<?xml version="1.0" encoding="UTF-8"?><!-- generator="lyceum/1.0.2" -->
<rss version="2.0" 
	xmlns:content="http://purl.org/rss/1.0/modules/content/">
<channel>
	<title>Comments on: How to use Squid as an easy web filter</title>
	<link>http://www.redhatmagazine.com/2007/08/31/how-to-use-squid-as-an-easy-web-filter/</link>
	<description>Red Hat Magazine</description>
	<pubDate>Mon,  6 Oct 2008 19:31:16 +0000</pubDate>
	<generator>http://lyceum.ibiblio.org/?v=1.0.2</generator>

	<item>
		<title>by: Kavesa</title>
		<link>http://www.redhatmagazine.com/2007/08/31/how-to-use-squid-as-an-easy-web-filter/#comment-77655</link>
		<pubDate>Mon, 05 May 2008 19:04:31 +0000</pubDate>
		<guid>http://www.redhatmagazine.com/2007/08/31/how-to-use-squid-as-an-easy-web-filter/#comment-77655</guid>
					<description>Nice guide.
Question: is there a way or wildcard that I could use in order to enable in the whitelist all domains ending on something? Like all .gov domains?
Thanks</description>
		<content:encoded><![CDATA[<p>Nice guide.<br />
Question: is there a way or wildcard that I could use in order to enable in the whitelist all domains ending on something? Like all .gov domains?<br />
Thanks
</p>
]]></content:encoded>
				</item>
	<item>
		<title>by: Ogdenous</title>
		<link>http://www.redhatmagazine.com/2007/08/31/how-to-use-squid-as-an-easy-web-filter/#comment-59415</link>
		<pubDate>Thu, 20 Mar 2008 18:17:27 +0000</pubDate>
		<guid>http://www.redhatmagazine.com/2007/08/31/how-to-use-squid-as-an-easy-web-filter/#comment-59415</guid>
					<description>If you want to force the proxy settings, assuming they use XP or Vista, just remove admin privileges from them, and log on as an admin and set up group policy to force proxy setting.  It will gray out the setting for them to change.</description>
		<content:encoded><![CDATA[<p>If you want to force the proxy settings, assuming they use XP or Vista, just remove admin privileges from them, and log on as an admin and set up group policy to force proxy setting.  It will gray out the setting for them to change.
</p>
]]></content:encoded>
				</item>
	<item>
		<title>by: smitty, jr</title>
		<link>http://www.redhatmagazine.com/2007/08/31/how-to-use-squid-as-an-easy-web-filter/#comment-46138</link>
		<pubDate>Sat, 12 Jan 2008 20:39:53 +0000</pubDate>
		<guid>http://www.redhatmagazine.com/2007/08/31/how-to-use-squid-as-an-easy-web-filter/#comment-46138</guid>
					<description>All you need to do is have your router block all outgoing traffic from everything except the proxy server. 

Then the only way out is thru the proxy. 

But is there a better solution than using a blacklist like http://squidguard.shalla.de/Downloads/shallalist.tar.gz ?

It eats my machine alive... :-(</description>
		<content:encoded><![CDATA[<p>All you need to do is have your router block all outgoing traffic from everything except the proxy server. </p>
<p>Then the only way out is thru the proxy. </p>
<p>But is there a better solution than using a blacklist like <a href="http://squidguard.shalla.de/Downloads/shallalist.tar.gz" rel="nofollow">http://squidguard.shalla.de/Downloads/shallalist.tar.gz</a> ?</p>
<p>It eats my machine alive&#8230; :-(
</p>
]]></content:encoded>
				</item>
	<item>
		<title>by: Lou</title>
		<link>http://www.redhatmagazine.com/2007/08/31/how-to-use-squid-as-an-easy-web-filter/#comment-45440</link>
		<pubDate>Wed, 09 Jan 2008 03:06:03 +0000</pubDate>
		<guid>http://www.redhatmagazine.com/2007/08/31/how-to-use-squid-as-an-easy-web-filter/#comment-45440</guid>
					<description>Great article. I was looking for an example to utilize squid for a white list of sites. I will implement squid with a python script to update the config to allow non-technical users to modify the white list.

