. It is supposed to be populated automatically during the installation process.
- External Redirection IP
* When you use clustering, you can add multiple block redirection IP addresses separated by commas for redundancy.
When you use a remote filtering agent, you might need to use a different 'Block Redirection IP' for the remote
filtering agent since it is outside your network. If you leave this one empty NxFilter will use
'Block Redirection IP' for redirecting the remote filtering agent.
- IPv6 Redirection IP
As of v4.0.5, NxFilter uses IPv4 over IPv6 as its IPv6 block redirection IP automatically. So normally you don't need
to set this up. But sometimes you want to override it by manual setup.
- Enable Authentication
After you enable this option, any unauthenticated user will be redirected to NxFilter's login-page.
Your users will be forced to login to use the Internet.
- Login Domain
You can access NxFilter's login-page using a domain defined here.
- Logout Domain
You can clear out a user login session using a domain defined here.
- Login Session TTL
NxFilter keeps a login session after a user login. But this login session needs to be expired eventually.
It is especially required when there is a shared PC by several users. If a user doesn't make any DNS request
for the specified amount of time defined here, his/her login session expires and the user needs to login
again.
- Disable Login Redirection
With this option enabled, NxFilter doesn't do login redirection. All the DNS packests from unauthenticated
users will be dropped. This option is for hiding your server from attackers when you deploy your server on
the Internet.
Config > Setup > Syslog
NxFilter supports Syslog exportation of its log data. You can build your own reporting system with this feature
or you can monitor all the logging in a real-time manner.
- Syslog Host
The host IP address to which you want to send Syslog data.
- Syslog Port
UDP port of target host.
- Export Blocked Only
With this option NxFilter sends the log data of blocked DNS request only.
- From Each Node
At default, Clustered NxFilter sends Syslog data only through its master node. When you enabled this option,
each node exports its own data.
- Enable Remote Logging
Enable Syslog exportation.
Config > Setup > NetFlow
NxFilter supports bandwidth control. This is possible by importing NetFlow data.To find out more, read this, Bandwidth control with NxFilter - Router IP
The IP address of a device sending NetFlow data to NxFilter.
- Listen Port
The UDP port number of NetFlow collector.
- Run Collector
Run NetFlow collector. After change this option you need to restart NxFilter.
Config > Setup > Misc
- Admin Domain
You can access the admin GUI using the domain you set up. For example, if you use 'admin.nxfilter.org'
as your admin domain you can access your admin GUI by typing 'http://admin.nxfilter.org/admin' into your
browser address bar.
- Bypass Microsoft Update
* This only works when you use NxFilter as your DNS server. Otherwise you need to register your
admin domain to your own DNS server.
You don't want to block Microsoft update with your filtering. Enabling this option means bypassing
'microsoft.com' and 'windowsupdate.com' and their subdomains.
- Logging Retention Period
If you keep your log data too long it will use your disk space a lot. You can set how
long NxFilter keeps its log data here.
- SSL Only to Admin GUI
When you want to allow only HTTPS access to the admin GUI enable this option.
Once you enable this option you will be redirected to the SSL port automatically even if you try to use HTTP.
- Auto Backup
NxFilter makes a backup file for its configuration into '/nxfilter/backup' directory on '01:00' everyday.
The name of the backup file starts with 'auto-' prefix. You can have up to 30 backups.
- Agent Policy Update Period
NxFilter provides several agent programs for application control and remote user filtering.
These agents fetch their policies periodically. You can set up the policy update period for them here.
Config > Admin
You can change admin name and password for GUI login here.
* 'Client Password' is for remote filtering agent setup. We use it to access NxBlock setup page.
* 'Report Password' is for report manager to access the logging/reporting related menus on GUI.
Config > Alert
NxFilter sends an email for recent blocking or access violation. If you want to send an alert email to 'admin @ nxfilter.org' from
'alert200 @ gmail.com' on every 15 minutes then the setup would look like the below.
