Gentoo Forums
HOWTO: A parent's guide to Linux Web filtering
dem1an
n00b

Joined: 14 May 2002
Posts: 28

Posted: Fri Aug 25, 2006 10:33 pm

Is there a way to direct all the web traffic from my router with port forwarding to my linux box and then have all the computers in the house point to my linux box, which then filters the content? I'm setting up a linux box for a server anyhow and this would be a nice bonus.

thanks,
dem

tecta
n00b

Joined: 03 Jun 2005
Posts: 20

Posted: Wed Sep 06, 2006 12:09 am

I honestly think if your box is running linux, you shouldn't worry about viruses, malware, etc... Also, web-filtering blocks your kid's mind from knowledge. Most of the reasons kids are getting more into computers these days and smarter with them is because their parents let them have full access to them. Anyways if they want to look at porn when no one is around (not at school of course) but let them... it's their personal business.

batistuta
Veteran

Joined: 29 Jul 2005
Posts: 1384
Location: Aachen

Posted: Wed Sep 06, 2006 9:54 am

You are assuming that everyone uses web filtering to forbid people from doing things. I use it to protect my parents from unintentionally downloading stuff they don't want. They use Windows, so malware+viruses are a problem. And NO, they won't switch to Linux. And they shouldn't. They are happy with Windows. For them, it is much better than Linux so let them be.

winbots
n00b

Joined: 16 Sep 2006
Posts: 2

Posted: Sat Sep 16, 2006 11:27 pm

mdeininger wrote:
I'd like to point out that web content *filtering* is something you really shouldn't be doing as a *parent* -- ever!
Now, before you start flaming, hear me out!
As a parent, you will probably want to protect your child from something that you think to be inappropriate content. That's fine -- that's your job. It's your responsibility to do it. Your kids need to use the internet for all sorts of things -- from doing research for homework to chatting with friends. Since there's a lot of inappropriate content on the internet, you thus need to make sure they don't get there. The only way to really do this is *sitting next to your kids while they surf*. Automatic filtering software like Dansguardian will never work properly for two simple reasons:

a) The software is a very stupid bugger. It doesn't know what's appropriate, so it basically does word counting and some heuristics to figure out if content is appropriate (unless the content is marked with certain tags, which isn't very likely). Word counting will never really work properly. You get a lot of false positives -- you get a lot of false negatives. Right now I work at a state school as a systems administrator, and we do use dansguardian because some laws require us to make sure the kids are supervised while surfing and we can't afford to have 4 or more teachers in one computer room along with the classes to make sure they don't pull odd moves. As one of the network administrators, my job -- among other things -- is rereading the logfiles of Dansguardian and finding out if some of the kids are looking for porn or DIY bombing kit instructions. Now guess what 99.9% of the time gets stuck in the filter? Educational articles on biology and chemistry, sites that contain news articles on things like homosexual marriage laws, and the like. Once I even found hits on one of our more liberal political parties' website, which was completely okay and appropriate! Is that the type of things you want to protect your kids from? I don't think so. You will likely try to protect them from badbad movies and picture galleries. I took the test, that doesn't work. You can't ban video files, and the filter isn't likely to detect picture galleries as bad unless they contain a lot of pornographic advertisements. Not that this would be of any use, since you mostly need a credit card to enter sites like that in the first place! Now, thinking of something like "webpagesthatsuck.com", I come to my other point...

b) ..., which is that your kids are likely smarter than you with computers and it's fairly easy to circumvent lousy protections like these. I know you really don't want to hear things like that, but I can tell you from experience that kids get very creative when it comes to trying to get somewhere they're not supposed to. When I was still going to grammar school, being a 13 year old smartypants, we were allowed to surf the net whenever we felt like it. There was one room with a handful of computers for us pupils and you could borrow the key whenever you had nothing to do and wanted to surf the net. At first, we had only some very cheap firewall, with everything except port 80 being locked so we couldn't chat on Jabber/IRC/ICQ/AIM/Yahoo/MSN/whatever. Well, that was unless you knew one of the many thousand public proxies to use that were on port 80, then it was easy to get around that... Then some teacher complained that he wasn't able to get material off an FTP server, and our computer guy decided to drop the firewall completely, leaving us with access to everything. Then another guy came along and wanted some sort of adult-material-filter, which meant everything was free, except for ports 80, 3128 and 8080 which all went to a local transparent proxy that checked the content, much like this one. Well, kids like me that had a computer at home didn't find it very difficult to just set up a proxy at home on some port like 8000 instead of 8080. Then you just use something like dyndns and add your home-router-thing as your local proxy, and once again you were able to surf everything without getting annoying "access denied"-pages. Then our teacher did something inherently stupid: he blocked access to every access to the outside world unless it went through the proxy. I noticed that because it ever so much annoyed me that I couldn't SSH home. But, guess what, the proxy allowed CONNECTs! 
You could do everything you wanted through the local proxy, like using SSH, if you just did some fancy routing/tunnelling (I wrote a Howto on something similar somewhere in this forum. You really only need one free port to do nat through an outside box and circumvent any type of filter in between).
Well, you might of course prevent your child from acquiring these skills with all the false positives going off at random (that Howto/technical document on networking might be on a server that uses adult advertisements to stay afloat after all... or just plain sites like the one I mentioned earlier that gets banned rather often because of words like "sucker"), but since I was able to do all this with 13, your child might as well be, and then you wouldn't even have a chance.

Now, if you also remember that most adult material -- like porn, or songs with badbad lyrics that were on CDs with a "parental advisory"-sticker -- aren't even gotten off the web (ugh, I hate that word, it sounds so wrong), but instead off networks like eDonkey, GNUtella, BitTorrent or good old Usenet and IRC -- maybe even via instant messenger services (I had a buddy on AIM that would always send me odd pictures every other day), and that you can almost always connect to services like that with a little bit of skill in networks and either a rented rootbox or some friend that's willing to run a proxy for you, then you will hopefully give up futile attempts like content filtering. The best they can do is annoy the kids if they got some smarts at all -- or *you*. Imagine you want to do research on the net and then get a completely legitimate site banned because the writer of the article doesn't share your idea of what's appropriate and what isn't and didn't mind "four-letter-words", or his webspace provider placed porn ads on the poor guy's site. You might even end up not being able to read your eMail via webmail because of spam mail with explicit subject lines being listed in your inbox overview!

*Don't do it*! Either only let your kids browse the web while you're sitting next to them or don't overprotect them from "inappropriate content". It's futile, really, unless your filter has its own AI that really understands your goals!

(sorry for that long post, but sissy stuff like that really gets me started)

P.S.: still a good howto, honestly, and the bits on setting up a transparent proxy and the possibility to make dansguardian check for viruses on the fly along with squid being able to decrease your consumed bandwidth make it rather useful a thing to do, just don't be naive and use it to "protect" your kids.

Good points, however, the way my setup works is it shows a "blocked" page with a "go there anyway" link, then I go through the logs for denied pages, and ask questions if I find bad stuff in it. Also, I like it because personally I would rather not look at some of the junk on the internet. My setup also does virus scanning, so I like that too.

Uppi
n00b

Joined: 06 Jan 2004
Posts: 17

Posted: Sat Sep 16, 2006 11:58 pm

dem1an wrote:
Is there a way to direct all the web traffic from my router with port forwarding to my linux box and then have all the computers in the house point to my linux box, which then filters the content? I'm setting up a linux box for a server anyhow and this would be a nice bonus.

thanks,
dem


Yes, if it is a LAN you can plug two ethernet cards into your linux box and give them IPs on different subnets. The router and one card are on one subnet and the other card is in one subnet with the other computers. Then you have to disable DHCP on the router, enable it on the linux box and configure the linux box to route the traffic between the subnets.

Anyone knowing enough about networking would be able to bypass this setup though. To prevent this you would have to physically separate the subnets.

I don't know if there is a way with only one ethernet card and this won't work if the computers connect to the router by WLAN.

Redeeman
l33t

Joined: 25 Sep 2003
Posts: 957
Location: Denmark

Posted: Wed Sep 27, 2006 5:58 am

Generally I don't believe censoring and all sorts of similar things is the way to go.. just.. don't bother.
_________________
Sandberg Enterprises

GreenPenInc
Tux's lil' helper

Joined: 26 Jan 2005
Posts: 122

Posted: Thu Dec 14, 2006 2:46 pm

This FAQ won't work with the new version of squid. Can somebody please help me figure out how to change the offending squid lines?

https://forums.gentoo.org/viewtopic-t-523553-highlight-.html
_________________
_-(GPI)-_

fbcyborg
Advocate

Joined: 16 Oct 2005
Posts: 3056
Location: ROMA

Posted: Tue May 05, 2009 7:45 am

Hello,

I'm trying to start squid with these three options:
Code:
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

But when squid tries to start, I get the following:
Code:
2009/05/05 09:40:16| cache_cf.cc(346) squid.conf:884 unrecognized: 'httpd_accel_host'
2009/05/05 09:40:16| cache_cf.cc(346) squid.conf:885 unrecognized: 'httpd_accel_port'
2009/05/05 09:40:16| cache_cf.cc(346) squid.conf:886 unrecognized: 'httpd_accel_with_proxy'
2009/05/05 09:40:16| cache_cf.cc(346) squid.conf:887 unrecognized: 'httpd_accel_uses_host_header'   


EDIT
Something has changed:
accelerator mode cleaned up, using the design from the rproxy development branch
Quote:

* The httpd_accel_* directives is now gone, replaced by http(s)_port options and cache_peer based request forwarding.
* The http(s)_port options has a list of new options for controlling the type and mode of port created with respect to
    o transparent proxying
    o plain acceleration
    o host header based acceleration
    o normal proxying (default)

_________________
[HOWTO] How to encrypt /home using cryptsetup and LUKS
[HOWTO] Enabling XEN dom0 support on 3.X kernels
Help answer the unanswered
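
The change quoted in the post above, written out as a squid.conf fragment. This is an added example, not configuration from the posts or from the HOWTO; port 3128, the 192.168.1.0/24 range and the ACL name localnet are assumptions, and the fragment relies on the catch-all `all` ACL of the stock squid.conf. It also limits CONNECT to port 443, the setting that matters for the tunnelling through CONNECT described in the mdeininger quote earlier in the thread.

```conf
# squid.conf fragment for Squid 2.6 and later (added example; merge into your own file).

# Before: directives from older Squid releases. They no longer exist and
# produce the "unrecognized" parse errors shown above. Delete them.
#   httpd_accel_host virtual
#   httpd_accel_port 80
#   httpd_accel_with_proxy on
#   httpd_accel_uses_host_header on

# After: interception is an option on the listening port itself.
# Squid 3.1 and later spell the option "intercept" instead of "transparent".
http_port 3128 transparent

# Interception still needs a packet-filter rule on the proxy host that
# redirects the LAN's outbound port-80 traffic to this port.

# Assumed LAN range; replace with the subnet behind the filtering box.
acl localnet src 192.168.1.0/24

# CONNECT opens an opaque tunnel that the content filter cannot inspect,
# so allow it only to the HTTPS port.
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access deny CONNECT !SSL_ports

# Serve the LAN and refuse everyone else. Order matters: the first
# matching http_access line decides.
http_access allow localnet
http_access deny all
```

Running `squid -k parse` after the edit reports any directive the installed version still rejects.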

iamboredr
n00b

Joined: 09 May 2009
Posts: 10

Posted: Sat May 09, 2009 7:09 pm

We have a squid cache too. Same as that, it really helps in maintaining LAN stability and ethernet.

All times are GMT