Web Filter

[apeo]

Ok I have a question for all you nix gurus out there as Im a nix Newb. What Im looking into for the near future is a means to filter websites/content and I believe a nix server would do this best. Only thing is in kinda need an idiots guide on the following:
Distro - Which one should i go for?
- Whats the hardware requirement?

Smoothwall - Given the above, how do I install it?
- How do i configure it?
- How do i intergrate it into the network?

Dansguard - how do I install it?
- How do i configure it?
- How do i intergrate it into the network?

Ipcop - should i use this and if so then the above questions need answering...

I know its alot to ask but any help is appreciated. Oh and one more thing, if i wanted to add additional elements would it be a good idea to add them to the above nix server or create a new one?

[Geoff]

Ok. As I've mentioned before I need to get round to writing up one (or more!) wiki articles about this however basically what I have setup (in steps):

Ubtuntu LTS 6.06 (Dapper Drake) Minimal Server Install on a P4 Celeron 2.4Ghz with 1Gb of ram (a recycled desktop machine basically).

I've installed Squid and Samba (with winbind).
I've then added the machine as a member server to the domain (samba).
Enabled Username/Group lookups (winbind)
Got the machine working as a proxy via our LEA's proxy server (Squid)
Enabled NTLM authentication (Squid + Winbind)
Downloaded Dansguardian Alpha Version and compiled it (much installing of compile tools).
Done some configured Dansguardian so it goes through squid (for the NTLM auth).
Updated the blacklists + phraselists and told Dansguardian to use them.

Things I have outstanding:

Pay for blacklist updates (not really up to me) and get them autoupdating.
Sort out some reporting functionality.
Customise the block page.

Which of the above steps do you require more details on?

[djm968]

My first nix box was a proxy filter running squid and dansguardian on Fedora Core 2. The GUI means you don't have to get too bogged down in scipts and config files and Squid and Dans are both available as easy to install packages.

The thing was rock solid for two years, never fell over once. I think the school are still using it now.

[Teth]

I too am about to embark on this so will watch this thread and any wiki articles on it with intrest. At the moment I have soem breathing space because I've refused to have any live internet access in suites that I supervise at lunch and after school until the school has kids signing an AUP which I'm currently negotiating with SMT about.

The part I least understand and can find least information about is useage restriction in terms of an internet on/off switch. The head of IT here has resisted the arrival of the internet in the teaching suites because of the distraction it would cause for lessons, but the internet provission in the library/learning centre is just not adequate to meet demands. Its overly filtered by C2K the managed network provider here. So the solution I impliment needs to offer interent use before school, lunch, break and afterschool easy enough. The harder part is to allow it to be on and off on a per room basis for lessons. Idealy ina very simple way that teachers can do it themselves. A simple "click here to activate/ deavtiviate internet in this Suite" button.

I'm sure its something I can at the very least write scripts for and a basic application which runs those scripts from an idiot proof interface. Its just finding the time to do it.

[djm968]

Its really easy to do this..... tell them to go to the wall and hit the power switch on the router. Bingo.... no internet access.

[tom_newton]

Who'd have guessed i'd pop up in this thread, eh?

I'd suggest that for a system analagous to Geoff's there, but for people who don't have his time (or obvious considerable expertise!) SmoothWall's SchoolGuardian system is the way to go. You can build something similar from OpenSource components, but it isn't that easy, and you don't get a web gui!

It's based on Dansguardian, but it's not the same one as you download, as Dan himself is one of the SmoothWall directors, and we've spent a couple of years improving the thing!

I will disclaim this by adding that I work for SmoothWall, but even if I didn't i'd encourage you to look at the system.

Also, there's an EduGeek discount for members of this board, because we think it's great

Tom (tom@smoothwall.net)

[tom_newton]

@ Teth - time based rules are already in our product set - would be interested in how you'd like room-based rules implementing, by IP? MAC?

Drop me an email if you've any bright ideas on this one, always like to hear from those on the "front line"!

[plexer]

Censornet always had the ability to group machines and then disable web browser as you saw fit.

Schoolguardian integrates with active directory so you could presumably pull ou's containing computers out of there for your groups and then obtain the macs or ip from the machines to block?

Ben

[Teth]

In my thoughts on scripting this I was thinking MAC as I already have MAC lists or ideally by OU its gonna depend really on how much time I have to learn new things before this gets implimented

I'd love to buy a product for it too but I'm in a school that has no IT budget. I mean there is no allocation of money at all for the network. Equipment is bought in haphazard fashion by either departmental budgets or by capital spending at the end of a financial year. The capital spending is very irregular, money was spent this year on 60 new machines and 2 new servers but thats the first spend in 3 years (I've worked here 8 months). The IT departments budget is less than 10k a year and from it must come paper, Toner, incidentals like mice leads etc, textbooks and materials for ICT and computing classes. The budget has been dwindling year y year because we are due a new school under a PPP(public private partnership) system and as such our funding is being cut by the board and capital expenditure is fround upon.

Simply put an internet connection is needed to do the Clait+ exams this year which I can provide simply enough for that task. I'm trying to go that extra mile and provide it year round for classes but there is no money available only my time. So it will be open source or bust. Another time based project I have is getting the small 6thform computer room operational again on scrounged and spare hardware with no money. Thats most likely going to be an opensource project as well.


If changing a users filter group takes effect instantly maybe a "no access" group which they are removed from if they are in an internet class would be an answer. Again with copious scripting to idiot proof it.

[tom_newton]

Thanks guys - AD method sounds like a plan - will discuss with the devs. Unlike some folk, who copy the AD periodically (think censornet do this) we have a caching auth daemon which means changes are instant.

[webman]

You can build something similar from OpenSource components, but it isn't that easy, and you don't get a web gui!

Unless you make one yourself or mix dansguardian with ipcop?

[Geoff]

There's a webmin module for dansguardian too.

However personally, I'm more at home with the flat text files. It makes it more obvious as to what's going on.

[CyberNerd]

Unless you make one yourself or mix dansguardian with ipcop? Smile

Would take a lot of beating, smoothwall corp web interface is v.good

[NetworkGeezer]

However personally, I'm more at home with the flat text files. It makes it more obvious as to what's going on.

Spoken like a true geek

[Geoff]

Shh, or I'll grep you!