Domain: squidguard.org
Stories and comments across the archive that link to squidguard.org.
Comments · 43
-
Squid Proxy or K9 or throw in the towel
Make the subnet the school's machines are on unroutable. Set up a squid http://www.squid-cache./ proxy and use http://www.squidguard.org/ http://www.squid-cache.org/. Point all machines at the squid cache. It is how my friend got through teen years with his kids. The easier approach: K9 Web Protection - Free Internet Filter and Parental Control
... www.k9webprotection.com/ is another interesting choice. Still a lot of arguments are correct, sometimes it isn't worth trying to sanitize things, better to try to learn about them. -
I'm surprised that this hasn't been mentioned.
It's what I use at home for my kids. No, it's not perfect, but along with some good URL re-write rules, you can't get to any porn unless you REALLY try.
-
How about a proxy?
If the OP is using a linux router/gateway machine, why not use something as simple as squid-guard?
http://www.squidguard.org/
http://www.squid-cache.org/
Blacklists here: http://www.shallalist.de/
It allows for customization (trusted/untrusted) and seems to be very effective. Good luck! -
Re:Oh no...
Anyways, I just think if you are for censorship you should be helping people make a "better mousetrap" so what is deemed valid material isn't getting blocked.
I agree if, and only if, they will implement it within their own homes, not on the public "series of tubes." [Ted Stevens, convicted felon and current candidate for US Senate from Alaska] Anybody who is not really concerned enough about what your children can access to take care of it yourself, get the hell out of my way. 333MHz is enough to run a filtering proxy server for anybody's home. Nothing is preventing you from protecting your own children from the Internet, but your own damned sloth.
-
Re:Next up, censoring "backup tools"
I am not saying this information should be banned. I just think that the information shouldn't be so accessible that an 8-year-old can just click a link and see the best way to bomb something.
Parents are responsible for limiting their 8-year-olds' access. That's not my responsibility until I have an 8-year-old of my own. And to the complaint that kids should be able to benefit from the educational potential of the Internet, without danger of being exposed to objectionable material, that is possible, too. You just need to learn how to use something like this on computers you own. It's not my duty to do it for you. It's your responsibility to look after the children you claim as tax deductions.
-
If I had done it
As everyone has pointed out, there is nothing you can do on a machine which the child has physical access to to do what is requested.
But a separate firewall and proxy that can be locked away can do the job. If the DSL modem (or whatever) and a firewall and proxy server (say smoothwall running on old hardware) are in a room that can be locked then you can force all port 80 traffic to go through a proxy that uses something like SquidGuard. You can also have a default deny policy for outbound traffic so that you select what sorts of services are available.
Of course a determined teenager will learn about third party proxies (the same kinds of things people set up to assist those getting around the Great Firewall of China). But, of course, one can log the web traffic to try to detect these and end up playing whack-a-mole.
As for the rightness of doing this sort of thing, I don't find it so clear cut. My daughter is turning nine tomorrow. We've already told her more than she really wanted to know about how babies are made (she did ask). And she knows in principle about contraceptives (she asked about a particular scene in Grease), but we've got a few years before she'll need practical instructions. She is still in the "yuck" phase, but things will change.
I'm not really concerned about anything she might see or read out there now or later. But my concern is about who she interacts with. On the Internet nobody knows you're a dog, and so really what I'm concerned about is getting her to follow a "don't meet or give too much information to someone without me or my wife checking it out first" rule. I think that that is a kind of rule that is easy to break once you no longer think of some on-line persona as a friend. Does this mean that I'll be snooping in on her chats and email? I hate the idea of doing that, but I'm not ruling it out either.
-
Re:more of a pain than its worth
I work at a high school. For our internet everything goes through DansGuardian (transparently, and all other ports are blocked). For blacklists I use URL Blacklist (Commercial, but inexpensive) and Shalla's Blacklists (free for non-commercial use). Shalla's Blacklist occasionally overblocks, but if you submit the error to the feedback form it's fixed by the next day.
DansGuardian's content analysis tends to be fairly accurate. The blacklists are there for stuff it doesn't catch or for specific sites we need to block (ie, MySpace).
One thing I love about this is the software is GPL'd and the blacklists are human readable text files. Both lists respond to feedback very quickly. Plus, you have the power of Squid to control every possible detail. I can allow/block certain sites/categories based on user, network, computer, day, time, or any combination of those.
I know the accuracy because I read the reports from Lire (log reporter) every morning. -
Lack of standards + arrogance
That is in my opinion the most important flaw within the OSS community, the thing in which many commercial approaches excel but that is something most people don't wish to hear because "commercial = bad". It would help to keep an open mind and look and learn before you judge, but I guess that is also something not many people of us are capable of.
I can't help wonder how long this comedy has to continue before people will finally realize that some things are best adopted instead of mocked. In my opinion this kernel incident is no different. "Homeostasis and Transisstasis". One is the power for change while the other is the power for maintaining the same. Unrelated psycho mumbo jumbo I hear you think? Well, what about that marvelous piece of work (you probably won't find a distro without it) the BerkeleyDB? It's almost as if every released version is incompatible with the previous one. If you don't believe me try installing SquidGuard with the current BerkeleyDB. Or simply stop and wonder why your distribution keeps several versions of the same product around.
This is but a single program, now what about some strict standards? SuSE tried to introduce some standard with regards to administration (Yast being in control; changes should be done through yast all the time, even overruling manual changes) making it possibly a very solid basis for your average workstation. Like being able to administrate and roll out standards through the use of AD. Or what about Java? The so called "free java" is also breaking standards. Of course these free tools were needed because you can't distribute Java. Really, is that so? When I look at the license all I see is that they don't allow you to ship additional software which will replace parts of the environment. So distributing JRE and kaffe wouldn't be allowed. But what is the use of kaffe if you have the original?
And now the same issue is manifesting itself in the kernel development itself. Change after change and no one seems to care about setting certain standards. Even the well appreciated previous standard on separation between stable and unstable has been thrown in the bucket for no other reason than "we don't feel like it anymore". And this is exactly the thing which makes OSS unreliable in the eyes of many.
I'm not condemning this per se since it is but a hobby (although people sure don't like to profile it this way anymore) but I do think people should realize this before they start barking up other people's legs for trying to maintain certain standards, enforced if need to. "Everything should be free?", maybe that is a noble cause but throwing smoothly working things in the pools of chaos and cheering that it is now free while the product itself as it once was is utterly destroyed isn't always the best way.
So in the case of the kernel development I'd say set up some (new?) standards and this time STICK with them instead of dropping whatever you build simply because you don't feel like it anymore. Only then will you last a whole lot longer and will it even survive when Linus stops caring about all this. But in any other situation I foresee Linux exploding (splintering into many factions and ideas) due to several people trying to oppose several "standards" because they simply "don't feel like it". -
Re:Problem with hosts...
squidGuard was doing that years ago (2001). Great reason to use a local proxy.
-
Squidguard
This is not a perfect solution for your needs, but it's not too far off. squidguard offers time based allowances (only surf the web from 5pm to 7pm nightly). The way to implement it is to put squid with squidguard on the proxy/firewall. Force all traffic through the firewall, and block all ports traversing the firewall (force them through the proxy). Set up squid to force authentication, with the appropriate timings and allowances in squidguard for each account. I do something similar at home for my children, but instead I only allow them a whitelist of sites to access (Disney, Nickelodeon, etc.). Works very well. There are *very* few ways around it, and when my kids get smart enough to tunnel out, I'll just use more l337 solutions :-) -
Re:That's...
...or maybe you should use the right tool for the job? Just install squidGuard, add a rewrite section as so:
rew slashdot {
s@it.slashdot.org@slashdot.org@
log slashdot.log
}
and add it to your acl section. Then whenever your proxy encounters it.slashdot.org/blah, it's rewritten as slashdot.org/blah. You can obviously do this for any section, and you don't need to set up all your web browsers with an ugly javascript hack! -
Why not use squidguard?
Just add a rewrite rule to your squidGuard config file as so:
rew slashdot {
s@it.slashdot.org@slashdot.org@
}
and you'll never have to see the yellow scheme again. In fact you could add it for any scheme you don't like on Slashdot... Simple! -
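The rewrite rule from the two comments above, checked against a few URLs, as an added example that is not part of any comment in this archive: the pattern in s@it.slashdot.org@slashdot.org@ is an unanchored regular expression, so it also alters URLs that merely contain those characters. Assumptions: Python's re stands in for squidGuard's regex engine, only the first match is replaced, and the sample URLs and the anchored rule are constructed for illustration.

```python
import re
from typing import List, NamedTuple, Optional
from urllib.parse import urlsplit


class RewriteRule(NamedTuple):
    pattern: re.Pattern
    replacement: str
    redirect: Optional[int]  # 302 for 'r', 301 for 'R', None for a silent rewrite


def parse_rule(line: str) -> RewriteRule:
    """Parse one sed-style s@from@to@flags line from a rew { } block."""
    line = line.strip()
    if len(line) < 2 or line[0] != "s":
        raise ValueError(f"not a substitution rule: {line!r}")
    parts = line[2:].split(line[1])  # line[1] is the delimiter, '@' on this page
    if len(parts) != 3:
        raise ValueError(f"expected s@from@to@flags, got: {line!r}")
    pattern, replacement, flags = parts
    if set(flags) - set("irR"):
        raise ValueError(f"unknown flag in: {line!r}")
    redirect = 301 if "R" in flags else 302 if "r" in flags else None
    compiled = re.compile(pattern, re.IGNORECASE if "i" in flags else 0)
    return RewriteRule(compiled, replacement, redirect)


def rewrite(rule: RewriteRule, url: str) -> str:
    """Replace the first match; the lambda keeps the replacement text literal."""
    return rule.pattern.sub(lambda _m: rule.replacement, url, count=1)


def unintended_rewrites(rule_line: str, urls: List[str], intended_host: str) -> List[str]:
    """Return the URLs the rule changes although their host is not the intended one."""
    rule = parse_rule(rule_line)
    return [u for u in urls
            if rewrite(rule, u) != u and urlsplit(u).hostname != intended_host]


# Rule as posted in the comments above.
PAGE_RULE = "s@it.slashdot.org@slashdot.org@"
# Constructed stricter variant: anchored at the start, dots escaped.
ANCHORED_RULE = r"s@^http://it\.slashdot\.org/@http://slashdot.org/@i"

# Constructed sample URLs (not taken from any log).
SAMPLE_URLS = [
    "http://it.slashdot.org/story/1",                   # the intended target
    "http://submit.slashdot.org/new",                   # host merely ends in "it."
    "http://example.test/?ref=http://it.slashdot.org/", # match inside a query string
    "http://itxslashdot.org/",                          # '.' matches any character
]

if __name__ == "__main__":
    for name, line in (("posted", PAGE_RULE), ("anchored", ANCHORED_RULE)):
        rule = parse_rule(line)
        print(f"--- {name}: {line}")
        for url in SAMPLE_URLS:
            print(f"{url} -> {rewrite(rule, url)}")
        print("unintended:", unintended_rewrites(line, SAMPLE_URLS, "it.slashdot.org"))
```

With the posted rule, a request for submit.slashdot.org is rewritten to a host that does not exist; the anchored variant touches only the intended host.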
firewall, dansguardian and squidguard
I'm using Internet very carefully and never catch any viruses, neither through email or web. I do lots of web-administration and web-development, I guess that explains it. But recently my family gets more and more to use Internet and I've started bringing some immunization software into my house. Of course, having several computers forced me to choose something that I would install once instead of several times.
After getting our email protected with Postfix+Amavisd-new+Clamav+SpamAssassin+F-prot I asked myself: is it possible to get same quality protection for the web-surfing?
And the answer is Yes! It is possible. Now I am using Squid along with Dansguardian and Squidguard. Working together they are catching 99% of all adware/spyware malicious scriptlets. Also they remove annoying banners and give us the required level of the parent control.
Dansguardian integrates with PICS, Platform for Internet Content Selection, which was originally designed to help parents and teachers control what children access on the Internet, but it also facilitates other uses for labels, including code signing and privacy. The PICS platform is one on which other rating services and filtering software have been built.
Unfortunately Squidguard is getting out of its support by its original developers. It's getting more and more false-negatives (up-to 30% was complained on Gentoo forums), but it's still better to have it.
Now I am bringing same protection to the company network at work and they are happy of that.
My point is to protect your network rather than individual computers. Windows based PC are unsecure per se. Besides it is a hassle to go to each PC and install different types of filtering software (especially when you have to support 3 or more different client OSes, like win98, win2k and MacOS).
-
Re:Low risk
It doesn't seem to be using any particular vulnerabilities in MSN. It depends on users to click on a URL they receive in a message.
So that is easy to fix by adding an item to my SquidGuard http://www.squidguard.org/ database.
-
802.11a vs. 802.11b/g
I'd never consider 802.11a at this point, the marketshare is all in 802.11b.
So, the next question is, should you go 802.11g (~54mbit), which is backward compatible with 802.11b?
How fast is your internet access going to be? Is it even going to be faster than 802.11b will provide (11mbit)? If users want to do laptop to laptop transfers, they should just use a crossover ethernet cable (100mbit). Hint: Most ADSL is 384kbit and will let you grab ~1mbit when things aren't busy at the ISP. 1mbit is "fast" for most folks.
IMHO, the owner should just see it as a way to increase his customer base for his existing revenue model, and have a cool thing to do when things are slow (but need to keep the other employees in check if things aren't getting done and he's not there all the time).
Further, I'd suggest a caching engine like Squid, which can help with content filtering as well (say for employees, make them login before they can surf so you can track their time, etc.). Squidguard is my filter preference for filtering and there are many free content DBs online.
I'd be filtering porn sites, probably gambling, probably hate sites, etc., as I'd not want one customer offending another with graphic images. Of course, you could say MYOB and tell the guy to sit where no one can see his laptop, whatever...
NoCat is a good authentication model as well just so you can track folks in case something illegal is taking place. -
squidGuard
Geez, nobody mentioned squidGuard yet?
-
Proxy 'solution' to the MSN 'problem'
Using Squid Proxy with squidGuard one can simply re-write MSN searches and direct them to Google... Saves changing the default IE homepage and installing the google search bar as well:
rew srch-engines {
s@http://search.msn.com@http://www.google.com@ir
s@http://www.msn.com@http://news.google.com@iR
s@http://msn.com@http://news.google.com@iR
}
It's rather slick, if you ask me. -
All I Have to Say is:
God Bless SquidGuard.
-
Re:Until the schools begin blocking, that is.....
In order to comply with CIPA, we were forced to begin filtering internet access at our schools or risk losing funding. We chose squidGuard due to its ease of configuration, transparent-ness and cost (free).
-
Re:Why not an opensource solution?
why not create an open-source filter for libraries to use?
You mean like SquidGuard?, with its associated blacklist? -
SquidGuard
SquidGuard is a filter that works with squid. It has a list of approximately 100,000 entries in their list of blacklisted pornographic sites. They make it easy for an administrator to unblock a site.
-
Re:What an absolutely idiotic idea
While we may disagree with the idea, as a person who is looking to become a parent in the next couple of years, this is a good idea. Have you seen kids on the Internet? They are very gullible, being brought up in the age of computers. They truly believe that they know all there is about computers and the adults have no idea how to use technology. They click on a ton of pop-ups, especially the ones that try to trick the user (You've got e-mail).
If you don't like it, don't go there, but let parents choose what forms of protection for their kids. (And here I am dreading the day I'm going to have to install Squid and SquidGuard on my home network).
-
Re:Other avenues of attack . . .
While this will stop the 99% of people harmlessly using webmail, it will not touch the 1% who're technically clued and determined to get around it, be it to just read their mail, or to do malicious damage.
I have admin'ed several websense boxes (as well as multiple other proxies.) I am a network/security consultant, and the first point I make to any of my customers who want to use an internet control mechanism (i.e. filtering proxy) is that anyone sufficiently determined will get around it--don't try to solve non-technical problems with technology.
In short, websense makes managers feel good, but it does not work. It doesn't work for SSH port forwarders, it'll work even less once distributed proxy avoidance toys like Triangle Boy gain widespread use, and it'll completely break down once .NET and friends get spinning (read the part where proxy avoidance is explicitly mentioned in .NET docs.)
At this point, I should probably mention that almost all filtering software works very similarly, that is, it draws from combinations of blacklists meticulously compiled by cat-eyed librarian types trolling for smut, keyword lists, file extensions and content signatures (breaks down with encrypted files, unless you just want to block everything you don't recognize) and sometimes some sort of gimcrackery involving content pattern matching (such as the company claiming to be able to detect porn pictures from the amount of flesh.) The latter rarely work correctly.
That said, you're just as well off using something free, like DansGuardian or SquidGuard with one of the myriad of free filter lists they link to--assuming you can give your management the same feelgood effect from something free or cheap that they'd normally get from forking out $30k upwards to a company like WebSense.
By the way, did I mention that there is no IDS product which can consistently and reliably detect HTTPS-tunneled SSH traffic based on packet (or even stream) signatures?
In short, your idea for blocking webmail sites works, as long as your only goal is to prevent the casual user from getting at viruses and other Bad Things (tm) by means other than the corporate sanctioned means, like your local Exchange server. Good Luck!
:-)
-
Re:Hey, I just work there
The SquidGuard Blacklist
I hope this helps. This seems like the closest thing to a free version of those proprietary services you speak of. -
Re:Hey, I just work there
-
Save your eyes!
Don't gripe! No one has to view ad banners! With Squid Cache and Squid Guard running on your Linux/BSD/Mac OS X (where I use it) box, you never have to view ad banners again. In this case, all you have to add to your "Domain" list in Squid Guard (if you have it set up to block) is "us.a1.yimg.com" (without the quotes) and you will never know that Yahoo has banner ads. I replace all the banner ads with a 1x1 transparent gif.
Using this system also greatly speeds up my web access as I am no longer pulling tons of ads everyday.
-
Re:Not commercial = bad?
Don't forget squidGuard.
-
Squidguard
Squidguard comes with a blockfile for porn sites. I don't know how comprehensive it is, but it will probably satisfy the law and be restrictive than blocking all .com, .org, and .net domains. -
Squid with SquidGuard is the bomb
As previously stated, SquidGuard on top of Squid Cache is a probable good solution. SquidGuard is HIGHLY configurable for rule-sets, and Squid is a fantastic web-caching proxy server.
I have recently configured such a web-filtering beast at a private middle school that requires web filtering for students. I am VERY happy with the speed of Squid and the configurability of SquidGuard.
FYI, I simply created two lists "adult" and "student", and configured SquidGuard to pass ALL adult user requests on through unchecked, but check for and block 'bad stuff' when a student is making an attempt.
Client is happy, I am happy (and paid). Chalk another one up for censorship!
Kidding aside, this is a middle school and the children's Internet/computer access is monitored by staff/faculty members as well. Squid & SquidGuard are an added assistance. YMMV
-
SquidGuard
I think you can use Squidguard for this purpose. I'm not sure but they've wildcard support so you can configure the filter based on that.
However in my opinion it would be difficult to pick out those handful of useful .com, .net, and .org domains. Cuz there are many more than just a handful. However you can use the available blacklist database available from squidguard's site to do the blocking. -
The Solution is Obvious...
Take a look at this project:
www.squidguard.org/
I will have to be honest and say that I have yet to implement this, but geeze, a small amount of Googling can save much turmoil... -
Re:We need open source censor ware
It already exists, it's called SquidGuard, and it runs as a redirector on Squid. We use it mostly for logging, and locking down of systems during "non internet use" lab time. We have had issues with 3rd graders going to hard porn sites (one school we installed a linux based lab for), and with 5th graders at another school going to inappropriate sites. The school with the 5th graders was already going through the district's websense proxy. We now have squidguard in front of websense, for logging purposes. Yes, I know I am posting as an AC... If you want to contact me, my name is Harry McGregor, and our website is The Open Source Education Foundation My email address is on the site.
-
There is one!
If you want open-source censorware, there is squidGuard, a redirector for the Squid proxy server. It provides a great deal of flexibility as to who's allowed access to what, and when.
-
Re:White list them
There are already several white-listing methods. Cyber patrol has the commercial version, or if you prefer OSS, squidGuard has a good mechanism for white-listing.
-
How to do filters...
The best way is not to do filters in the first place. Some people may not get it, but is it really appropriate to be searching for porn in a public place? What about hate speech? Well, you do have a right to free speech, but you generally need to obtain a permit to hold a public protest. So by that reasoning the government should be allowed to block that stuff from government funded public terminals. Some beliefs are motivated through religion, and thus the government should just not get involved. For government the whole issue is a no win situation. The filtering software isn't good enough, and any solution is outrageously expensive to maintain. squidGuard and squidBlock have potential, as the community at large can update the blocked and unblocked site lists. I believe they only filter the URL, not the actual page content.
If you're going to implement a filtering system, here's my general suggestion: train the library staff on how to add sites to the allow list. (Make a nice web interface for squid or something.) Whenever the user hits a site that was blocked, a page explaining the procedure will be displayed. They will then either fill out the request form or go to the library staff. The library staff will review the site and use their own judgment on the spot.
At the end of a given time period, the modifications to the list will be reviewed by a board of volunteers. Sites can again be added or removed. After the meeting, the results will be posted for public review. At any time a voting user can go to the public library and request access to every site on the list, and give their vote on any listed site. These public votes will again be reviewed.
And so the process continues, each filtering site shares its list and every voter has a say. In time you have a system that has a large database of blocked sites. If the central government wants to maintain the central database, fine as long as the end user can override that instantly.
This is by no means a complete system, just me musing on what the heck I would implement a public filtering system. I should write my congressman. Maybe I can get a grant or something! -
Recycled tip; use squid guard, not Junkbuster...
SquidGuard is quicker, and has many features not present in Junkbuster. Take a look.
-
Ditch AOL
Easy choice....ditch AOL, use Squid and SquidGuard to filter whatever in the hell you don't want displayed.
-
Re:What to fight
This is already in the works.
Check out www.squidGuard.org for what is likely the closest thing to an open source filter project. It runs as a redirector plugin for Squid proxy server.
I checked it out one day, to use as a JunkBuster on steroids. I'm really impressed with it. You can craft categories (such as porn, banner ads, tracking sites like doubleclick) and determine who they affect by source machine, destination machine, and even by the time of day. If you're really clever with regular expressions you can do a really good job with it. It has the same failings as any other block-list based filter, but it's open for all to contribute. The site even has a canned set of lists. You can even "anonymize" the logs, so as to only see that there is a problem, and not that it's Bob in Accounting.
Mind you, I don't like censoring -- even at the workplace. However, I will concede that I may be asked someday to set up such a system. And given the recent "scandals" with the commercial filter vendors, I could only recommend this solution. Besides... it's open source! :-) -
SquidGuard...
Yes, if Squid is overkill...SquidGuard is even more so. While it's primarily a filter, filters can have a speed benefit by not grabbing and caching data that isn't wanted.
SquidGuard is an improvement over using Squid+Junkbuster, and is said not to suffer from some of the compatibility problems Junkbuster has (Hotmail, ...). If you're curious, take a look. -
Squid, SquidGuard, SquidBlock, Squirm...
There are numerous options!
Perhaps the ideal choice if site blocking is your primary concern is Squid Guard with the freely available block list available from the Squid Guard site.
Squid Guard is a redirector that works with Squid to provide a wide array of blocking and access control features. Pretty much anything you can envision doing (short of filtering the actual content) can be done with Squid and Squid Guard.
You provide it with a list of regular expressions or distinct URL's and it will block them according to rules you provide (i.e. executives have unlimited access, employees have no porn or games access, janitors only have access to intranet sites, etc.).
Squid alone can provide URL based blocking and it works quite well. It's the method we recommend for most of our clients who need blocking simply because it's so easy. It's already built in, and you can download a pretty good blocklist called SquidBlock from here:
http://www.hklc.com/squidblock/
It's a little rough and the list requires a little hand tuning to make it really effective, but generally just plugs right in using the directions provided on the site.
Another option is Squirm, which is another redirector. I don't have any direct experience with it, but I assume it works pretty similar to Squid Guard above.
http://www.senet.com.au/squirm/
Any one of these should do the job. If it's the most important part of your proxy's job, go the extra mile and install Squid Guard and hand tune the black list (or better still create a second user defined list, so you can install new downloaded blacklists periodically). It will do the job admirably.
If it's just a matter of being able to say to management, "Yes, we've got porn blocking in place...it works pretty well, and we're logging all accesses anyway...blah, blah, blah" you could use Squid alone with the SquidBlock list and keep an eye on your logs. This requires you to inform your users they may be watched though. But generally, we've found that a policy that clearly states the permissible uses (and the promise of log analysis) works better in most environments than blocking. Block lists just can't keep up with the number of porn sites. And it tends to keep the internet use more strictly focused on work rather than seeing what sites can be found that aren't yet blocked.
I guess I should point out that even if you use the better method (Squid Guard) and find it satisfactory, you will still need to monitor logs (although you can do so without caring about who is accessing what) to find any new sites that are being accessed that aren't yet blocked. Babysitting internet access is a pretty big job. You should do what you can to prevent users from even trying to circumvent the blocking to minimize your own labor.
Hope this helps. I'm available for questioning on this stuff (it's my job, so I know my way around Squid pretty good).
-
Re:So roll your own and don't rely on the browser
Sounds like SquidGuard would do something similar; The differences seem to be that SquidGuard is aimed at servers and departments, while Proxomitron is aimed at users.
-
Server-level
There's a much better way to block banner ads than at the browser level. Simply use Squid Proxy Server and the GNU filtering package squidGuard. That way there's no possibility of the damn SPAMMERS to get to your desktop.
-
Cyberpatrol Sucks
Cyberpatrol is not exactly wonderful software. In addition to being slow it is also very expensive - we had been quoted $3000 NZ for a year's subscription.
Instead I now use squidGuard, a plug-in for squid which blocks or allows URLs based on domain names, domain names with paths, or a small number of regular expressions. Email me if you want a copy of my PLAIN TEXT site lists.