- Admin Email : admin @ nxfilter.org
- SMTP Host : smtp:gmail.com
- SMTP Host : 465
- SMTP SSL : on
- SMTP User : alert200
- SMTP Password : ********
- Alert Period : Every 15 minutes
- SMTP Host : smtp:gmail.com
- SMTP Host : 465
- SMTP SSL : on
- SMTP User : alert200
- SMTP Password : ********
- Alert Period : Every 15 minutes
* When you set this up, NxFilter also sends alert emails for some system related incidents. But 'CC Recipients'
is only for recent blocking.
* You can set up the categories you want to get alerted with when a domain gets blocked.
Config > Allowed IP
NxFilter has IP based access restriction function for its DNS, GUI, login redirection. You may need to use this feature
when you put your NxFilter on a public IP address. You can make whitelist/blacklist way of ACL here.
Config > Backup
You can create and download a backup file for the current configuration of NxFilter manually.
Config > Block Page
This is the setup for custom block-page, login-page, welcome-page. When you edit your block-page you can use
the following variables populated by NxFilter for making your block-page more informative.
- #{domain} : Blocked domain
- #{reason} : Reason for block
- #{user} : Logged-in username
- #{group} : Groups of the logged-in user
- #{policy} : The applied policy
- #{category} : Categories of the blocked domain
Config > Cluster
NxFilter has a built-in clustering. You can make your NxFilter to be a master node or a slave node in a cluster.
After you change the values in cluster setup you need to restart your NxFilter to apply the new settings.
- Go index -
- #{reason} : Reason for block
- #{user} : Logged-in username
- #{group} : Groups of the logged-in user
- #{policy} : The applied policy
- #{category} : Categories of the blocked domain
GUI - DNS
NxFilter is basically a DNS server with filtering ability. This is for DNS service related settings.
DNS > Setup > DNS Setup
- Upstream DNS server
NxFilter works as a forwarding DNS server. You need to have at least one upstream DNS server.
- Upstream DNS Query Timeout
Timeout for a DNS query to your upstream DNS server.
- Response Cache Size
NxFilter has its own cache for DNS responses from its upstream server. You can adjust the cache size.
Currently the default size is 200,000 and it is enough for most cases.
- Use Persistent Cache
NxFilter can keep up to 1 million DNS responses in its DB. When you have a big enough persistent cache
you will not lose your 'Internet Connection' even if there is a nationwide DNS outage because NxFilter will work
with its persistent cache.
- Use Negative Cache
At default, NxFilter doesn't keep a negative response in its cache. With this option, NxFilter will keep a negative
response such as 'Server Failure' or 'Non-existent Domain' up to 15 minutes.
- Minimal Responses
You can send only 'Answer' records in a DNS response of NxFilter and ignore 'Additional' and 'Authority'
section for reducing DNS packet size and improving server performance.
- Minimum Cache TTL
You can reduce the number of DNS requests from your clients by setting up a minimum cache TTL value. This only applies
on A, AAAA, CNAME records.
- Block Cache TTL
The TTL value for NxFilter's block redirection response.
DNS > Setup > Local DNS
- Local DNS Server
When you have a local DNS server for resolving your local domain add its IP address
here. You can add multiple IP addresses separated by commas for redundancy.
- Local Domain
When you have a domain to bypass to your local DNS server add the domain here. You can
add multiple domains separated by commas.
- Local DNS Query Timeout
* Don't use '*' or any wildcard for a local domain. It includes its subdomains already.
Timeout for a DNS query to your local DNS server.
- Use Local DNS
Enable local DNS.
* If you set up a local DNS server, all the DNS queries for your local
domain will be bypassed from authentication, filtering and logging.
DNS > Setup > DNS Over HTTPS
- HTTPS DNS Server
NxFilter supports Cloudflare and Google HTTPS DNS servers.
- HTTPS DNS Query Timeout
Timeout for a DNS query to your HTTPS DNS server.
- Fail-safe With UDP/53
You can make NxFilter querying again using UDP/53 protocol when there's a failure with an HTTPS DNS server.
