I finally got it done. I installed Squid/DansGuardian on my Debian NAT box, and it appears to be working. I brought this up on the list a couple months ago and so I thought I'd report here how it went. Details regarding my satisfaction with the quality of the service are forthcoming.
Although I started the process with an empty hard disk several months ago, I've only had a few spare moments to work on it. The whole process (including the Debian install) took probably 3 hours, with all of the proxy/filter stuff being done in about 1 hour. I could redo the whole thing (including the Debian install) in about 1 hour I think. Right now, I'm not subscribed to the DansGuardian blacklist for $5/month, but I plan to.

Here's a little recount of what I had to do to get it up and running:

1. Install Debian (testing branch)
2. Setup NAT (iptables: 4 lines)
3. Install Squid
4. Configure Squid (a little tricky) and setup transparent proxying
5. Install DansGuardian (almost no configuration necessary)

Here's a breakdown of what the various components do:

iptables: routes IP packets so you can masquerade (NAT) a connection for multiple client machines. This allows you to watch all traffic as it passes over your internet connection.

Squid: A proxy server. Technically, all Squid does is cache web pages that are commonly requested. So, if I hit http://uug.byu.edu/, Squid will store a copy of that page so that next time I hit the site, Squid will serve it to me instead of going all the way to Phantom. Squid alone does not do any filtering of content, but you can use it to deny web access to/from certain computers. By default it blocks all web traffic (a little annoying). So I had to tell it to allow traffic from my local subnet (192.168.2.*).

DansGuardian: Talks to Squid every time a page is requested. Your web connections are actually redirected to DansGuardian and DG talks to Squid. I'm not sure why Squid even needs to be there, but all the docs I've read say that it does. I guess this is because DG is not actually a proxy server. DG reads all the text on the page and computes (among other things) a naughtiness factor. Based on your configuration, you can set a tolerance for that naughtiness factor. If it exceeds your tolerance, it serves up an "access denied" page explaining to the user what happened. You can, of course, configure whitelist and blacklist sites, but there is no need to subscribe to the blacklist service to get DG up and running. It's a pretty nice bonus I've heard, however.

And that's pretty much it. I'm writing a formal HOWTO, cause I couldn't find a really good one that explained exactly what I wanted to do. In the meantime, if anyone wants to see config files, my iptables settings, etc, I'd be happy to post them.

--Dave

____________________
BYU Unix Users Group
http://uug.byu.edu/
___________________________________________________________________
List Info: http://uug.byu.edu/cgi-bin/mailman/listinfo/uug-list
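The five steps above (NAT via iptables, Squid allowing the local subnet, web traffic redirected into DansGuardian, DG forwarding to Squid) fit in one small script. The following is an added example written for this page; it is not Dave's config and not code from the Squid or DansGuardian projects. It prints the iptables rules and the Squid/DansGuardian settings as text so they can be reviewed before being applied as root. The interface names (eth0 upstream, eth1 LAN) are assumptions; 192.168.2.0/24 is the subnet Dave mentions; 8080 and 3128 are the stock DansGuardian `filterport` and Squid `http_port` values. Binding Squid to 127.0.0.1 and dropping LAN packets aimed straight at port 3128 are defensive choices added here so that clients cannot skip the filter by talking to Squid directly; they are not something the post describes.

```shell
#!/bin/sh
# Added example, not from the original post. Emits the NAT + transparent-proxy
# setup as reviewable text; "apply" runs it (requires root).

WAN_IF="${WAN_IF:-eth0}"               # assumed upstream (internet) interface
LAN_IF="${LAN_IF:-eth1}"               # assumed LAN interface
LAN_NET="${LAN_NET:-192.168.2.0/24}"   # subnet from the post
DG_PORT="${DG_PORT:-8080}"             # DansGuardian default filterport
SQUID_PORT="${SQUID_PORT:-3128}"       # Squid default http_port

# iptables rules: masquerade the LAN behind the WAN address, forward LAN->WAN and
# established replies, and redirect LAN port-80 requests into DansGuardian.
# The final rule stops LAN hosts from reaching Squid directly (bypassing DG).
nat_rules() {
    cat <<EOF
iptables -t nat -A POSTROUTING -o $WAN_IF -j MASQUERADE
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport 80 -j REDIRECT --to-port $DG_PORT
iptables -A INPUT -i $LAN_IF -p tcp --dport $SQUID_PORT -j DROP
EOF
}

# squid.conf fragment: listen on loopback only (DG runs on the same box) and
# allow localhost plus the local subnet, as the post describes, deny the rest.
squid_acl() {
    cat <<EOF
http_port 127.0.0.1:$SQUID_PORT
acl localhost src 127.0.0.1/32
acl localnet src $LAN_NET
http_access allow localhost
http_access allow localnet
http_access deny all
EOF
}

# dansguardian.conf fragment: where DG listens and which proxy it forwards to.
dg_settings() {
    cat <<EOF
filterport = $DG_PORT
proxyip = 127.0.0.1
proxyport = $SQUID_PORT
EOF
}

# Apply the iptables rules on this host. Refuses to run without root and
# enables IPv4 forwarding first, otherwise the NAT box will not route at all.
apply_rules() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_rules: must be run as root" >&2
        return 1
    fi
    sysctl -w net.ipv4.ip_forward=1
    nat_rules | sh -e
}

case "${1:-show}" in
    apply) apply_rules ;;
    *)     nat_rules; echo; squid_acl; echo; dg_settings ;;
esac
```

Run it with no arguments to print the three fragments, and `sh setup-proxy.sh apply` as root to load the firewall rules; the Squid and DG lines are meant to be pasted into the respective config files. Directive names for transparent mode differ between Squid releases (`transparent` on 2.6/3.0, `intercept` on 3.1 and later), so check the version shipped by your Debian branch before copying the `http_port` line verbatim.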
