Dansguardian setup

From MEPIS Documentation Wiki

Installing and Configuring Dansguardian



NOTE: This method works in MEPIS 8.0 and 8.5 but not in prior versions.



Dansguardian is an open-source enterprise-class content filtering application. You can read more about it at dansguardian.org. Dansguardian is provided free for personal or non-profit use.

In addition to filtering web content, Dansguardian scans downloaded content with ClamAV and logs all HTTP requests, making it a valuable security tool.

Overview

Dansguardian is not a complete standalone application like "NetNanny" or similar. It is simply the filter part of a content filtering system. To set up a working system we also need two other things:

  • A proxy service to transport internet traffic to the filter
  • Some means to make sure web traffic goes to the proxy

For the first part, we are going to install the "tinyproxy" package. It is, as the name suggests, a very small, lightweight proxy service ideal for handling the traffic of a single workstation.

For the second part, we could simply use the "honor system" and set our browser manually to use the proxy. More than likely, though, you'd rather have this set up to be (a) transparent, and (b) impossible to get around without root access. For this, we'll use a firewall application called "firehol".

Step-by-step

Install

Install the following packages using the method of your choice:
dansguardian tinyproxy firehol

Configure Dansguardian

  • As root, open /etc/dansguardian/dansguardian.conf
  • Locate the line that says "UNCONFIGURED"
  • Comment it out by adding a "#" at the beginning of the line.
  • Save the file and exit

Configure tinyproxy

  • As root, open /etc/tinyproxy/tinyproxy.conf
  • Edit the line that reads "Port 8888". Change it to read:
    Port 3128
  • Save the file and exit

Configure firehol

  • As root, open /etc/firehol/firehol.conf
  • Edit the file so that it reads as follows after the initial comment block (just copy and paste this bit, if you want):
version 5
iptables -t filter -I OUTPUT -d 127.0.0.1 -p tcp --dport 3128 -m owner ! --uid-owner dansguardian -j DROP
transparent_squid 8080 "nobody root"
interface any world
       policy drop
       protection strong
       client all accept
  • Save and exit the file
  • Open (again, as root), /etc/default/firehol.
  • Change the first line to read:
    START_FIREHOL=YES
  • Save and exit the file

Finish

  • Make sure all services are set to start on boot
    • As root, browse to /etc/rc5.d
    • Make sure dansguardian is set to start on boot
mv K50dansguardian S50dansguardian
  • Restart all three services, as root (order is important):
/etc/init.d/firehol restart
/etc/init.d/tinyproxy restart
/etc/init.d/dansguardian restart

You should now have basic filtered internet. To test this, browse a few webpages, then check the log by typing as a regular user:

cat /var/log/dansguardian/access.log  
You should see entries similar to this:
2007.9.2 21:04:46 - 192.168.2.102 http://dansguardian.org/ *EXCEPTION* Exception site match. GET 2683
2007.9.2 21:04:48 - 192.168.2.102 http://www.mepis.org/ *SCANNED*  GET 0
This indicates that dansguardian is indeed checking your pages.
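
A quick way to confirm that the edits from the steps above are all in place, as an added example that is not part of the original wiki page. The function name check_filter_setup and its optional directory-prefix argument are assumptions made for this example; the file paths and expected values are the ones given in the steps.

```sh
#!/bin/sh
# Added example: verifies the settings made in the configuration steps.
# check_filter_setup is a hypothetical helper; its optional argument is a
# directory prefix so the check can also run against a copy of /etc.

# Run a command quietly; print the result and count failures.
check() {  # check <description> <command...>
    desc="$1"; shift
    if "$@" >/dev/null 2>&1; then
        echo "ok    $desc"
    else
        echo "FAIL  $desc"
        failures=$((failures + 1))
    fi
}

# True when the file is readable and no line matches the pattern.
no_match() { [ -r "$2" ] && ! grep -Eq -- "$1" "$2"; }

check_filter_setup() {
    etc="${1:-}/etc"
    failures=0
    check "dansguardian.conf: UNCONFIGURED line is commented out" \
        no_match '^[[:space:]]*UNCONFIGURED' "$etc/dansguardian/dansguardian.conf"
    check "tinyproxy.conf: Port 3128" \
        grep -Eq '^[[:space:]]*Port[[:space:]]+3128[[:space:]]*$' "$etc/tinyproxy/tinyproxy.conf"
    # Without this rule a local user could talk to tinyproxy directly and skip the filter.
    check "firehol.conf: port 3128 dropped for everyone except the dansguardian user" \
        grep -Eq '^[[:space:]]*iptables .*--dport 3128 .*! --uid-owner dansguardian .*-j DROP' "$etc/firehol/firehol.conf"
    check "firehol.conf: web traffic redirected to the filter on port 8080" \
        grep -Eq '^[[:space:]]*transparent_squid[[:space:]]+8080[[:space:]]' "$etc/firehol/firehol.conf"
    check "default/firehol: START_FIREHOL=YES" \
        grep -Eq '^START_FIREHOL=YES[[:space:]]*$' "$etc/default/firehol"
    return "$failures"   # number of failed checks; 0 means all settings are present
}
```

Call `check_filter_setup` with no argument, as root, to check the live files under /etc; the return value is the number of failed checks.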

Notes and Caveats

  • The default configuration for Dansguardian is quite restrictive, as it is designed for young children. It can be tweaked very extensively, however. The /etc/dansguardian/dansguardian.conf file is fairly self-explanatory, and you should be able to make most of the adjustments you need by looking through it and changing the values it suggests.
  • firehol is a firewall. It may cause problems with guarddog or other firewall programs (conflicting settings, etc). The configuration posted above will block anything coming in, so if you need services like samba or ssh open, consult the man page for the firehol.conf file (man firehol.conf). There is no GUI for firehol, but it has a very simple syntax.
  • To temporarily disable content filtering, shut down the firehol service (as root):
    /etc/init.d/firehol stop
    If you shut down tinyproxy or dansguardian without shutting down firehol, you will likely lose your internet connection.