- Use HTTPS DNS
Enable HTTPS DNS.
DNS > Setup > Misc
- Drop Hostname Without Domain
When you use NxFilter or NxCloud on cloud you don't need to deal with the hostname only domains.
- Drop PTR For Private IP
Drop a reverse lookup for private IP addresses. You might need this option when you run NxFilter on cloud.
DNS > Zone File
When you use NxFilter as an authoritative DNS server you would need to set up a zone file. We use the same format
as a BIND zone file. To find out more, read
Authoritative DNS server.
DNS > Redirection
Domain to IP or domain to domain redirection is possible with NxFilter. It works like a custom DNS record.
DNS > Zone Transfer
You may need to import a DNS zone from another DNS server. Once you add a zone-transfer setup
here, NxFilter imports the DNS zone every minutes using IXFR protocol.
- Go to index -
GUI - User
You can create or import users and groups here. NxFilter supports user importation from
Active Directory and OpenLDAP.
Creating a user
There are 3 types of users you can create on NxFilter.
1. IP user
It has an associated IP address or an IP range and will be authenticated based on IP address.
2. Password user
If you set a password for a user it becomes a password user. You can use the password
on the login page of NxFilter.
3. LDAP user
When you import users from your LDAP servers or Active Directory they become
LDAP users. They can use LDAP or Active Directory user credentials on NxFilter's login page.
Properties of a user
- Password : The password for login through NxFilter's login page.- Work-time Policy : The policy to be applied when it is not in a free-time.
- Free-time Policy : The policy to be applied during a free-time. You can define a free-time on 'Policy > Free Time'.
- Expiration Date : The expiration date for a user account.
- Login Token : The token for remote user filtering or remote user authentication. It is created when a user created or imported.
- Group : You can set a group for a user if you created the user on NxFilter GUI manually.
Testing a user When you have an LDAP imported user you may have multiple groups and policies for a user. As a result, it becomes difficult to figure out which policy a user falls into. To find out which is the 'Applied Policy' for a user, use 'TEST' button on the user list. It fetches the state of a user from NxFilter in a real-time manner.
* You can use this test view to find out how much quota or bandwidth consumed by a user
or to reset quota or bandwidth for a user.
Creating a group
After you create a group on 'User > Group', you can set up a policy for the group by editing its
properties. You also can assign members to the group.
Importing users and groups from Active Directory, OpenLDAP
You can import users and groups from Active Directory on 'User > Active Directory'.
For example, if you have your Active Directory with the following setup.
- Domain controller : 192.168.0.100
- Domain : nxfilter.local
- Admin username : Administrator
Then create an Active Directory importation setup with the following details.
- Domain : nxfilter.local
- Admin username : Administrator
- Host : 192.168.0.100
- Admin : Administrator@nxfilter.local
- Password : your-password
- Base DN : cn=users,dc=nxfilter,dc=local
- Domain : nxfilter.local
After having an Active Directory importation setup, you can import users and groups with 'IMPORT' button.
You also can set up a periodical import by selecting an auto-sync interval.
- Admin : Administrator@nxfilter.local
- Password : your-password
- Base DN : cn=users,dc=nxfilter,dc=local
- Domain : nxfilter.local
* Use 'TEST' button to verify your Active Directory importation setup.
- Go to index -
GUI - Policy
You can have multiple filtering policies in your network based on user and group.
Creating a policy
When you install NxFilter, there is only one policy that is 'Default'. This policy will be applied to everybody
if you don't make any change on NxFilter setup. If you want to apply a different policy for a specific user or group,
you need to create another policy and enable authentication.
Editing a policy
After you create a policy you can modify its properties.
- Priority Points
If there are multiple policies associated to one user then the policy having
the biggest points will be applied.
- Enable Filter
If you disable this option there will be no blocking from the policy.
- Block All
Block everything on policy level.
- Block Unclassified
Block unclassified domains.
