Content Filtering with DansGuardian
BYU Unix User Group
- What is DansGuardian?
- Installation and Setup
- Basic Configuration
- Using DansGuardian as a transparent proxy
- But what about trust?
- Q & A
What is DansGuardian?
- DansGuardian is a content-filtering web proxy
- Can filter text and HTML using weighted phrase list
- Can filter based on PICS rating
- Can filter based on MIME types, file extensions, ...
- Supports site and URL blacklists and whitelists
- Supports user authentication, exceptions for specific computers, etc.
- Uses Squid or Oops for fetching pages
Installation and Setup
- Various installation methods available
- *BSD ports tree
- Gentoo ebuild
- RPMs for Fedora, Suse, Mandrake
- Debian packages
- Source and binary tarballs
- Squid must be installed first.
- No special configuration is strictly required.
- You may want to configure Squid to allow access only from localhost, so that clients have to go through DansGuardian rather than connecting to Squid directly:
http_access allow localhost
http_access deny all
Basic Configuration
- Look at files in /usr/local/etc/dansguardian (/etc/dansguardian on some systems)
- Main configuration in dansguardian.conf
- Black/whitelist configuration, "naughtiness limit", etc. controlled from dansguardianf1.conf
- DansGuardian doesn't require blacklists (but it can use them)
- Subscription available if you buy SmoothGuardian or Corporate Guardian
- Available from URLBlacklist.com:
- Download once for free, or
- Subscriptions for a fee
- I used to use a blacklist, but since I replaced my antiquated Red Hat setup with FreeBSD and updated DansGuardian, I haven't used one, and I haven't noticed a difference. YMMV.
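An added example (not part of the original presentation, nor code from the Squid or DansGuardian projects): a small Python check, run over constructed squid.conf fragments, that applies Squid's first-match http_access evaluation to tell whether a LAN client could connect to Squid directly and fetch pages without passing through DansGuardian. The names WEAK, HARDENED and client_allowed and the address 192.168.1.50 are assumptions made for the example, and only src ACLs in IPv4 CIDR form are read.

```python
import ipaddress

# Constructed squid.conf fragments, not taken from the presentation's server.
WEAK = """\
acl localnet src 192.168.0.0/16
http_access allow localhost
http_access allow localnet
http_access deny all
"""
HARDENED = "http_access allow localhost\nhttp_access deny all\n"

# Source ACLs that Squid 3.2+ predefines; older configs declare them with "acl".
BUILTIN = {"all": ["0.0.0.0/0"], "localhost": ["127.0.0.1/32"]}

def parse(conf):
    """Return (src ACL table, ordered http_access rules). IPv4 CIDR entries only."""
    acls = {k: [ipaddress.ip_network(n) for n in v] for k, v in BUILTIN.items()}
    rules = []
    for line in conf.splitlines():
        tok = line.split("#", 1)[0].split()
        if len(tok) >= 4 and tok[0] == "acl" and tok[2] == "src":
            nets = [ipaddress.ip_network(n, strict=False) for n in tok[3:]]
            acls.setdefault(tok[1], []).extend(nets)
        elif len(tok) >= 3 and tok[0] == "http_access":
            rules.append((tok[1] == "allow", tok[2:]))
    return acls, rules

def rule_matches(acls, names, ip, allow):
    """All ACLs on one http_access line are ANDed; '!' negates an ACL."""
    for n in names:
        neg, name = n.startswith("!"), n.lstrip("!")
        if name not in acls:
            # Not a source ACL (port, method, ...): assume the case that is
            # worst for the filter, i.e. allow rules match and deny rules don't.
            if not allow:
                return False
            continue
        if any(ip in net for net in acls[name]) == neg:
            return False
    return True

def client_allowed(conf, client):
    """Would Squid serve a request arriving directly from this client address?"""
    acls, rules = parse(conf)
    ip = ipaddress.ip_address(client)
    for allow, names in rules:          # first matching rule decides
        if rule_matches(acls, names, ip, allow):
            return allow
    # No rule matched: Squid applies the opposite of the last rule,
    # and denies everything when there are no http_access rules at all.
    return (not rules[-1][0]) if rules else False
```

A True result for a LAN address means that client can point its browser at Squid's own port and skip the filter; the two-line localhost-only configuration returns False for every address except 127.0.0.1.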
Using DansGuardian as a transparent proxy
- What is a transparent proxy and why would I want one?
- A transparent proxy handles all outbound HTTP requests without any setup on the client machine.
- This is done using firewall rules that redirect outbound HTTP requests to the proxy's port 8080.
- It makes administration easy: you don't have to adjust any settings in any client browsers. It Just Works.
- Users can't disable or bypass the proxy.
- Disadvantage: users can't bypass or disable the proxy, so HTTP requests will completely ignore the user's /etc/hosts file (although they will use the one on the proxy server).
Using DansGuardian as a transparent proxy (page 2)
- Some Squid setup is required:
Using DansGuardian as a transparent proxy (page 3)
- Finally, configure the firewall:
- pf (FreeBSD, OpenBSD), in pf.conf:
# This code should appear immediately after any NAT rules
rdr on $int_if inet proto tcp from any to $external_net port 80 -> 127.0.0.1 port 8080
pass in quick on $int_if inet proto tcp from any to 127.0.0.1 port 8080 keep state
pass out quick on $ext_if inet proto tcp from any to any port 80 keep state
- Linux iptables:
iptables -t nat -A PREROUTING -m tcp -p tcp --dport 80 -j REDIRECT --to-port 8080
- Linux ipchains:
$IPCHAINS -A input -p TCP -d 127.0.0.1/32 80 -j ACCEPT
$IPCHAINS -A input -p TCP -d $INTERNALIP/32 80 -j ACCEPT
$IPCHAINS -A input -p TCP -s $INTERNALNET -d $REMOTENET 80 -j REDIRECT 8080
But what about trust?
- But I trust my [spouse|kids|employees|roommates|etc]. Why do I need a filter at all?
- This is a question that comes up frequently both online and offline. Below
is the answer I offered last year to one person on an online forum, when his
parents wanted to install a filter. You'll probably want to develop your own
Trust is great, as far as it goes, but for my systems, I use a filter
anyway just to prevent typo problems and similar accidental stuff. I
do this for my own use, not for my daughter: she's barely two years
old, she doesn't have any clue yet how to use a computer or why she'd
want to :) So, it's not an issue of trust, it's just a matter of
My recommendation: go ahead and use the filter, and keep trust as an
entirely separate discussion.
- URLs for the above-listed online resources:
- The DansGuardian Web Site: http://www.dansguardian.org/
- URLBlacklist.com: http://www.urlblacklist.com/
- The DansGuardian Documentation Page: http://dansguardian.org/?page=documentation
- Platform for Internet Content Selection (PICS): http://www.w3.org/PICS/
- A Parent's Guide to Linux Web Filtering: http://www.linux.com/article.pl?sid=04/07/01/1833212
- Slashdot discussion of the above article: http://yro.slashdot.org/yro/04/07/01/1548255.shtml
- In addition to the resources mentioned before, credits are due:
- This presentation is composed entirely of HTML and CSS, based on Eric Meyer's S5 presentation system: http://www.meyerweb.com/eric/tools/s5/