Smitty ought to browse other sites if he does not care for the RH content. Perhaps we could have RH block him with SQUID even if it is ineffective. :)</description>
		<content:encoded><![CDATA[<p>Great article. I was looking for an example to utilize squid for a white list of sites. I will implement squid with a python script to update the config to allow non-technical users to modify the white list.</p>
<p>Smitty ought to browse other sites if he does not care for the RH content. Perhaps we could have RH block him with SQUID even if it is ineffective. :)
</p>
]]></content:encoded>
				</item>
	<item>
		<title>by: Henry Hertz Hobbit</title>
		<link>http://www.redhatmagazine.com/2007/08/31/how-to-use-squid-as-an-easy-web-filter/#comment-23855</link>
		<pubDate>Sat, 29 Sep 2007 07:40:30 +0000</pubDate>
		<guid>http://www.redhatmagazine.com/2007/08/31/how-to-use-squid-as-an-easy-web-filter/#comment-23855</guid>
					<description>You cannot do it with a chmod.  They can still move the folder and create another one.  What really needs to be done is the filter needs to be moved into an egress point (the Linksys router for a home situation).  The sad thing is that people don't understand that porn is three to five times riskier than the Internet at large.  And like I just told somebody else, I have caught them stuffing garbage into the .mozilla folder on Linux (not just with porn sites).  In other words the perps are moving their bad stuff into the Linux world.  It is usually Java / JavaScript that is being abused.  You need to make it something that is NOT on the machine being used and no matter what you do to that machine the filter remains active.  Perhaps Snort running on a transparent firewall machine with locked box where it goes out to the Internet.

It looks like we got some really good thinking going.  Just remember to pull what I have ASAP because I am out of money and out of time and haven't worked for eleven years.  If you want to know why contact me directly.

Thanks for the good ideas.
</description>
		<content:encoded><![CDATA[<p>You cannot do it with a chmod.  They can still move the folder and create another one.  What really needs to be done is the filter needs to be moved into an egress point (the Linksys router for a home situation).  The sad thing is that people don&#8217;t understand that porn is three to five times riskier than the Internet at large.  And like I just told somebody else, I have caught them stuffing garbage into the .mozilla folder on Linux (not just with porn sites).  In other words the perps are moving their bad stuff into the Linux world.  It is usually Java / JavaScript that is being abused.  You need to make it something that is NOT on the machine being used and no matter what you do to that machine the filter remains active.  Perhaps Snort running on a transparent firewall machine with locked box where it goes out to the Internet.</p>
<p>It looks like we got some really good thinking going.  Just remember to pull what I have ASAP because I am out of money and out of time and haven&#8217;t worked for eleven years.  If you want to know why contact me directly.</p>
<p>Thanks for the good ideas.
</p>
]]></content:encoded>
				</item>
	<item>
		<title>by: Guy</title>
		<link>http://www.redhatmagazine.com/2007/08/31/how-to-use-squid-as-an-easy-web-filter/#comment-22666</link>
		<pubDate>Thu, 20 Sep 2007 17:03:37 +0000</pubDate>
		<guid>http://www.redhatmagazine.com/2007/08/31/how-to-use-squid-as-an-easy-web-filter/#comment-22666</guid>
					<description>chasq

I think you are correct, and have explained some important features. To add to what you have already accomplished, it may be possible for you to configure your network to direct all HTTP requests through squid, and eliminate the manual proxy configuration. As a network administrator I come across some inventive people who endeavor to thwart any measure meant to keep them from doing things they are not allowed to do. One of the things you may need to do is track HTML access rather than HTTP access, which is called "Level 4" or application layer filtering. I have not attempted to do this with open source products, but it should be possible. Alternatively you can use open source software such as ngrep to "watch" for HTML that is not on TCP port 80; port 443 is much more difficult because it is encrypted. Some porn sites are designed to use alternative ports to enable people to access porn from work, where most systems only filter port 80. One way to find such sites is to examine the history and the bookmarks on the computer and look for a port designator such as "http://www.nastysite.cc:69/" where the ":69" is the port used to access the site instead of port 80.