- Ad-remove
Block domains in 'Ads' category of Jahaslist with a blank block page.
- Max Domain Length
* This is useful when you want to remove embedded adverts without
showing NxFilter's block page.
There are some malwares using domain name itself as a message protocol. These domains are abnormally
long while the length of most domains are under 30 characters. You can set a limit for the length
of a domain to block these abnormal domains. To prevent having false positives NxFilter doesn't
apply 'Max Domain Length' against 100,000 well known domains.
- Block Covert Channel
Some malwares or botnets are using DNS protocol as their communication tool. They are using DNS
queries and responses to communicate with each other.
- Block Mailer Worm
Normally, you are not supposed to see MX query from your client PC. When NxFilter finds MX type query
from your client PC, it will be regarded from some malware trying to send emails.
- Allow 'A' Record Only
This is the most strict way of filtering malwares and botnets employing DNS protocol as their
communication tool. If you are an ordinary office worker you don't need to use any special
type of DNS query. With this option enabled, NxFilter allows A, AAAA, PTR, CNAME only and the other
types of DNS queries will be blocked.
- Quota
NxFilter has quota-time feature. You can allow your users to browse some websites for a certain
amount of time.
- Quota All
Apply quota to all domains including unclassified domains.
- Bandwidth Limit
You can set a policy level bandwidth consumtion limit.
- Safe-search
This feature requires to import NetFlow data from your router or firewall. To find out more, read
Bandwidth control with NxFilter.
Enforcing safe-search against Google, Bing, Youtube.
- Block-time
* At the moment, switching between 'Moderate' and 'Strict' makes difference only for Youtube.
You can set policy level block-time.
- Logging Only
Monitoring user activity without blocking them.
- Blocked Categories
You can block domains by categories.
- Quotaed Categories
If you check some categories in 'Quotaed Categories' then your users can access the websites in the
categories for the amount of time you specified with 'Quota' above. When a user consumed up his/her quota
the DNS requests for those sites will be blocked.
Define a free-time
Global free-time can be defined on 'Policy > Free Time'. If you assign a free-time policy to a user,
it will be applied during the time defined here.
* If the start-time is bigger than the end-time then it will break into
'end-time ~ 24:00' and '00:00 ~ start-time' on the same day.
* We have a group specific free-time and policy specific block-time. Make your own free-time policy based on
these options.
NxClient
NxFilter supports remote user filtering and application control by NxClient. For more details, read
NxClient and remote user filtering.
- Go to index -
GUI - Category
On NxFilter, there are system categories and custom categories. System categories are already defined
by your blacklist DB. But you can create your own custom categories. You can add domains into these
system/custom categories and block domains by these categories.
Currently, NxFilter supports several blacklist options. If you want to find out more, read
Blacklist and domain categorization.
* To include subdomains into a category use an asterisk.
ex) *.nxfilter.org
* If you want to find out which category a domain falls into, use 'Category > Domain Test'.
- Go to index -
GUI - Whitelist
This is for making a whitelist/blacklist by a domain or a keyword.
- Bypass Authentication : To allow your users to access some sites without authentication, use this option.
- Bypass Filtering : To exclude some domains from your filtering, check this option.
- Bypass Logging : When you have too many log data for a domain which you are not interested in, you can bypass logging
for the domain.
- Admin Block : To block some domains without setting up a policy, use this option. This option overrides 'Bypass Filtering'.
- Drop Packet : When you want to completely ignore and not to respond the requests for a specific domain check this option.
* You can use an asterisk to include subdomains.
ex) *.nxfilter.org
- Go to index -
FAQ
These are frequently asked questions about NxFilter.
I can bypass NxFilter by accessing websites using IP address.
There are people saying that DNS filtering is useless as they can access a website using IP address.
This is a very naive thought and simply not true. In today's Internet environment most websites are
running on a virtual host. This means there are multiple websites on one IP address. You can't access
these websites without using a domain.
