Re: parental control with squid and dansguardian

2007-07-07 Thread Jeffrey Goldberg

On Jul 6, 2007, at 2:33 PM, RW wrote:

If this box is not the gateway, there is no point in doing anything
about this because they can simply turn off proxying and go direct to
the internet.


However, on your gateway you can specify that only the proxy box is
allowed to connect to the web.  That is, block all outbound traffic
to ports 80 and 443 unless they come from the machine running squid.


-j



--
Jeffrey Goldberg    http://www.goldmark.org/jeff/

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: parental control with squid and dansguardian

2007-07-07 Thread Steve Bertrand
Jeffrey Goldberg wrote:
 On Jul 6, 2007, at 2:33 PM, RW wrote:
 If this box is not the gateway, there is no point in doing anything
 about this because they can simply turn off proxying and go direct to
 the internet.
 
 However, on your gateway you can specify that only the proxy box is
 allowed to connect to the web.  That is, block all outbound traffic to
 ports 80 and 443 unless they come from the machine running squid.

This is of course granted that the gateway has a strict firewall rule
set that allows minimal, known destination ports and by default would
block external, free proxies (and anything else) that run on unusual
ports (e.g. 50001), as someone else suggested.

Steve


Re: parental control with squid and dansguardian

2007-07-06 Thread Peter Boosten

Zbigniew Szalbot wrote:
 hi,
 
 Thank you all for your comments re FreeBSD as a parental control and
 gateway server. I have both squid and dansguardian working and I am left
 with configuring them to optimize web browsing and the desired level of
 control.
 
 I do not yet have FreeBSD functioning as a real gateway as I will be able
 to do it at a later stage. However, there is one thing that leaves me
 wondering. In order to use the content filtering as provided by
 Dansguardian, I need to configure the browser to look for proxy on port
 8080. Now, if someone just changes the port in their browser to 3128 (squid
 proxy port), then all content filtering will be bypassed. 
 
 What do I need to do in order to avoid someone escaping the control? 

ACL in squid.conf is your magic word...

Peter
-- 
http://www.boosten.org


re: parental control with squid and dansguardian

2007-07-06 Thread Zbigniew Szalbot
Hello,

Now, if someone just changes the port in their browser to 3128 (squid
 proxy port), then all content filtering will be bypassed.
 
 I have the same setup at home for my kids.
 
 Check the /etc/ipnat.conf file to redirect all web traffic to your
 FreeBSD_gateway_IP_address:8080 (assuming your FreeBSD box acts as a
 firewall/squid/gateway).

Now, I am not sure about one thing. ipnat.conf is an ipfilter conf file. I use
pf. I was wondering - maybe I should use squid setup defining an acl that
would ban connections to port 3128 in squid? I am not sure yet how to do
it (all of this is totally new to me) but I guess it is probably quite
simple. Then I should probably set squid in the transparent mode which
would enable me to point browsers to auto-discover proxy settings? Again, I
am not sure my thinking is correct.

Thanks!

-- 
Zbigniew Szalbot

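The squid-side lock that Peter's "ACL in squid.conf" reply and the question above about banning port 3128 both point at, written out as an added example that is not any poster's own configuration: squid binds only to the loopback, so port 3128 is never reachable from the LAN at all, and the http_access list admits only the loopback client, which is DansGuardian on 8080. The syntax is the squid 2.6-era form in use when this thread was written; the ports 3128 and 8080 come from the thread, the rest is assumed.

```conf
# Added example squid.conf fragment (not from the thread); squid 2.6-era syntax.
# squid answers only on 127.0.0.1, so a browser pointed at gateway:3128 gets
# "connection refused" and DansGuardian (listening on 8080) is squid's sole client.
http_port 127.0.0.1:3128

acl all        src 0.0.0.0/0.0.0.0
acl localhost  src 127.0.0.1/255.255.255.255
acl SSL_ports  port 443
acl Safe_ports port 80 443 21 1025-65535   # assumed set; trim to what the LAN needs
acl CONNECT    method CONNECT

# Refuse odd destination ports and CONNECT to anything but 443 before anything else.
http_access deny  !Safe_ports
http_access deny  CONNECT !SSL_ports

# Only the loopback (DansGuardian) may use the cache; everyone else is denied.
http_access allow localhost
http_access deny  all
```

The matching DansGuardian side is its own dansguardian.conf: filterport = 8080 with filterip left empty (or set to the LAN address), and proxyip = 127.0.0.1, proxyport = 3128 so it hands requests to the loopback listener. To confirm the binding on the FreeBSD box, `sockstat -4l` should list squid on 127.0.0.1:3128 only and dansguardian on the LAN address (or *) port 8080.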


re: parental control with squid and dansguardian

2007-07-06 Thread Denis R.
Now, if someone just changes the port in their browser to 3128 (squid
proxy port), then all content filtering will be bypassed.

I have the same setup at home for my kids.

Check the /etc/ipnat.conf file to redirect all web traffic to your
FreeBSD_gateway_IP_address:8080 (assuming your FreeBSD box acts as a
firewall/squid/gateway).

Regards,
Den



Re: parental control with squid and dansguardian

2007-07-06 Thread Daniel Bye
Zbigniew Szalbot wrote:
 hi,
 
 Thank you all for your comments re FreeBSD as a parental control and
 gateway server. I have both squid and dansguardian working and I am left
 with configuring them to optimize web browsing and the desired level of
 control.
 
 I do not yet have FreeBSD functioning as a real gateway as I will be able
 to do it at a later stage. However, there is one thing that leaves me
 wondering. In order to use the content filtering as provided by
 Dansguardian, I need to configure the browser to look for proxy on port
 8080. Now, if someone just changes the port in their browser to 3128 (squid
 proxy port), then all content filtering will be bypassed. 
 
 What do I need to do in order to avoid someone escaping the control? I am
 also wondering how I should bring pf into the picture? I haven't tried yet
 as the box is behind a router firewall anyway but I would appreciate your
 comments how to marry squid & dansguardian with pf.

You can use pf's redirection to catch all outbound traffic destined for
port 80:

  rdr on $int_if inet proto tcp from $internal_net to !<me> port www -> \
      $proxy_host port $proxy_port

Define the macros appropriately in /etc/pf.conf and you're away.

<me> is a pf table that contains all the firewall machine's addresses:

  table <me> persist { self }

Any packets originating from your internal network, bound for port 80 on
any host other than the firewall (you may need to fine tune this,
depending on your needs), are redirected to the designated host/port. No
need to set up per-client proxies as the firewall handles it transparently.

Make sure squid is built with SQUID_PF=1 (from make config). There are
some settings in squid.conf you may need to tweak - there's plenty of
documentation on their website.

Transparent proxying requires no client configuration, but it also means
that proxy authentication won't work, because as far as the client is
concerned, it is talking to an end server, not a proxy. If this is a
concern, then you can just set up your clients to explicitly look for
the proxy, and tighten up your firewall rules so that altering the proxy
settings might bypass the proxy/filter, but will also get any web
traffic blocked at the firewall. They'll soon go back to using the
supplied proxy settings!

I'm not sure about automatic proxy config, as I've never used it. It is
not, though, a type of transparent proxying, which is run entirely on
the firewall/proxy hosts, without any knowledge of it on the part of the
client.

HTH

Dan
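Daniel's rdr rule and <me> table assembled into a complete pf.conf fragment, as an added example that is not Daniel's or the list's own configuration. It assumes squid and DansGuardian run on the gateway itself (if the proxy sat on the same LAN segment as the clients, its replies would not pass back through the firewall and the redirected connections would fail); the interface names em0/em1, the 192.168.1.0/24 network and the 192.168.1.1 gateway address are made-up values, and the redirect target is DansGuardian's 8080, not squid's 3128.

```conf
# Added example pf.conf fragment (not from the thread). Interfaces and addresses
# are assumptions; squid + DansGuardian are assumed to run on this gateway.
ext_if       = "em0"
int_if       = "em1"
internal_net = "192.168.1.0/24"
proxy_host   = "192.168.1.1"   # the gateway's own LAN address
proxy_port   = "8080"          # DansGuardian's listener, not squid's 3128

# every address belonging to the firewall itself (Daniel's table)
table <me> persist { self }

# LAN HTTP aimed at anything other than the firewall is rewritten to the filter.
rdr on $int_if inet proto tcp from $internal_net to !<me> port www \
    -> $proxy_host port $proxy_port

nat on $ext_if inet from $internal_net to any -> ($ext_if)

# Default deny, logged to pflog0 so bypass attempts are visible.
block log all
pass quick on lo0

# The LAN needs DNS regardless of the proxy.
pass in  on $int_if inet proto udp from $internal_net to any port domain keep state

# Filter rules see the post-rdr address: admit the rewritten connections to
# the filter listener. Nothing admits LAN traffic to port 443 or to 3128, so
# a browser aimed straight at either is dropped and logged.
pass in  on $int_if inet proto tcp from $internal_net to $proxy_host port $proxy_port keep state

# squid's own fetches originate on the gateway and leave on the outside.
pass out on $ext_if inet keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, and watch the drops with `tcpdump -n -e -ttt -i pflog0`. Only port 80 is redirected: HTTPS cannot be filtered this way, which is RW's later point that clients still need explicit proxy settings for https and FTP if those are to work at all.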


Re: parental control with squid and dansguardian

2007-07-06 Thread Zbigniew Szalbot
Hi Daniel,

On Fri, 06 Jul 2007 17:20:50 +0100, Daniel Bye [EMAIL PROTECTED]
wrote:
 You can use pf's redirection to catch all outbound traffic destined for
 port 80:
 
    rdr on $int_if inet proto tcp from $internal_net to !<me> port www -> \
        $proxy_host port $proxy_port
 
 Define the macros appropriately in /etc/pf.conf and you're away.
 
 <me> is a pf table that contains all the firewall machine's addresses:
 
    table <me> persist { self }
 
 Any packets originating from your internal network, bound for port 80 on
 any host other than the firewall (you may need to fine tune this,
 depending on your needs), are redirected to the designated host/port. No
 need to set up per-client proxies as the firewall handles it
 transparently.

Great! Thank you so much! Now this should really speed me up and it is a
perfect solution as no client configuration is needed and no escaping
possible! Thanks again!

I really appreciate such a helpful community as is here! Hard to find these
days. Thank you!

-- 
Zbigniew Szalbot



Re: parental control with squid and dansguardian

2007-07-06 Thread RW
On Fri, 6 Jul 2007 13:20:07 +0200
Zbigniew Szalbot [EMAIL PROTECTED] wrote:

 I do not yet have FreeBSD functioning as a real gateway as I will be
 able to do it at a later stage. However, there is one thing that
 leaves me wondering. In order to use the content filtering as
 provided by Dansguardian, I need to configure the browser to look for
 proxy on port 8080. Now, if someone just changes the port in their
 browser to 3128 (squid proxy port), then all content filtering will
 be bypassed. 
 

If this box is not the gateway, there is no point in doing anything
about this because they can simply turn off proxying and go direct to
the internet.



Re: parental control with squid and dansguardian

2007-07-06 Thread RW
On Fri, 6 Jul 2007 18:26:36 +0200
Zbigniew Szalbot [EMAIL PROTECTED] wrote:


 Great! Thank you so much! Now this should really speed me up and it is a
 perfect solution as no client configuration is needed and no escaping
 possible! Thanks again!


Unless they reconfigure their browser to use one of the numerous free
proxy servers.


Re: parental control with squid and dansguardian

2007-07-06 Thread Peter Boosten
RW wrote:
 On Fri, 6 Jul 2007 18:26:36 +0200
 Zbigniew Szalbot [EMAIL PROTECTED] wrote:
 
 
 Great! Thank you so much! Now this should really speed me up and it is a
 perfect solution as no client configuration is needed and no escaping
 possible! Thanks again!
 
 
 Unless they reconfigure their browser to use one of the numerous free
 proxy servers.

The answer to that problem is quite easy: deny all direct access to the
internet on your gateway.

Peter
-- 
http://www.boosten.org


Re: parental control with squid and dansguardian

2007-07-06 Thread RW
On Fri, 06 Jul 2007 21:47:43 +0200
Peter Boosten [EMAIL PROTECTED] wrote:

 RW wrote:
  On Fri, 6 Jul 2007 18:26:36 +0200
  Zbigniew Szalbot [EMAIL PROTECTED] wrote:
  
  
  Great! Thank you so much! Now this should really speed me up and it
  is a perfect solution as no client configuration is needed and no
  escaping possible! Thanks again!
  
  
  Unless they reconfigure their browser to use one of the numerous
  free proxy servers.
 
 The answer to that problem is quite easy: deny all direct access to
 the internet on your gateway.

In which case there isn't much point in transparent proxying because
the browser will need to use the proxy for https and FTP.


Re: parental control with squid and dansguardian

2007-07-06 Thread Peter Boosten
RW wrote:
 On Fri, 06 Jul 2007 21:47:43 +0200
 Peter Boosten [EMAIL PROTECTED] wrote:
 
 RW wrote:
 On Fri, 6 Jul 2007 18:26:36 +0200
 Zbigniew Szalbot [EMAIL PROTECTED] wrote:


 Great! Thank you so much! Now this should really speed me up and it
 is a perfect solution as no client configuration is needed and no
 escaping possible! Thanks again!

 Unless they reconfigure their browser to use one of the numerous
 free proxy servers.
 The answer to that problem is quite easy: deny all direct access to
 the internet on your gateway.
 
 In which case there isn't much point in transparent proxying because
 the browser will need to use the proxy for https and FTP.

Correct. That said, the OP probably doesn't have to configure hundreds of
home PCs, so no need for transparent proxying.

Peter
-- 
http://www.boosten.org


Re: parental control with squid and dansguardian

2007-07-06 Thread Steve Bertrand
RW wrote:
 On Fri, 6 Jul 2007 13:20:07 +0200
 Zbigniew Szalbot [EMAIL PROTECTED] wrote:
 
 I do not yet have FreeBSD functioning as a real gateway as I will be
 able to do it at a later stage. However, there is one thing that
 leaves me wondering. In order to use the content filtering as
 provided by Dansguardian, I need to configure the browser to look for
 proxy on port 8080. Now, if someone just changes the port in their
 browser to 3128 (squid proxy port), then all content filtering will
 be bypassed. 

 
 If this box is not the gateway, there is no point in doing anything
 about this because they can simply turn off proxying and go direct to
 the internet.

Not if the box is an inline bridge...

Allow minimal Internet use (ftp, ssh, 587, 110, etc.), then fwd 80, 443 to
the internal proxy box and voila.

Steve
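Jeffrey's, Peter's and Steve's suggestions combined (only the proxy may reach ports 80 and 443, a minimal list of other services, everything else refused), as an added example that is none of the posters' own rules: a pf.conf fragment for the explicit-proxy arrangement RW and Peter settled on, where browsers are pointed at DansGuardian and a changed proxy setting just gets the traffic dropped and logged instead of bypassing the filter. Interfaces and addresses are assumptions, and squid and DansGuardian are assumed to run on the gateway rather than on a separate inline box.

```conf
# Added example pf.conf fragment (not from the thread). Explicit-proxy mode:
# no rdr at all; clients are configured for $gw_lan:$filter_port by hand.
ext_if       = "em0"
int_if       = "em1"
internal_net = "192.168.1.0/24"
gw_lan       = "192.168.1.1"   # gateway's LAN address; squid + DansGuardian run here
filter_port  = "8080"          # DansGuardian; squid's 3128 is deliberately never opened

# Steve's minimal direct list: ftp, ssh, 587 (submission), 110 (pop3).
lan_direct   = "{ ftp, ssh, submission, pop3 }"

nat on $ext_if inet from $internal_net to any -> ($ext_if)

block log all
pass quick on lo0

pass in  on $int_if inet proto udp from $internal_net to any port domain keep state

# The only route to the web: DansGuardian on the gateway. HTTPS and FTP-over-
# proxy arrive here as CONNECT/GET requests, so nothing else needs 443.
pass in  on $int_if inet proto tcp from $internal_net to $gw_lan port $filter_port keep state

# Services the LAN may use without the proxy.
pass in  on $int_if inet proto tcp from $internal_net to any port $lan_direct keep state

# Direct 80/443 from the LAN is already caught by "block log all"; this rule
# gives those attempts their own rule number in pflog0 so they stand out.
block in log quick on $int_if inet proto tcp from $internal_net to any port { 80, 443 }

# The gateway's own processes (squid fetching on behalf of the filter) go out.
pass out on $ext_if inet keep state
```

With this set the transparent rdr is unnecessary, which is RW's argument: once direct web access is denied on the gateway, the browser has to carry proxy settings for https and FTP anyway, so it may as well carry them for http too. A host that strips its proxy settings or points at an outside proxy on an odd port hits the default block, and `tcpdump -n -e -ttt -i pflog0` shows which LAN address tried it.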