Gentoo Forums
HOWTO: A parent's guide to Linux Web filtering

AmosMutke
Apprentice


Joined: 24 Dec 2003
Posts: 235
Location: Akita, Japan.

PostPosted: Mon Dec 26, 2005 2:35 pm    Post subject: HOWTO: A parent's guide to Linux Web filtering

Table of Contents

  • 1.0 - Introduction
  • 2.0 - Requirements
  • 3.0 - The Process
    • install
    • configure
    • startup
  • 4.0 - Notes
    • working configurations
    • url references
  • 5.0 - Credits
  • 6.0 - Changelog


1.0 - Introduction
Before I begin, I want to note that 90% of this howto was taken from a linux.com article called "A parent's guide to Linux Web filtering". I'm sorry that I even took the same name for this article, but I feel that it draws attention to those who are most likely to benefit from this howto: parents.

A Web filter is software that can filter the type of content a Web browser displays. The filter checks the content of a Web page against a set of rules and replaces any unwanted content with an alternative Web page, usually an "Access Denied" page. The type of content to be filtered is usually controlled by a systems administrator or a parent. Web filters are used in schools, libraries, and homes to safeguard children from obscene content on the Internet.

While the setup discussed in this article is intended for use on a single computer, this method of Web filtering can be applied to a wide range of scenarios. These tools can be easily and successfully implemented on a small home network, a large business infrastructure, or any environment that needs to comply with the Children's Internet Protection Act.

Bear in mind that Web filtering software of any kind is not 100% failsafe, nor is it a substitute for parental supervision. Along with installing filtering software, educate yourself and your children about the Internet.

Before you begin, you should be familiar with some basic networking concepts:

  • A server, as in "Web server," is nothing more than an application that runs on a computer and listens for incoming requests. It sends back, or serves, information to the source that requested the information. This information can be anything from Web pages to databases. Each server communicates through the use of an IP address and a port number.
  • Ports are logical addresses that applications on a computer use in a way similar to how we use phone numbers. Each server program must have a unique port that it uses for communications.
  • Every computer connected to the Internet has both an external IP (Internet Protocol) address, usually assigned by an Internet service provider, and an internal address of 127.0.0.1. The internal address allows the computer to "listen" and "talk" to itself and is referred to as the loopback address. Normally a server is set up to accept requests from other computers on the Internet by listening on its external address. Since this can present a security risk for our single computer, we will use the loopback address instead. This will cause our server to only listen for requests from the computer that the server resides on.
  • A firewall is an application that controls the types of communication your computer can send and receive. GNU/Linux has an excellent firewall called netfilter/iptables, or simply iptables, built right into the kernel, which we will make use of to redirect users' Web surfing through our Web filter.

I will attempt to keep it simple enough that anyone who was able to install Gentoo should be able to follow this.

2.0 - Requirements
I'm limiting this howto to using squid because it integrates easily and it's what I chose to use. Read the dansguardian faq for more info.
If you would like to contribute instructions for using a web proxy other than squid, please send them to me and I'll add them to this howto.

The only software you need to set up parental filters under GNU/Linux is iptables, DansGuardian, and Squid.

DansGuardian is the actual filtering software. It supports phrase matching, which allows you to block out Web sites that contain certain phrases or words; PICS filtering, which blocks content that's been labeled as possibly objectionable material by the creator of the Web site; URL filtering, to block content from specific sites that are known to contain offensive material; and blacklists, or lists of sites that contain content you want to block. Blacklists usually come from third parties, though you can create and maintain your own.

Squid is a Web proxy server that acts as a middleman between your computer and the Internet. You need a proxy server because DansGuardian isn't able to fetch Web pages by itself. We'll configure Squid as a transparent proxy, meaning we'll hijack network traffic and redirect it to a new destination -- our filter program, in this case -- without the need for the user to know that it is happening.

Iptables is the firewall management tool used with the 2.4.x and higher kernels. Let's check to see if iptables is already built into your kernel:

Code:
 # cd /usr/src/linux
 # grep CONFIG_IP_NF_IPTABLES .config
CONFIG_IP_NF_IPTABLES=y


If you see # CONFIG_IP_NF_IPTABLES is not set, then you will need to modify your kernel. Otherwise, move on to section 3.1. If you need more information about compiling your kernel, please read this.

2.4.x kernel config
TODO - will someone please contribute

2.6.x kernel config
Code:
Networking -->
   --- Networking Support
         Networking Options -->
             [*] Network packet filtering (replaces ipchains) -->


3.0 - The Process

  • 3.1 - install software
    First check the USE flags before you install:
    Code:
     # emerge -vp dansguardian squid iptables

    If you wish to adjust some of the use flags, here's how. Then emerge.
    Code:
     # emerge dansguardian squid iptables


  • 3.2 - configure software

    • 3.2.1 - Configure Squid
      The default location for the Squid configuration file is /etc/squid/squid.conf. While most of the default settings for Squid are all right for our usage, you will need to edit the configuration file just a bit.

      You will need to become the root user in order to make the changes and issue the commands shown in this article. You can do this by either logging in as root or with the su command.

      Add or edit the following line to have Squid listen only on the loopback device on port 3128. This will cause Squid to act only as a proxy server for this computer and assigns it a specific port number to listen on:
      Quote:
      http_port 127.0.0.1:3128


      To configure Squid as a transparent proxy, add the following lines to squid.conf:
      Quote:
      httpd_accel_host virtual
      httpd_accel_port 80
      httpd_accel_with_proxy on
      httpd_accel_uses_host_header on


      Since Squid is normally started by the system and run as root, you need to add the next two lines to /etc/squid/squid.conf in order to make Squid run with squid's user and group IDs:
      Quote:
      cache_effective_user squid
      cache_effective_group squid


      We will later use this to identify Squid to our firewall. Then we will allow the user squid to access the Internet while we redirect all other Web traffic through our filter.

    • 3.2.2 - Configure Dansguardian
      Our next step is to configure DansGuardian. The default location for the configuration files is /etc/dansguardian/dansguardian.conf. Once again, most of the default values are fine, but we need to make a few changes.

      First, add or edit the following line to make the filter use HTML templates, which are static Web pages that our filter will use to display the "Access Denied" page instead of the inappropriate sites. Using HTML templates keeps us from having to set up a Web server to display the "Access Denied" information.
      Quote:
      reportinglevel = 3


      Next, add or edit the following lines to make DansGuardian listen on the loopback address and port 8080:
      Quote:
      filterip = 127.0.0.1
      filterport = 8080


      Add or edit the following line to tell DansGuardian which address and port Squid is listening on. This enables our filter to fetch the requested Web content through the proxy.
      Quote:
      proxyip = 127.0.0.1
      proxyport = 3128


      Again, to keep your filter from running as root you need to change the user that it will run as. For simplicity, we will reuse the user and group that we previously set up for Squid. Add or edit the following to make DansGuardian run with UID and GID of squid:
      Quote:
      daemonuser = 'squid'
      daemongroup = 'squid'


      Because Dansguardian relies on squid to be running before it starts, we need to make one small change to /etc/init.d/dansguardian. Add squid to the depend() function.
      Quote:
      depend() {
              need net squid
              use dns \
              squid apache2 bfilter mman junkbuster oops polipo privoxy tinyproxy wwwoffled
              #dansguardian could be used in conjunction with any of the above web proxies
      }

      While DansGuardian provides an excellent filter all by itself, you may want to exercise further control over the Web filtering by editing the other files in the /etc/dansguardian directory that contain external blacklists. Blacklists from squidGuard and URLBlacklist work perfectly with DansGuardian. Each file contains a brief explanation for its contents to make configuration easier.

    • 3.2.3 - Configure iptables
      Once you have Squid and DansGuardian set up, the final step is to implement a transparent proxy using iptables. Use the following commands at the command line to add rules to the firewall to allow the user squid to access both the Internet and the Squid proxy we set up.
      Code:
      iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner squid -j ACCEPT
      iptables -t nat -A OUTPUT -p tcp --dport 3128 -m owner --uid-owner squid -j ACCEPT


      If you want a user to be exempt from filtering -- a parent, for example -- issue the following command. Replace EXEMPT_USER with the username that you wish to exempt from filtering. Add as many exempt users as you wish. (root is recommended to help prevent an unlikely conflict with portage):
      Code:
      iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner EXEMPT_USER -j ACCEPT


      The next command redirects Internet traffic from all users, other than squid and any exempt users, to the filter on port 8080:
      Code:
      iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 8080


      Since we have a proxy server set up, a user could configure a Web browser to bypass the filter and access the proxy directly. The Squid proxy is listening for requests from the computer, and it doesn't care which user sends the request. We could set up our firewall to deny all access to the proxy except from our filter, but let's be a little sneakier. Let's set it up so that direct requests to the Squid proxy server, except from our filter, get redirected through the filter. To do this, use the following command:
      Code:
      iptables -t nat -A OUTPUT -p tcp --dport 3128 -j REDIRECT --to-ports 8080



  • 3.3.0 - Kick the tires and light the fires
    First let's make sure our web content filtering system will start each time the computer boots.
    Code:
    # rc-update add iptables default
     * iptables added to runlevel default
     * rc-update complete.
    # rc-update add squid default
     * squid added to runlevel default
     * rc-update complete.
    # rc-update add dansguardian default
     * dansguardian added to runlevel default
     * rc-update complete.


    And now we are ready to start everything up.
    Code:
    # /etc/init.d/iptables start
     * Loading iptables state and starting firewall ...   [ ok ]
    # /etc/init.d/squid start   
     * Starting squid ...                                 [ ok ]
    # /etc/init.d/dansguardian start
     * Starting DansGuardian ...                          [ ok ]



4.0 - Notes


5.0 - Credits
This howto is heavily based on an article published on www.linux.com: "A parent's guide to Linux Web filtering".
- have your name added here by helping to make this howto better. Check the TODO list at the bottom.

6.0 - Changelog

  • December 26, 2005:
    - initial release for peer review


TODO:
- Add 2.4.x kernel config options for iptables.
- Other things I haven't thought of.
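An added example, not part of AmosMutke's howto: a small POSIX shell script that emits the section 3.2.3 rules in the order the nat OUTPUT chain needs them (the ACCEPT rules for the squid user and any exempt users must come before the two catch-all REDIRECTs, because the chain is first-match and a misordered REDIRECT would send the filter's own connections to Squid back into the filter), applies them, and checks an existing `iptables-save` dump for that order. The names filter_rules, apply_rules, check_rule_order, the DRY_RUN and IPTABLES variables and the two sample dumps are this example's own assumptions; iptables-save writes numeric uids, so the check takes the uid number (`id -u squid`).

```sh
#!/bin/sh
# Added example, not from the howto. Builds, applies and checks the nat OUTPUT
# rules of section 3.2.3. Order matters: the chain is first-match, so the ACCEPT
# rules for the proxy user (DansGuardian and Squid both run as "squid") and for
# exempt users must precede the catch-all REDIRECTs, or the filter's own
# connections to Squid on 3128 would be redirected back to the filter.

PROXY_USER="${PROXY_USER:-squid}"    # cache_effective_user / daemonuser
PROXY_PORT="${PROXY_PORT:-3128}"     # Squid http_port
FILTER_PORT="${FILTER_PORT:-8080}"   # DansGuardian filterport
IPTABLES="${IPTABLES:-iptables}"
DRY_RUN="${DRY_RUN:-0}"              # 1 = print the commands instead of running them

# Print the rules, one per line, in the order they must be appended.
# Arguments: usernames exempt from filtering (e.g. root and a parent's account).
filter_rules() {
    echo "-t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner $PROXY_USER -j ACCEPT"
    echo "-t nat -A OUTPUT -p tcp --dport $PROXY_PORT -m owner --uid-owner $PROXY_USER -j ACCEPT"
    for u in "$@"; do
        echo "-t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner $u -j ACCEPT"
    done
    echo "-t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports $FILTER_PORT"
    echo "-t nat -A OUTPUT -p tcp --dport $PROXY_PORT -j REDIRECT --to-ports $FILTER_PORT"
}

# Append the rules with iptables (needs root). Stops at the first failure.
apply_rules() {
    while IFS= read -r rule; do
        if [ "$DRY_RUN" = 1 ]; then
            echo "$IPTABLES $rule"
        else
            # splitting $rule into separate arguments is intended here
            $IPTABLES $rule || return 1
        fi
    done <<EOF
$(filter_rules "$@")
EOF
}

# Check an `iptables-save` dump (stdin) for the nat OUTPUT chain invariant.
# $1 is the numeric uid of the proxy user; iptables-save writes uids as numbers,
# so call it as:  iptables-save | check_rule_order "$(id -u squid)"
# Returns 0 if each REDIRECTed port has an earlier ACCEPT for that uid and the
# port-80 REDIRECT exists; otherwise prints what is wrong and returns 1.
check_rule_order() {
    awk -v uid="$1" -v fport="$FILTER_PORT" '
    /^\*nat$/  { innat = 1 }        # the filter table has an OUTPUT chain too; skip it
    /^COMMIT$/ { innat = 0 }
    innat && /^-A OUTPUT / {
        n++
        port = ""
        for (i = 1; i <= NF; i++) if ($i == "--dport") port = $(i + 1)
        if (port == "") next
        if ($0 ~ ("--uid-owner " uid " -j ACCEPT") && !(port in acc)) acc[port] = n
        if ($0 ~ ("-j REDIRECT --to-ports " fport "$") && !(port in red)) red[port] = n
    }
    END {
        bad = 0
        if (!("80" in red)) { print "missing: REDIRECT for port 80"; bad = 1 }
        for (p in red) {
            if (!(p in acc)) { print "missing: ACCEPT for uid " uid " on port " p; bad = 1 }
            else if (acc[p] > red[p]) { print "wrong order: REDIRECT on port " p " comes before the ACCEPT for uid " uid; bad = 1 }
        }
        exit bad
    }'
}

# Constructed `iptables-save -t nat` output (uid 1001 stands for squid) for a
# stand-alone run; the second dump has the port-80 REDIRECT in front of the ACCEPT.
GOOD_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner 1001 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 3128 -m owner --uid-owner 1001 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner 0 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A OUTPUT -p tcp -m tcp --dport 3128 -j REDIRECT --to-ports 8080
COMMIT'
BAD_DUMP='*nat
:OUTPUT ACCEPT [0:0]
-A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner 1001 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 3128 -j REDIRECT --to-ports 8080
COMMIT'

demo() {
    printf '%s\n' "$GOOD_DUMP" | check_rule_order 1001 && echo "good dump: order ok"
    printf '%s\n' "$BAD_DUMP"  | check_rule_order 1001 || echo "bad dump: rejected"
}

# `sh thisfile.sh demo` runs the check on the two sample dumps.
[ "${1:-}" = "demo" ] && demo
```

If you already run an iptables firewall (see AmosMutke's later note), append these rules to whatever your firewall script loads and run the check against `iptables-save` afterwards.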
bemis
Tux's lil' helper


Joined: 30 Mar 2004
Posts: 136
Location: USA

PostPosted: Mon Dec 26, 2005 9:51 pm    Post subject:

good writeup - a few ideas:
- since you can't be sure that /usr/src/linux/.config is actually the config of the kernel being used, either
Code:
 zcat /proc/config.gz | grep ILTER
or
Code:
strings /proc/kallsyms | grep netfilt
work quite well.

-logging - do both squid and dansguardian have the ability to "report" my children's activities to me?

-SOCKS4/5 based proxy instead of port-based? is it possible in this set up?

that's all i can think of offhand
_________________
Y'know, somewhere along the line, my brain got wired directly to my fingers .. I'm not even consulted anymore in the decision making processes.
-bemis
AmosMutke
Apprentice


Joined: 24 Dec 2003
Posts: 235
Location: Akita, Japan.

PostPosted: Tue Dec 27, 2005 12:41 am    Post subject:

bemis wrote:
good writeup - a few ideas:
- since you can't be sure that /usr/src/linux/.config is actually the config of the kernel being used, either
Code:
 zcat /proc/config.gz | grep ILTER
or
Code:
strings /proc/kallsyms | grep netfilt
work quite well.


The first option only works if you selected

General Setup -->
[*] Kernel .config support

but the second option seems like a safe universal test. I'll make that change. Thanx.

bemis wrote:
-logging - do both squid and dansguardian have the ability to "report" my children's activities to me?


To have the proxy "invisible" (by which I mean, not require any additional configuration by the user) squid and Dansguardian can't log the user name. If I remember correctly, squid does have the possibility to use pam for authentication, but besides having to set proxy information, the passwords are sent in plain text and would be a security risk.

HOWEVER... You can determine the offending party by looking at the wtmp information and comparing to the timestamp in the dansguardian log. I'm currently writing scripts to auto extract this data. (of course this wouldn't work if your user was using cron to attempt access when they are not logged in. If your kids are clever enough to figure this out, they deserve a reward)

bemis wrote:
You can setup squid to log usernames, but from what I've been able to figure out, this would require proxy authentication. This means that the proxy would not be invisible. You would have to manually configure
-SOCKS4/5 based proxy instead of port-based? is it possible in this set up?

that's all i can think of offhand


I don't know. Wouldn't those methods require you to modify your proxy settings in the web browser? That was something I wanted to avoid.
What would be the benefit of this method?

thanx a lot for your suggestions.
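An added example of the wtmp comparison AmosMutke describes, not his script: for every *DENIED* line in DansGuardian's access.log it lists which local accounts `last -F` shows as logged in at that second, and prints nobody-logged-in when none was (the cron case he mentions). It assumes the log's default leading `YYYY.MM.DD HH:MM:SS` timestamp with the URL in the fifth field; the sample session and log lines are constructed here, and who_denied and demo are this example's own names.

```sh
#!/bin/sh
# Added example, not AmosMutke's script: for each blocked request in a
# DansGuardian access.log, list the accounts that wtmp shows logged in at that
# moment. Sessions come from `last -F` (full timestamps), so both inputs can be
# copied off the box and compared anywhere.
# Assumed log layout (DansGuardian's default): "YYYY.MM.DD HH:MM:SS user ip url ..."
# with the word *DENIED* on blocked lines; adjust the field numbers if yours differs.

# $1 = file holding `last -F` output, $2 = access.log
# Prints: date time user[,user...] url, or nobody-logged-in when no session
# matches (the cron-job case mentioned above, which is worth a look in itself).
who_denied() {
    awk '
    # "Dec 28 09:58:12 2005" -> 20051228095812, so stamps compare as plain strings
    function stamp(mn, dy, tm, yr) {
        gsub(/:/, "", tm)
        return sprintf("%04d%02d%02d%s", yr,
                       int((index("JanFebMarAprMayJunJulAugSepOctNovDec", mn) + 2) / 3), dy, tm)
    }
    FNR == NR {                         # first file: one session per line
        if ($1 == "reboot" || $1 == "wtmp" || $1 == "btmp") next
        # the host column is blank for console logins, so locate the weekday
        # instead of trusting fixed field numbers
        for (i = 1; i <= NF; i++) if ($i ~ /^(Mon|Tue|Wed|Thu|Fri|Sat|Sun)$/) break
        if (i > NF - 4) next
        n++
        user[n]  = $1
        start[n] = stamp($(i+1), $(i+2), $(i+3), $(i+4))
        if ($(i+5) == "-" && $(i+6) ~ /^(Mon|Tue|Wed|Thu|Fri|Sat|Sun)$/)
            end[n] = stamp($(i+7), $(i+8), $(i+9), $(i+10))
        else
            end[n] = "99999999999999"    # still logged in, crash, down: treat as open
        next
    }
    /\*DENIED\*/ {                      # second file: blocked requests only
        split($1, d, ".")
        ts = $2; gsub(/:/, "", ts)
        ts = sprintf("%04d%02d%02d%s", d[1], d[2], d[3], ts)
        who = ""; split("", seen)
        for (k = 1; k <= n; k++)
            if (start[k] <= ts && ts <= end[k] && !(user[k] in seen)) {
                seen[user[k]] = 1
                who = who (who == "" ? "" : ",") user[k]
            }
        print $1, $2, (who == "" ? "nobody-logged-in" : who), $5
    }' "$1" "$2"
}

# Constructed `last -F` output and access.log lines for a stand-alone run.
# The 11:22:30 request falls between mom logging out and kid logging in.
SAMPLE_SESSIONS='mom      tty7         :0               Wed Dec 28 09:58:12 2005 - Wed Dec 28 11:20:01 2005  (01:21)
kid      tty7         :0               Wed Dec 28 11:25:40 2005   still logged in
reboot   system boot  2.6.14-gentoo    Wed Dec 28 09:57:00 2005   still running

wtmp begins Wed Dec 28 09:57:00 2005'
SAMPLE_LOG='2005.12.28 10:15:23 - 127.0.0.1 http://example.com/ *DENIED* Banned site: example.com GET 0 0
2005.12.28 11:22:30 - 127.0.0.1 http://example.com/x *DENIED* Banned site: example.com GET 0 0
2005.12.28 11:40:02 - 127.0.0.1 http://example.net/cute.jpg *DENIED* Banned site: example.net GET 0 0
2005.12.28 11:41:10 - 127.0.0.1 http://example.org/ *EXCEPTION* Exception site match GET 1234 0'

# Runs the samples through who_denied. Real use:
#   last -F > /tmp/last.txt; who_denied /tmp/last.txt /var/log/dansguardian/access.log
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' "$SAMPLE_SESSIONS" > "$tmp/last.txt"
    printf '%s\n' "$SAMPLE_LOG" > "$tmp/access.log"
    who_denied "$tmp/last.txt" "$tmp/access.log"
    rm -rf "$tmp"
}
```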
alexlm78
Veteran


Joined: 08 Dec 2003
Posts: 1265
Location: Guatemala,Guatemala

PostPosted: Tue Dec 27, 2005 8:13 pm    Post subject:

Excellent guide, tonight I implement it.
_________________
"This is a different kind of world, you need a different kind of software"

Linux User# 315201
100% Chapin, made in Guatemala
rev138
l33t


Joined: 19 Jun 2003
Posts: 848
Location: Vermont, USA

PostPosted: Tue Dec 27, 2005 8:17 pm    Post subject:

As an FYI, dansguardian-dgav (~x86) has built in virus scanning as well. The set up is more or less the same.
AmosMutke
Apprentice


Joined: 24 Dec 2003
Posts: 235
Location: Akita, Japan.

PostPosted: Wed Dec 28, 2005 1:10 am    Post subject:

as a status update.. this has been running on my mother's computer for 3 days and appears to be working very well.. Only snag so far was that it blocked the kids from downloading Pokemon and Dragonball videos. By default it blocks many video types, but you can change it by commenting them out with a preceding "#" character in /etc/dansguardian/blockedmimetypes

[EDIT]

And I should have also mentioned that if you currently run iptables as a firewall, you will need to manually add the new iptable rules in the appropriate places or it may not work...

And if your computer connects directly to the internet (i.e. not behind some type of firewall) it will be fairly exposed. The iptable rules given are not meant to protect you from hacking attack... that's an entirely different problem..
LinuxJoe
n00b


Joined: 23 Aug 2005
Posts: 54
Location: Charlotte, NC

PostPosted: Thu Dec 29, 2005 7:20 pm    Post subject:

At my house, we have the same thing implemented, only it uses IPcop and cop+
Took my dad and me about half a day to set up, now we don't need to mess with it, but when we do there is a web interface. Cop+ is basically the dansguardian, but already configured for IPcop.
_________________
3E Ghz Prescott + 1GB RAM + ATI 9700 Pro + Gentoo...
What else do you need?
AmosMutke
Apprentice


Joined: 24 Dec 2003
Posts: 235
Location: Akita, Japan.

PostPosted: Fri Dec 30, 2005 8:24 am    Post subject:

LinuxJoe wrote:
At my house, we have the same thing implemented, only it uses IPcop and cop+
Took my dad and me about half a day to set up, now we don't need to mess with it, but when we do there is a web interface. Cop+ is basically the dansguardian, but already configured for IPcop.


When I lived with my brother before I moved to Japan I built an ipcop firewall. I really loved it. Extremely simple to install and use, only need a monitor and keyboard for install, etc. etc. I had it do ad filtering. I noticed an increase in internet browsing speed, even with broadband. I have nothing but good things to say about ipcop. We had 4 computers behind the firewall (3 were mine :-) ) and ipcop ran like a prized greyhound.

However, this howto is for people (like my mom) who only have a single computer (and running Gentoo of course) in the house and wish to provide content filtering for their children. I decided to move my mom to Gentoo for several reasons. My younger 16-year-old brother kept filling the computer with spyware, viruses, and generally just ef'n up the computer. Net Nanny didn't do much except block my mother from websites and crash the computer. Now with Gentoo I can truly control what is happening on the computer to make my life (as the family computer admin) easier.

The entire system was installed remotely. I had my brother boot the computer with the Gentoo Live CD and start ssh. Other than calling home to take the CD out of the tray, I did it all myself a couple thousand miles away. God I love Gentoo.

Thanks for the advice. If people have old computer hardware around, they should consider it.
rev138
l33t


Joined: 19 Jun 2003
Posts: 848
Location: Vermont, USA

PostPosted: Fri Dec 30, 2005 1:05 pm    Post subject:

AmosMutke wrote:
I noticed an increase in internet browsing speed, even with broadband.


I don't understand how adding an additional layer between you and the internet could make browsing faster. If anything, one would expect the reverse.

Was this increase in "speed" from a caching proxy?
Sheepdogj15
Guru


Joined: 07 Jan 2005
Posts: 430
Location: Backyard

PostPosted: Sun Jan 08, 2006 1:56 pm    Post subject:

This guide is fairly easy to redact for use on a dedicated, Gentoo based, firewall/router box. I know, because I just got done setting it up and already got my first Access Denied page :D

I'll just note some changes I had to make:

  • I'm using Shorewall as an interface for IPTables. Now, I'm not sure if my configuration is quite right... in fact it's probably wrong (instead of using 127.0.0.1 [loopback], I had to keep using the computer's LAN IP [10.0.0.1]). However, it works, so 'tis all good.

  • Here are my custom settings in squid.conf:
    Code:
    httpd_accel_host virtual
    httpd_accel_port 80
    httpd_accel_with_proxy on
    httpd_accel_uses_host_header on

    http_port 10.0.0.1:3128

    cache_effective_user squid
    cache_effective_group squid

    acl my_network src 10.0.0.0/24
    http_access allow my_network

    The last bit will set your proxy to only respond to requests from your LAN (be sure to set the appropriate IP subnet).

    Also, I hope to tweak the cache settings in a bit; if I find any neat settings or tricks, I'll comment on them here.

  • My dansguardian.conf only has a couple of differences: filterip has to be left blank, and proxyip is set to the IP on the LAN interface (10.0.0.1)

  • Dansguardian nagged the first time it started up because it couldn't write a log file. (You may need to comment on this in your howto, AmosMutke.) The fix is to change the folder permissions:
    Code:
    chown squid:squid /var/log/dansguardian


  • The setup seems to work fine with these shorewall rules... I would assume the iptables equivalent commands would be similar to those in AmosMutke's howto. Here are the changes to my /etc/shorewall/rules: (and there would be a lot of carry over too if you are just using shorewall on your PC... just change the loc zone to $FW)

    Code:
    REDIRECT        loc     3128    tcp     8080
    REDIRECT        loc     8080    tcp     80     -     !10.0.0.1,127.0.0.1

    ACCEPT          loc     net     tcp     443 # remember, squid doesn't proxy for secure http

    AllowWeb        $FW     net


    And for added security, disable direct http (port 80) access from the loc zone to the net.


I think that's about it. Works fine for me. My only other suggestion is to set it up first without transparency to make sure it works (that is, actually configure your web browser with the appropriate proxy address and port -- headache insurance :) ). Then do the redirects and such.
_________________
Sheepdog
Why Risk It? | Samba Howto
Sheepdogj15
Guru


Joined: 07 Jan 2005
Posts: 430
Location: Backyard

PostPosted: Mon Jan 09, 2006 11:01 pm    Post subject:

Anyone know a good site for white lists for dansguardian? I already am annoyed trying to get spybot and other Windows tools to update.
_________________
Sheepdog
Why Risk It? | Samba Howto
mdeininger
Veteran


Joined: 15 Jun 2005
Posts: 1740
Location: Emerald Isles, observing Dublin's docklands

PostPosted: Fri Jan 13, 2006 1:23 pm    Post subject:

I'd like to point out that web content *filtering* is something you really shouldn't be doing as a *parent* -- ever!
Now, before you start flaming, hear me out!
As a parent, you will probably want to protect your child from something that you think to be inappropriate content. That's fine -- that's your job. It's your responsibility to do it. Your kids need to use the internet for all sorts of things -- from doing research for homework to chatting with friends. Since there's a lot of inappropriate content on the internet, you thus need to make sure they don't get there. The only way to really do this is *sitting next to your kids while they surf*. Automatic filtering software like Dansguardian will never work properly for two simple reasons:

a) The software is a very stupid bugger. It doesn't know what's appropriate, so it basically does word counting and some heuristics to figure out if content is appropriate (unless the content is marked with certain tags, which isn't very likely). Word counting will never really work properly. You get a lot of false positives -- you get a lot of false negatives. Right now I work at a state school as a systems administrator, and we do use dansguardian because some laws require us to make sure the kids are supervised while surfing and we can't afford to have 4 or more teachers in one computer room along with the classes to make sure they don't pull odd moves. As one of the network administrators, my job -- among other things -- is rereading the logfiles of Dansguardian and finding out if some of the kids are looking for porn or DIY bombing kit instructions. Now guess what 99.9% of the time gets stuck in the filter? Educational articles on biology and chemistry, sites that contain news articles on things like homosexual marriage laws, and the like. Once I even found hits on one of our more liberal political parties' website, which was completely okay and appropriate! Is that the type of thing you want to protect your kids from? I don't think so. You will likely try to protect them from badbad movies and picture galleries. I took the test, that doesn't work. You can't ban video files, and the filter isn't likely to detect picture galleries as bad unless they contain a lot of pornographic advertisements. Not that this would be of any use, since you mostly need a credit card to enter sites like that in the first place! Now, thinking of something like "webpagesthatsuck.com", I come to my other point...

b) ..., which is that your kids are likely smarter than you with computers and it's fairly easy to circumvent lousy protections like these. I know you really don't want to hear things like that, but I can tell you from experience that kids get very creative when it comes to trying to get somewhere they're not supposed to. When I was still going to grammar school, being a 13-year-old smartypants, we were allowed to surf the net whenever we felt like it. There was one room with a handful of computers for us pupils and you could borrow the key whenever you had nothing to do and wanted to surf the net. At first, we had only some very cheap firewall, with everything except port 80 being locked so we couldn't chat on Jabber/IRC/ICQ/AIM/Yahoo/MSN/whatever. Well, that was unless you knew one of the many thousand public proxies to use that were on port 80, then it was easy to get around that... Then some teacher complained that he wasn't able to get material off an FTP server, and our computer guy decided to drop the firewall completely, leaving us with access to everything. Then another guy came along and wanted some sort of adult-material-filter, which meant everything was free, except for ports 80, 3128 and 8080 which all went to a local transparent proxy that checked the content, much like this one. Well, kids like me that had a computer at home didn't find it very difficult to just set up a proxy at home on some port like 8000 instead of 8080. Then you just use something like dyndns and add your home-router-thing as your local proxy, and once again you were able to surf everything without getting annoying "access denied"-pages. Then our teacher did something inherently stupid: he blocked every access to the outside world unless it went through the proxy. I noticed that because it ever so much annoyed me that I couldn't SSH home. But, guess what, the proxy allowed CONNECTs!
You could do everything you wanted through the local proxy, like using SSH, if you just did some fancy routing/tunnelling (I wrote a Howto on something similar somewhere in this forum. You really only need one free port to do NAT through an outside box and circumvent any type of filter in between).
Well, you might of course prevent your child from acquiring these skills with all the false positives going off at random (that Howto/technical document on networking might be on a server that uses adult advertisements to stay afloat after all... or just plain sites like the one I mentioned earlier that gets banned rather often because of words like "sucker"), but since I was able to do all this at 13, your child might as well be, and then you wouldn't even have a chance.

Now, if you also remember that most adult material -- like porn, or songs with badbad lyrics that were on CDs with a "parental advisory"-sticker -- aren't even gotten off the web (ugh, I hate that word, it sounds so wrong), but instead off networks like eDonkey, GNUtella, BitTorrent or good old Usenet and IRC -- maybe even via instant messenger services (I had a buddy on AIM that would always send me odd pictures every other day), and that you can almost always connect to services like that with a little bit of skill in networks and either a rented rootbox or some friend that's willing to run a proxy for you, then you will hopefully give up futile attempts like content filtering. The best they can do is annoy the kids if they got some smarts at all -- or *you*. Imagine you want to do research on the net and then get a completely legitimate site banned because the writer of the article doesn't share your idea of what's appropriate and what isn't and didn't mind "four-letter-words", or his webspace provider placed porn ads on the poor guy's site. You might even end up not being able to read your eMail via webmail because of spam mail with explicit subject lines being listed in your inbox overview!

*Don't do it*! Either only let your kids browse the web while you're sitting next to them or don't overprotect them from "inappropriate content". It's futile, really, unless your filter has its own AI that really understands your goals!

(sorry for that long post, but sissy stuff like that really gets me started)

P.S.: still a good howto, honestly, and the bits on setting up a transparent proxy and the possibility to make dansguardian check for virii on the fly along with squid being able to decrease your consumed bandwidth make it rather useful a thing to do, just don't be naive and use it to "protect" your kids.
_________________
"Confident, lazy, cocky, dead." -- Felix Jongleur, Otherland

( Twitter | Blog | GitHub )


Last edited by mdeininger on Fri Jan 13, 2006 4:46 pm; edited 1 time in total
rev138
l33t


Joined: 19 Jun 2003
Posts: 848
Location: Vermont, USA

PostPosted: Fri Jan 13, 2006 2:09 pm    Post subject:

mdeininger wrote:
When I was still going to grammar school, being a 13 year old smartypants, we were allowed to surf the net whenever we felt like it.


Wow. I think this is officially the first time in my life where something that someone has said made me feel old. :)

When I was in grammar school, we had Apple IIs and C64s. Surf the net? Ha! There wasn't even a LAN.
mdeininger
Veteran


Joined: 15 Jun 2005
Posts: 1740
Location: Emerald Isles, observing Dublin's docklands

PostPosted: Fri Jan 13, 2006 4:14 pm    Post subject:

rev138 wrote:
mdeininger wrote:
When I was still going to grammar school, being a 13 year old smartypants, we were allowed to surf the net whenever we felt like it.


Wow. I think this is officially the first time in my life where something that someone has said made me feel old. :)

When I was in grammar school, we had Apple IIs and C64s. Surf the net? Ha! There wasn't even a LAN.


*g* I'm sorry for that. Our school was some sort of "testbed" for new ideas and concepts, so we had all sorts of odd subjects like IT basics and a mix between maths, physics, chemistry, biology, geology and "how to do a presentation using modern media" (all in one subject), so we really had to have somewhat-new computers. The room we were allowed to use without teachers had ~100 MHz Pentiums which our teachers were rather fond of at the time. I think they stocked up two rooms with 3 GHz P4s and flat screens last year, leaving the "old" P3s to the pupils to play with.
_________________
"Confident, lazy, cocky, dead." -- Felix Jongleur, Otherland

slam633
n00b


Joined: 01 Oct 2004
Posts: 40
Location: Fear me, for I am truly evil.

PostPosted: Fri Jan 13, 2006 7:50 pm

In high school, I had to take a bus across town, to the local college, just to take computer classes.
_________________
"Beer is proof God loves us, and wants us to be happy. Ben Franklin"
Sheepdogj15
Guru


Joined: 07 Jan 2005
Posts: 430
Location: Backyard

PostPosted: Tue Jan 17, 2006 1:04 am

mdeininger wrote:
I'd like to point out that web content *filtering* is something you really shouldn't be doing as a *parent* -- ever!
Now, before you start flaming, hear me out!
As a parent, you will probably want to protect your child from something that you think to be inappropriate content. That's fine -- that's your job. It's your responsibility to do it. Your kids need to use the internet for all sorts of things -- from doing research for homework to chatting with friends. Since there's a lot of inappropriate content on the internet, you thus need to make sure they don't get there. The only way to really do this is *sitting next to your kids while they surf*. Automatic filtering software like Dansguardian will never work properly for two simple reasons:

a) The software is a very stupid bugger. It doesn't know what's appropriate, so it basically does word counting and some heuristics to figure out if content is appropriate (unless the content is marked with certain tags, which isn't very likely). Word counting will never really work properly. You get a lot of false positives -- you get a lot of false negatives. Right now I work at a state school as a systems administrator, and we do use dansguardian because some laws require us to make sure the kids are supervised while surfing and we can't afford to have 4 or more teachers in one computer room along with the classes to make sure they don't pull odd moves. As one of the network administrators, my job -- among other things -- is rereading the logfiles of Dansguardian and finding out if some of the kids are looking for porn or DIY bombing kit instructions. Now guess what 99.9% of the time gets stuck in the filter? Educational articles on biology and chemistry, sites that contain news articles on things like homosexual marriage laws, and the like. Once I even found hits on one of our more liberal political parties' website, which was completely okay and appropriate! Is that the type of things you want to protect your kids from? I don't think so. You will likely try to protect them from badbad movies and picture galleries. I took the test, that doesn't work. You can't ban video files, and the filter isn't likely to detect picture galleries as bad unless they contain a lot of pornographic advertisements. Not that this would be of any use, since you mostly need a credit card to enter sites like that in the first place! Now, thinking of something like "webpagesthatsuck.com", I come to my other point...

b) ..., which is that your kids are likely smarter than you with computers and it's fairly easy to circumvent lousy protections like these. I know you really don't want to hear things like that, but I can tell you from experience that kids get very creative when it comes to trying to get somewhere they're not supposed to. When I was still going to grammar school, being a 13 year old smartypants, we were allowed to surf the net whenever we felt like it. There was one room with a handful of computers for us pupils and you could borrow the key whenever you had nothing to do and wanted to surf the net. At first, we had only some very cheap firewall, with everything except port 80 being locked so we couldn't chat on Jabber/IRC/ICQ/AIM/Yahoo/MSN/whatever. Well, that was unless you knew one of the many thousand public proxies to use that were on port 80, then it was easy to get around that... Then some teacher complained that he wasn't able to get material off an FTP server, and our computer guy decided to drop the firewall completely, leaving us with access to everything. Then another guy came along and wanted some sort of adult-material-filter, which meant everything was free, except for ports 80, 3128 and 8080 which all went to a local transparent proxy that checked the content, much like this one. Well, kids like me that had a computer at home didn't find it very difficult to just set up a proxy at home on some port like 8000 instead of 8080. Then you just use something like dyndns and add your home-router-thing as your local proxy, and once again you were able to surf everything without getting annoying "access denied"-pages. Then our teacher did something inherently stupid: he blocked all access to the outside world unless it went through the proxy. I noticed that because it ever so much annoyed me that I couldn't SSH home. But, guess what, the proxy allowed CONNECTs!
You could do everything you wanted through the local proxy, like using SSH, if you just did some fancy routing/tunnelling (I wrote a Howto on something similar somewhere in this forum. You really only need one free port to do NAT through an outside box and circumvent any type of filter in between).
Well, you might of course prevent your child from acquiring these skills with all the false positives going off at random (that Howto/technical document on networking might be on a server that uses adult advertisements to stay afloat after all... or just plain sites like the one I mentioned earlier that gets banned rather often because of words like "sucker"), but since I was able to do all this at 13, your child might as well be, and then you wouldn't even have a chance.

Now, if you also remember that most adult material -- like porn, or songs with badbad lyrics that were on CDs with a "parental advisory"-sticker -- aren't even gotten off the web (ugh, I hate that word, it sounds so wrong), but instead off networks like eDonkey, GNUtella, BitTorrent or good old Usenet and IRC -- maybe even via instant messenger services (I had a buddy on AIM that would always send me odd pictures every other day), and that you can almost always connect to services like that with a little bit of skill in networks and either a rented rootbox or some friend that's willing to run a proxy for you, then you will hopefully give up futile attempts like content filtering. The best they can do is annoy the kids if they got some smarts at all -- or *you*. Imagine you want to do research on the net and then get a completely legitimate site banned because the writer of the article doesn't share your idea of what's appropriate and what isn't and didn't mind "four-letter-words", or his webspace provider placed porn ads on the poor guy's site. You might even end up not being able to read your eMail via webmail because of spam mail with explicit subject lines being listed in your inbox overview!

*Don't do it*! Either only let your kids browse the web while you're sitting next to them or don't overprotect them from "inappropriate content". It's futile, really, unless your filter has its own AI that really understands your goals!

(sorry for that long post, but sissy stuff like that really gets me started)

P.S.: still a good howto, honestly, and the bits on setting up a transparent proxy and the possibility to make dansguardian check for virii on the fly along with squid being able to decrease your consumed bandwidth make it rather useful a thing to do, just don't be naive and use it to "protect" your kids.


definitely some good points. parental supervision would be your best bet any day.

also, if it were me i wouldn't even let kids have computers in their own room, but keep the computers in an open area (family room? tell me someone else would note the irony).

somehow, lock out the internet at night. yeah, i don't have any good ideas on how to do that either, but trust me. when i stayed the night at my friend's house, we'd wait until their parents went to bed and then raided his dad's pr0n stash. (woopsidaisy. i think i got this thread blocked in dansguardian ;) ).



aside, we just got onto the internet my last couple of years when i was in high school. i think the worst hijinx i got into was when we discovered how to change the wallpaper :twisted:
_________________
Sheepdog
Why Risk It? | Samba Howto
GoofballJM1
Guru


Joined: 22 Mar 2004
Posts: 392
Location: Denver, CO USA

PostPosted: Tue Jan 17, 2006 4:43 pm

Um, these are good points and all, but shouldn't this be posted in the OTW section instead of this Howto? :?
_________________
"Great spirits have often encountered violent opposition from weak minds." - Albert Einstein
mdeininger
Veteran


Joined: 15 Jun 2005
Posts: 1740
Location: Emerald Isles, observing Dublin's docklands

PostPosted: Wed Jan 18, 2006 10:31 am

GoofballJM1 wrote:
Um, these are good points and all, but shouldn't this be posted in the OTW section instead of this Howto? :?


*d'uh* yeah, i think you're right there... *looks at post in shame*
_________________
"Confident, lazy, cocky, dead." -- Felix Jongleur, Otherland

AmosMutke
Apprentice


Joined: 24 Dec 2003
Posts: 235
Location: Akita, Japan.

PostPosted: Fri Jan 20, 2006 12:17 am

mdeininger wrote:
I'd like to point out that web content *filtering* is something you really shouldn't be doing as a *parent* -- ever!
Now, before you start flaming, hear me out!


This isn't a flame, but I disagree with your points. You're saying that since it's not perfect, you shouldn't bother at all. Of course, when there's a will, there's a way. If your kids are determined to see porn, they will probably succeed. The introduction even says that this should not be considered a 100% replacement to parental supervision. However, I think the greater risk comes from the potentially dangerous programs that come from the sites that lure you in with promise of software cracks or porn.

I ssh to my mom's computer once a week to see what has been blocked. My mom has told me they are afraid that I can see everything they are doing... I told her the truth.. I can... She said they are afraid to do stuff now. Quite literally the presence of big brother keeps them in line. I told my younger siblings to let me know if they are being blocked to a website they feel they should have access to.

Lastly, if kids are clever enough to set up a remote proxy to bypass the system, do you really think that a little porn is going to psychologically scar them? I wish my siblings were that clever, but I still get IMs saying the printer isn't working when they don't have it plugged in. They're a bunch of PEBKACs.

rev138 wrote:
AmosMutke wrote:
I noticed an increase in internet browsing speed, even with broadband.


I don't understand how adding an additional layer between you and the internet could make browsing faster. If anything, one would expect the reverse.

Was this increase in "speed" from a caching proxy?


It's simple. It's a matter of latency over bandwidth. My firewall/webfilter computer cached webpages and images which cut down on bandwidth. It also used a blacklist of known ad sites. This dramatically cut down on the number of images (ads), cookies, spyware, adware, etc. being downloaded from these sites. The overhead cost of filtering requests is far less than the bandwidth used to download the unwanted "fat" from the content.


Lastly.. Sheepdogj15, thanx for your input. I'll try and make some revisions to my howto in the near future.
mdeininger
Veteran


Joined: 15 Jun 2005
Posts: 1740
Location: Emerald Isles, observing Dublin's docklands

PostPosted: Fri Jan 20, 2006 1:25 pm

AmosMutke wrote:

This isn't a flame, but I disagree with your points.

ah, not to worry, I was only adding that as the first part of the post as I have a tendency to provoke replies of the form "STFU u fr1gg3n commun1st punk!", yours seemed rather logical and I wouldn't have seen that to be a flame.

You're right about all this... "malware" floating around, dialers, browser-bar hijacks (if you're using internet explorer), things like that, that's one of the really good things about Dansguardian; that actually saved some of our computers around here (well, we need a crack every now and then. It's not about getting the stuff for free, but things like MS Office that need reactivation if you make the host-image on the wrong box aren't exactly kosher, so we crack around that.) I also admit I hadn't thought too much about the "Big Brother Effect", even though that's what keeps some of our teachers from accessing certain websites. Still, if it was me I'd limit the filter to virii and things, simply because of all the annoying false positives, and I really think the web is the least of your problems when it comes to inappropriate content. I mean, really, all of my buddies get their porn off eDonkey and Usenet and then spread 'em to other buddies via E-Mail, how's that gonna get filtered?

Now, if you could use Dansguardian to filter Usenet and EMail, that'd be something else entirely...
_________________
"Confident, lazy, cocky, dead." -- Felix Jongleur, Otherland

Headrush
Watchman


Joined: 06 Nov 2003
Posts: 5597
Location: Bizarro World

PostPosted: Wed Jan 25, 2006 1:40 am

I agree with you AmosMutke in regard to mdeininger's response.

Sure no system is perfect, but as a system administrator you know you have to continually refine the process. I would rather err on the cautious side and then whitelist sites as needed rather than just scrap the idea.

Even if you remove 80% of questionable material it still is a tremendous help and that it can be bypassed doesn't really matter. Why do porn spammers send so much to your email... the more you think about it or see it, the greater chance you will click a link or look for that stuff on the Internet. Even as an adult, the less I am reminded, the less I think about it.

I think this "always be over your child's shoulder when surfing" premise is unrealistic. Whoever said they shouldn't have a computer in their room was bang on, TVs too.

I don't block specific sites on my firewall or use any filtering other than preventing popups on my browsers which helps tremendously even when surfing as an adult.
(Gotta love when using IE and a porn ad pops up and when you hit close it opened 10 more windows. Good old ALT-F4)
thecooptoo
Veteran


Joined: 27 Apr 2003
Posts: 1353
Location: UK

PostPosted: Sun Feb 19, 2006 10:24 pm

As a parent of late teenage children I wish I had used some filtering when they were a bit younger. It's easier as a parent to have tight rules which you relax as they get older as opposed to discovering they are accessing stuff and trying to rein it back again.

I've got squid & dansguardian and shorewall

So I didn't have to go round changing browser configs
I added
Code:

REDIRECT        loc     3129            tcp     80 

to /etc/shorewall/rules.

I think this just points any requests from the LAN for port 80 to the DG/squid setup

After spotting some 3am entries in the logs I prevent nocturnal access by having a couple of cronjobs that take the network interface down at 00.20 and bring it up at 0700. If I occasionally need to access the internet during those times I manually bring the interface up.

I've got a perl script half done that inspects the DG log just before logrotate and sends an email containing lines that DG has filtered out. Once it's tidied up a bit I'll happily share it with anyone who wants it
_________________
join the optout - http://nhsconfidentiality.org
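The nightly log report thecooptoo describes above, written out as an added example (this is not his Perl script, and not part of the howto). It assumes DansGuardian's default space-separated access log layout as I remember it (date, time, user, client IP, URL, action and reason, method, size, weight, category, filter group, HTTP status, MIME type); if your dansguardian.conf uses another logfileformat, adjust parse_line. The log lines, client addresses and URLs are constructed for the example. The after-hours window mirrors his 00:20 to 07:00 cron lockout, so any denial that still lands in that window stands out in the report.

```python
"""Summarise DansGuardian denials for a nightly e-mail report (added example).

Assumed log layout (DansGuardian default, reconstructed from memory):
  date time user client-ip url action reason... method size weight category group status mime
The action/reason part has a variable number of words, so we take the five
fields before it and the seven fields after it and join whatever is left.
"""
from collections import defaultdict
from datetime import datetime, time

# Constructed sample log; the hosts and addresses are made up.
SAMPLE_LOG = """\
2006.2.19 22:14:05 - 192.168.1.10 http://www.example.org/biology/ *EXCEPTION* Exception site match GET 12345 0 - 1 200 text/html
2006.2.19 22:15:11 - 192.168.1.10 http://ads.example.net/banner.gif *DENIED* Banned site: ads.example.net GET 0 0 Ads 1 403 image/gif
2006.2.20 03:02:43 - 192.168.1.12 http://www.example.com/ *DENIED* Weighted phrase limit of 50 : 140 GET 0 140 Adult 1 403 text/html
2006.2.20 03:03:01 - 192.168.1.12 http://www.example.com/gallery/ *DENIED* Weighted phrase limit of 50 : 97 GET 0 97 Adult 1 403 text/html
2006.2.20 08:30:17 - 192.168.1.11 http://www.example.org/homework/ - GET 4321 0 - 1 200 text/html
"""

NIGHT_START = time(0, 20)  # cron takes the interface down at 00:20 ...
NIGHT_END = time(7, 0)     # ... and brings it back up at 07:00


def parse_line(line):
    """Parse one access-log line into a dict; return None for lines that do not fit."""
    tokens = line.split()
    if len(tokens) < 13:          # 5 leading + at least 1 action + 7 trailing fields
        return None
    date_s, time_s, user, client, url = tokens[:5]
    method, size, weight, category, group, status, mime = tokens[-7:]
    action_tokens = tokens[5:-7]
    try:
        when = datetime.strptime(f"{date_s} {time_s}", "%Y.%m.%d %H:%M:%S")
    except ValueError:
        return None
    return {
        "when": when, "user": user, "client": client, "url": url,
        "action": action_tokens[0],              # e.g. *DENIED*, *EXCEPTION*, or "-"
        "reason": " ".join(action_tokens[1:]),   # free-text reason, may be empty
        "method": method, "size": int(size), "weight": int(weight),
        "category": category, "group": group, "status": int(status), "mime": mime,
    }


def is_denied(entry):
    return entry["action"].startswith("*DENIED*")


def nocturnal(entry):
    """True if the request happened inside the lockout window (does not cross midnight)."""
    t = entry["when"].time()
    return NIGHT_START <= t < NIGHT_END


def summarise(log_text):
    """Return (denied entries, counts keyed by (client, category), after-hours denials)."""
    entries = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    denied = [e for e in entries if is_denied(e)]
    counts = defaultdict(int)
    for e in denied:
        counts[(e["client"], e["category"])] += 1
    night = [e for e in denied if nocturnal(e)]
    return denied, dict(counts), night


def report(log_text):
    """Build the plain-text body to mail out just before logrotate."""
    denied, counts, night = summarise(log_text)
    lines = [f"DansGuardian denials: {len(denied)}"]
    for (client, category), n in sorted(counts.items()):
        lines.append(f"  {client:<15} {category:<8} {n}")
    if night:
        lines.append(f"After-hours denials ({NIGHT_START:%H:%M}-{NIGHT_END:%H:%M}): {len(night)}")
        for e in night:
            lines.append(f"  {e['when']:%Y-%m-%d %H:%M} {e['client']} {e['url']} [{e['reason']}]")
    return "\n".join(lines)


if __name__ == "__main__":
    # In practice: read /var/log/dansguardian/access.log and pipe this into mail(1) from cron.
    print(report(SAMPLE_LOG))
```

A denial at 03:02 in a window where the interface should be down is worth a second look on its own: it means the interface was brought back up manually and not taken down again, or the cron job did not run, which is the sort of thing the report catches before the children do.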
batistuta
Veteran


Joined: 29 Jul 2005
Posts: 1384
Location: Aachen

PostPosted: Wed Jul 26, 2006 2:23 pm

Hi guys. I have a silly question. I mean silly, because I don't know anything about routing tables and stuff. But my problem is similar to that of many people. I have an integrated DSL modem+wireless router with a few computers behind. I would like to set up the proxy on my box, but to filter traffic going to all other machines in my small LAN. Is it possible to direct all traffic to my computer, and then from there to the other machines? Would this require turning off DHCP in the router and putting it on my machine? Would the W-LAN work after that?

This is such a typical setup, that I'm sure someone has already come up with a solution...
the only one that I can think of is putting the router as a client behind my machine and another between my machine and the net :D
thecooptoo
Veteran


Joined: 27 Apr 2003
Posts: 1353
Location: UK

PostPosted: Wed Jul 26, 2006 6:00 pm

make/model of router ?
_________________
join the optout - http://nhsconfidentiality.org
batistuta
Veteran


Joined: 29 Jul 2005
Posts: 1384
Location: Aachen

PostPosted: Thu Jul 27, 2006 8:30 am

I have a FRITZ!Box Fon WLAN 7050 (connecting to the internet). Alternatively, I have a Linksys WRT54G functioning as a repeater. Both run linux so I could tweak some stuff in them if needed although I really don't want to. However, both support port forwarding.