And the other thing you need to think about is that there are many URLs in a webpage. This
is especially true when it comes to a big portal site. Those URLs are based on DNS as well. If
you try to access a blocked website using an IP address, you will get just a brocken webpage.
* NxFilter can block IP host in URL with its local proxy agents.
- Go index -
It doesn't get blocked/unblocked right away.
This is most likely from the DNS cache on your system. If you are on a Windows system there are two kinds
of DNS caches. One is from your browser and the other is from your Windows OS. Before the cache expires your
policy change for blocking/unblocking will not be working. Both caches expire eventually but you might want
to clear it out immediately. If it is a browser cache you can clear it out by restarting your browser.
If you want to clear out your Windows DNS cache, use the following command on CMD.
ipconfig /flushdns
Normally DNS cache from Windows expires in a day at the maximum. Of course it depends on TTL from DNS
record but I have not seen it being bigger than 86,400 seconds(1 day) usually. About browser cache it may
take several minutes to get expired. But it will be expired and blocked eventually. So in practice,
this is not a problem as you don't need to block/unblock a site many times a day.
- Go index -
How do I force a user to be filtered by NxFilter?
If you have a firewall in your network it is a simple task. You just need to block outgoing UDP/53, TCP/53
traffic except from NxFilter. And then you use DHCP to set up NxFilter to be the DNS server
for your network. Now NxFilter became the only DNS server that your users can use and their DNS setup
to point NxFilter will be done automatically.
- Go index -
How NxFilter determin which policy to apply for a user?
You can assign a policy to a user directly. If a user belongs to a group then a group policy overrides
a user policy. This is simple so far. But when you import users from Active Directory there might be
users belonging to multiple groups. You don't know which policy to apply to a user in this case.
To solve this problem, we introduced 'Priority Points' on a policy. If there are multiple groups and if they
have several different policies, the policy having the highest priority points will be applied. When you want
to find out which policy being applied to a user, use 'TEST' button on 'User & Group > User'.
- Go index -
What is the quickest way of blocking 'facebook.com'?
Add '*.facebook.com' into 'Whitelist > Domain' and check 'Admin Block' option.
- Go index -
I want to block 'facebook.com' only for students.
You need to be able to differentiate your students on NxFilter with authentication first. And then block
'Social Networking' category on a policy when you use Jahaslist. Then assign the policy to the user or group
for your students.
- Go index -
I want to allow sales department to use the Internet freely at lunchtime.
Create a user or a group for your sales department and define a free-time in 'Policy & Rule > Free Time'
then assign a free-time policy which is more lenient to the user or group.
- Go index -
How do I reset admin password?
We have '/nxfilter/bin/reset-pw.sh' script to reset admin password. Once you run the
script, the admin name and password will be reset to 'admin'. You need to run the script
while NxFilter working.
* There is '/nxfilter/bin/reset_acl.sh' to reset access restriction to GUI as well.
- Go index -
How do I bypass my local domain?
On 'DNS > Setup' You can set your local DNS server and local domain. With this setup if there
are DNS queries for your local domain NxFilter forwards the queries to your local DNS server
and bypass authentication, filtering and logging.
- Go index -
How do I enable debug mode?
When there is something wrong with NxFilter the first thing you can do is to find out
what is going on exactly with its log data. NxFilter keeps its system log data inside '/nxfilter/log' directory.
If you need more detailed log data, enable debug mode on '/nxfilter/conf/log4j.properties'.
Change 'INFO' to 'DEBUG' inside the file and restart NxFilter.
- Go index -
I don't see any username on 'Logging > Request'.
The first thing you need to check would be 'Enable Authentication' option on 'Config > Setup'. Some people
don't understand that they need to enable authentication before implementing any authentication method.
- Go index -
How do I restrict porn on Google, Youtube search result?
You can force safe-search from NxFilter. We have 'Safe-search' option on NxFilter policy.
* Safe-search enforcing for Yahoo requires a local proxy agent running on user system.
* Switching between 'Moderate' and 'Strict' makes difference only for Youtube.
- Go index -