Content Filtering with DansGuardian

Gary Thornock

BYU Unix User Group

Overview

• What is DansGuardian?
• Installation and Setup
• Basic Configuraton
• Blacklists
• Using DansGuardian as a transparent proxy
• But what about trust?
• Resources
• Q & A

What is DansGuardian?

• DansGuardian is a content-filtering web proxy
  • Can filter text and HTML using weighted phrase list
  • Can filter based on PICS rating
  • Can filter based on MIME types, file extensions, ...
  • Supports site and URL blacklists and whitelists
  • Supports user authentication, exceptions for specific computers, etc.
• Uses Squid or Oops for fetching pages

Installation and Setup

• Various installation methods available
  • *BSD ports tree
  • Gentoo ebuild
  • RPMs for Fedora, Suse, Mandrake
  • Debian packages
  • Source and binary tarballs
• Squid must be installed first.
  • No special configuration is strictly required.
  • You may want to configure Squid to allow access only from localhost:
    http_access allow localhost
http_access deny all

Basic Configuration

• Look at files in /usr/local/etc/dansguardian (/etc/dansguardian on some systems)
• Main configuration in dansguardian.conf
• Black/whitelist configuration, "naughtiness limit", etc. controlled from dansguardianf1.conf

Blacklists

• DansGuardian doesn't require blacklists (but it can use them)
• Subscription available if you buy SmoothGuardian or Corporate Guardian
• Available from URLBlacklist.com:
  • Download once for free, or
  • Subscriptions for a fee
• I used to use a blacklist, but since I replaced my antiquated Red Hat setup with FreeBSD and updated DansGuardian, I haven't used one, and I haven't noticed a difference. YMMV.

Using DansGuardian as a transparent proxy

• What is a transparent proxy and why would I want one?
  • A transparent proxy handles all outbound HTTP requests without any setup on the client machine.
  • This is done using firewall rules that redirect outbound HTTP requests to the proxy's port 8080
  • It makes administration easy: you don't have to adjust any settings in any client browsers. It Just Works.
  • Users can't disable or bypass the proxy.
  • Disadvantage: users can't bypass or disable the proxy, so HTTP requests will completely ignore the user's /etc/hosts file (although it will use the one on the proxy server).

Using DansGuardian as a transparent proxy (page 2)

• Some Squid setup is required:
  httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_single_host off
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

Using DansGuardian as a transparent proxy (page 3)

• Finally, configure the firewall:
  • pf:
    # This code should appear immediately after any NAT rules
rdr on $int_if inet proto tcp from any to $external_net port 80 -> 127.0.0.1 port 8080
pass in quick on $int_if inet proto tcp from any to 127.0.0.1 port 8080 keep state
pass out quick on $ext_if inet proto tcp from any to any port 80 keep state

  • iptables:
    iptables -t nat -A PREROUTING -m tcp -p tcp --dport 80 -j REDIRECT --to-port 8080
  • ipchains:
    $IPCHAINS -A input -p TCP -d 127.0.0.1/32 80 -j ACCEPT
$IPCHAINS -A input -p TCP -d $INTERNALIP/32 80 -j ACCEPT
$IPCHAINS -A input -p TCP -s $INTERNALNET -d $REMOTENET 80 -j REDIRECT 8080

But what about trust?

• But, I trust my [spouse|kids|employees|roommates|etc] Why do I need a filter at all?
• This is a question that comes up frequently both online and offline. Below is the answer I offered last year to one person on an online forum, when his parents wanted to install a filter. You'll probably want to develop your own answers.
  

  Trust is great, as far as it goes, but for my systems, I use a filter anyway just to prevent typo problems and similar accidental stuff. I do this for my own use, not for my daughter: she's barely two years old, she doesn't have any clue yet how to use a computer or why she'd want to :) So, it's not an issue of trust, it's just a matter of prevention.

  My recommendation: go ahead and use the filter, and keep trust as an entirely separate discussion.

Resources

• The DansGuardian Web Site
• URLBlacklist.com
• The DansGuardian Documentation Page
• Platform for Internet Content Selection (PICS)
• A Parent's Guide to Linux Web Filtering
• Slashdot discussion of the above article

Credits

• In addition to the resources mentioned before, credits are due:
• This presentation is composed entirely of HTML and CSS, based on Eric Meyer's S5 presentation system: http://www.meyerweb.com/eric/tools/s5/