
Re: [OT] squidguard, dansguardian, other?? on a 486?



on Thu, Jul 08, 2004 at 07:55:41PM -0700, Kenward Vaughan (kay_jay@earthlink.net) wrote:
> I'm searching for a good system (squid + add on) for my firewall which
> will do a reasonable job knocking out obvious problem sites for my kids
> as they use the Web.  So far I've seen mentions of squidguard and
> dansguardian, but don't know of others to consider, if there are any.
> 
> Does anyone have thoughts about either of these possibilities?  The
> only previous post I found concerning both turned out to be a
> discussion about using one in particular.
> 
> My current (Shorewall based) firewall is my original 486/66 (48 Mb ram)
> which also works well as our gateway.  I don't know what this will do
> to it, though.  Anybody have thoughts about this part?

I'm running a computer lab for a kids/teen center, and am using both
Squid and Dansguardian.  I've got Squidguard installed but not
configured, more to follow.  And I use iptables for some stuff.


Dansguardian as a basic filtering proxy *rocks*.  It's *very* good, and
has a really good true/false positive/negative trend.

If you set it up on a client-by-client basis, you can set different
filtering levels for different clients.  I've chosen *not* to do this,
instead forwarding all traffic as a transparent web proxy through
iptables (one of two things going on, more later).

The basic configuration files are both sane and highly effective.
You'll probably want to add some exceptions to both the pass and fail
lists.  In particular, I found that image search sites
(images.google.com, and related) were a tough set to filter based on
rules alone.  Try searching "girlfriend" and you'll see what I mean.  A
lot of skin, with no words to filter content.  The "safe mode on" Google
setting turned out to be a complete non-starter as it effectively let
*everything* through.  So those sites got banned.

Since then, I've had a couple of pages sneak through, mostly via
banners.  I suspect Asian pr0n might as well, though in general, foreign
language coverage is pretty darned good.  Mostly it's banner sites.  For
these, I've taken two approaches:

  - Block the major banner sites altogether.  In particular, popups are
    a major hassle.  They confuse kids, and disrupt sessions: "Hey,
    Karsten, I just won....".  Though they provide many teachable
    moments on Internet safety, advertising, and protecting personal
    information.

  - For a few sites, largely minor ones, the banners get through without
    leaving a trace in Dansguardian.  For these, I'll track down the IP,
    find the allocation for the upstream ISP, and simply block the whole
    range.  "REJECT" for outbound traffic and "DROP" for inbound.  This
    keeps the kids' browsers from hanging, but ties up the remote
    webserver until timeout should it try to connect for any reason.
    You will get a broken image icon for these sites.

If you want to set or bypass filters for all or part of a site, you can
do this as well.

Dansguardian also:

  - Filters by extension.  Kids can't d/l executables.  Could also block
    MP3s, WMAs, OGGs, etc., if I wanted to.

  - Filters by classification.  Not just pr0n, but violence, chat, and a
    number of other categories.

  - Provides specific and meaningful logging information.  What client
    requested what site, whether it was passed or DENIED, and what
    reasons.


The main detraction to dansguardian is that it posts a big "denied" page
up for anything that was denied.  For some banners, you just want a
transparent drop.  What I do at home is control this via DNS, declare
myself authoritative for a number of domains, send all traffic to a
virtualhost on my local webserver, and serve up a light green 1x1 PNG
for all requests (the blocked content).  Results can be seen at:

    http://linuxmafia.com/~karsten/Images/green-is-blocked-ads.png

Squidguard gives a finer level of control, and for content which:

  1.  You don't particularly care to know that it is/isn't blocked.
  2.  It lives on a host/domain that you might want _some_ content from.

...it provides better flexibility.

As for hardware, my local webserver is a PII-233 box, serving pretty
much just me.  DNS runs on it + a PPro 180MHz system, and Squid on a
P-200.  Spread as much as it is pretty much 'coz I got the boxes.

At work, Squid and Dansguardian both live on a PIII-400 which typically
reports a load of 0.1-0.3 under heavy gaming load from the kids ;-)

Squid itself is reporting a 40% hit rate on cache by request and ~30% by
bytes.


Summary:

  - General filtering:  dansguardian.
  - Specific trouble ISPs:  iptables.
  - Specific trouble domains:  DNS & virthost.
  - Specific sections of websites:  squidguard.


You don't need all of each (I don't have a site set up w/ any of the
above fully), but this does speak to the strengths of various methods.



Peace.

-- 
Karsten M. Self <kmself@ix.netcom.com>        http://kmself.home.netcom.com/
 What Part of "Gestalt" don't you understand?
  Information is not power after all: Old-fashioned power is power. If you
  aren't big industry or government, you have very little power. Once they've
  hacked the electronic voting system, you'll have no power at all.
  - Robert X. Cringely
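The iptables range block from the second approach above (REJECT outbound so browsers fail fast, DROP inbound so the remote end just times out), as an added example that is not part of the original post. The ranges are constructed RFC 5737 documentation networks, and the script defaults to printing the rules rather than applying them; a minimal CIDR check refuses prefixes shorter than /8, since a typo there would blackhole far more than one ISP.

```shell
#!/bin/sh
# Added example, not from the original post. DRY_RUN=1 (default) prints the
# iptables commands for review; run as root with DRY_RUN=0 to apply them.
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# valid_cidr <a.b.c.d/n>: dotted quad, octets 0..255, prefix length 8..32.
# Anything shorter than /8 is treated as a mistake, not an ISP allocation.
valid_cidr() {
    case $1 in
        */*) ;;
        *) return 1 ;;
    esac
    ip=${1%/*}
    len=${1#*/}
    case $len in ''|*[!0-9]*) return 1 ;; esac
    [ "$len" -ge 8 ] && [ "$len" -le 32 ] || return 1
    oldifs=$IFS; IFS=.
    set -- $ip
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}

# block_range <cidr>: REJECT outbound (browser gets an immediate error,
# no hang) and DROP inbound (remote side waits until it times out).
block_range() {
    valid_cidr "$1" || { echo "refusing bad range: $1" >&2; return 1; }
    run iptables -A OUTPUT -d "$1" -j REJECT &&
    run iptables -A INPUT -s "$1" -j DROP
}

# Constructed sample "trouble" ranges (RFC 5737 documentation networks).
BLOCKED_RANGES="192.0.2.0/24
198.51.100.0/24"

for r in $BLOCKED_RANGES; do
    block_range "$r"
done
```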
