Ask Slashdot: How To Best Setup a School Internet Filter?

An anonymous reader writes "I was recently volunteered to be the network/computer admin for a small non-profit school. One of the items asked of me had to do with filtering inappropriate content (i.e. stuff you wouldn't want your mother to see). Essentially we want to protect people who aren't able to protect themselves, at least while on campus. Basic site filtering is fairly easy — setup squid with one of the many filtering engines and click to filter the categories your interested. Additionally, making the computer lab highly visible uses public shame and humiliation to limit additional activity. The real question — How do you filter Facebook? There is a lot of great content and features on Facebook, and its a great way to stay in contact with friends, but there is also a potentially dark side. Along with inappropriate content, there is a tendency to share more information than should be shared, and not everyone follows proper security and privacy guidelines. What's the best way to setup campus-wide security/privacy policies for Facebook?"

Re:opendns

OpenDNS is a huge scam - right up there with all the other Bait & Switch slime.

It used to be free, our public library used them to filter porn so that they met the basic filtering requirements in order to get Federal grant money.

Then OpenDNS said no more free filtering - all right, everyone needs to make a buck or two right?

So how much for 50 workstations - $1250/year (and that's with a non-profit discount) - for DNS service.

Yeah, going from free to outrageous isn't exactly a viable business plan.

DynDNS offers pretty much the same thing (i.e. category filtering) for $20/year - guess which plan the Library went with?

How old are these kids?

[dacut]

If they're under 13 (elementary and middle school age range), they're not allowed to access Facebook due to their terms of service and (in the US, at least) COPPA.

From Facebook's terms of service:
You will not use Facebook if you are under 13.

This is due to the Children's Online Privacy Protection Act, which requires verified parental consent before children can provide information to the website. While this does not impact you directly (that is, the FTC isn't going to knock on your door), you could get some heat from parents or administrators for allowing it at all.

Personally, I think the law is too draconian, but I wouldn't put my position in jeopardy to protest it.

PfSense + DansGardian + OpenDNS + Unbound DNS

Use PFsense with Squid Proxy WAN object caching and DansGuardian (with the paid list updates) and on top of that, OpenDNS filtering.

OpenDNS will help with malware prevention and botnet computers.

Use Unbound forwarding to pull OpenDNS but also locally cache DNS entries for faster response times.

Block DNS port 53 from exiting the WAN from anything but the pfsense proxy to prevent circumvention of your local proxy.

Re:can't partially-filter Facebook

[Nonesuch]

Actually, many of the more complex commercial firewall products CAN partially filter facebook. For example, you can permit reading but block posting updates, or permit access to most pages but block Farmville and all streaming media from fbcdn.' I've always thought the easy way to cut down on problems with this sort of Internet access was to permit Content-type: text/* but block all images, audio, and video. Basically, let them read Playboy for the articles!

Re:Don't

[houghi]

You could add them automatically, as long as a teacher asks for it (and is verified that it was a teacher).
Let them know that it will be logged and verified later.
They will control themselves better then you can, as long as you do the follow up and explain why things are removed.

Obviously this should not be your only line of defense. When I look at openDNS, it says that 1 in 3 schools are already using it. and they have something like http://www.opendns.com/business-solutions/k-12-education-old as well as free solutions.