I hope this helps some of you in your attempt to enforce the rules you have made aware to those you are restricting.
</description>
		<content:encoded><![CDATA[<p>chasq</p>
<p>I think you are correct, and have explained some important features. To add to what you have already accomplished, it may be possible for you to configure your network to direct all HTTP requests through squid, and eliminate the manual proxy configuration. As a network administrator I come across some inventive people who endeavor to thwart any measure meant to keep them from doing things they are not allowed to do. One of the things you may need to do is track HTML access rather than HTTP access, which is called &#8220;Level 4&#8221; or application layer filtering. I have not attempted to do this with open source products, but it should be possible. Alternatively you can use open source software such as ngrep to &#8220;watch&#8221; for HTML that is not on TCP port 80; port 443 is much more difficult because it is encrypted. Some porn sites are designed to use alternative ports to enable people to access porn from work, where most systems only filter port 80. One way to find such sites is to examine the history and the bookmarks on the computer and look for a port designator such as &#8220;http://www.nastysite.cc:69/&#8221; where the &#8220;:69&#8221; is the port used to access the site instead of port 80.</p>
<p>I hope this helps some of you in your attempt to enforce the rules you have made aware to those you are restricting.
</p>
]]></content:encoded>
				</item>
	<item>
		<title>by: chasq</title>
		<link>http://www.redhatmagazine.com/2007/08/31/how-to-use-squid-as-an-easy-web-filter/#comment-22579</link>
		<pubDate>Wed, 19 Sep 2007 23:39:53 +0000</pubDate>
		<guid>http://www.redhatmagazine.com/2007/08/31/how-to-use-squid-as-an-easy-web-filter/#comment-22579</guid>
					<description>Great article about a topic near and dear to my heart. I have three sons, from 11 to 16 and believe me before I installed Squid, if you typed Ctrl-h in one of their browser sessions, your jaw would drop. That's just from the names of these porn sites. So I installed Squid on my file server and configured their browsers to use it to connect to the Internet. They haven't figured out that they can simply turn off the proxy.

Next, I bought a copy of 'Squid, the Definitive Guide' published by O'Reilly. You really shouldn't deploy Squid without this book. With this book you will learn how to set up filters, both time of day, workstation and URLs. And you will learn that you can point Squid to separate text files containing blacklists or regex expressions that can filter out bad words in URLs.

What I have done is grepped through the Squid logs for file extensions like .jpg and .gif. The part of the name to the left of the dot will clue you in if this is a porn site or something more appropriate like models, sports or racing. Of course you need to grep for the bad words, too. It is very enlightening to discover how varied and clever these porn guys are. Then I add the new sites to my pornhosts text file and tell Squid to re-read its config file.

Sure, it is a pain to maintain your own blacklist. But when you show the contents to other parents, they instantly realize how big a problem this is. IMHO, Squid is one of the best Open Source success stories out there.</description>
		<content:encoded><![CDATA[<p>Great article about a topic near and dear to my heart. I have three sons, from 11 to 16 and believe me before I installed Squid, if you typed Ctrl-h in one of their browser sessions, your jaw would drop. That&#8217;s just from the names of these porn sites. So I installed Squid on my file server and configured their browsers to use it to connect to the Internet. They haven&#8217;t figured out that they can simply turn off the proxy.</p>
<p>Next, I bought a copy of &#8216;Squid, the Definitive Guide&#8217; published by O&#8217;Reilly. You really shouldn&#8217;t deploy Squid without this book. With this book you will learn how to set up filters, both time of day, workstation and URLs. And you will learn that you can point Squid to separate text files containing blacklists or regex expressions that can filter out bad words in URLs.</p>
<p>What I have done is grepped through the Squid logs for file extensions like .jpg and .gif. The part of the name to the left of the dot will clue you in if this is a porn site or something more appropriate like models, sports or racing. Of course you need to grep for the bad words, too. It is very enlightening to discover how varied and clever these porn guys are. Then I add the new sites to my pornhosts text file and tell Squid to re-read its config file.</p>
<p>Sure, it is a pain to maintain your own blacklist. But when you show the contents to other parents, they instantly realize how big a problem this is. IMHO, Squid is one of the best Open Source success stories out there.
</p>
]]></content:encoded>
				</item>
	<item>
		<title>by: STOO</title>
		<link>http://www.redhatmagazine.com/2007/08/31/how-to-use-squid-as-an-easy-web-filter/#comment-22569</link>
		<pubDate>Wed, 19 Sep 2007 20:47:43 +0000</pubDate>
		<guid>http://www.redhatmagazine.com/2007/08/31/how-to-use-squid-as-an-easy-web-filter/#comment-22569</guid>
					<description>You might like to check out...

http://dansguardian.org/
</description>
		<content:encoded><![CDATA[<p>You might like to check out&#8230;</p>
<p><a href="http://dansguardian.org/" rel="nofollow">http://dansguardian.org/</a>
</p>
]]></content:encoded>
				</item>
</channel>
</rss>
