block specific websites via proxy

[rocknrollstar]

Hi, there are a few sites that children use which we're not too keen on, but the county proxy lets them through ok. They aren't dodgy, but are pretty much social networking stuff, and we are keen to disallow these site (causing exlcusion/inclusion issues).

Is there any way that I can set up an intermediate proxy? Some simple free software would be great that means I change the IE proxy settings to point to that machine, and then the proxy software on that machine checks against an editable list, and either disallows or forwards on to the county proxy? I'm not hugely knowledgeable in *nix, but will have a go. We have a ubuntu machine hosting FOG, which isn't in constant use ( it's P4 2.8Ghz though).

Also, will this have a huge hit on performance, and will I need a really high powered spec machine?

Many thanks.

[SYNACK]

If it is just certain sites that you want to block you could look at adding DNS entries to your local DNS server that redirected them to either a blocked page or google. This way when they attempted to load the site it would load from the location/site that you choose. This is probably the easiest way to implement this without a secondary proxy/blocking system setup.

Just add a new authorative zone to DNS with the address you want to block and have a * record pointing to where you want it to go instead.

You need to do as below because as soon as you set it as a record on your DNS it is authorotive:

Re: Non authoritative domain on Windows Server 2003

You could create a zone called "hostname.domainname.com" and then within
that zone create a blank host A record (same as parent) pointing to the
relevant internal IP

Then your server would only be authorative for the zone "hostname.domainname.
com"and any records within that zone (such as the same as parent host record
you need)

Only drawback to this is you have to create a separate DNS zone for each host
and a same as parent record but it works

[bio]

I would give opendns.com a try

bio..

[FN-GM]

The problem with openDNS he might have to froward DNS requests to an upstream DNS server and the county

[tom_newton]

Also, DNS requests when using a proxy are generally handled by the proxy, so you may not get anywhere.

To answer the OP - if you have a bit of linux knowledge, squid will get you by just for blocking a few extra sites.

[Brpilot99]

Hi ... we are on the SWGFL and its possible access our schools filtering settings and permit or deny any sites that we wish ....
We accesss the following and input our user name and password

http://admin.filtering.dn.swgfl.org.uk




Maybe the SEGFL has the same facility?

If so you will have to write to them and request your user name and password ...
After that its easy !!! ban or open up any site of your choosing !!!!

Hope this helps
Cheers
Brian

[steveg]

SEGFL do have the same option, the address is admin.safetynet.rmplc.co.uk you'll just need to request a usernme and password.

Steve

[Galway]

If its just the odd site, configure the sites you want to be blocked like you would internal servers. This would mean for those sites the proxy wouldn't be used ... and wouldn't be shown.

[rocknrollstar]

Thanks for your replies everyone.

Galway, what do you mean by:

configure the sites you want to be blocked like you would internal servers

How do you do this on a win2k server xp client network?

Brpilot99 & SteveG- I have phone RM who sent me to SEGFL who sent me to the LEA IT people, who logged a call and still haven't got back to me. Seems like a good way to go, if we can get a username and password sorted out...

Thanks.

[rocknrollstar]

Further to my original post, I've been investigating the use of the hosts file in c:\windows\system32\drivers\etc\. This is one way to set blocked sites on a local machine. I like this method as it should be quick and is easy to update.

The idea would be to have a master hosts file on the server, and then update the remote machines hosts file on startup.

However, I've read that the proxy server takes first pick for DNS, so the hosts file will not get a look in.

Anyway know a way around this? Want the host file to take presidence over the proxy.

Thanks.

[Galway]

We configure the proxy via GPO. Under those settings you can enter IP's and addresses not to be used by the proxy, so that your not going though the proxy to get to them. If you setup an address in there, hotmail.com for example, it wont use the proxy and because of this will time out or say page not found.

Dont add too many sites in there, but it does serve to block sites while the authority can ban them.

[tom_newton]

Further to my original post, I've been investigating the use of the hosts file in c:\windows\system32\drivers\etc\. This is one way to set blocked sites on a local machine. I like this method as it should be quick and is easy to update.

The idea would be to have a master hosts file on the server, and then update the remote machines hosts file on startup.

However, I've read that the proxy server takes first pick for DNS, so the hosts file will not get a look in.

Anyway know a way around this? Want the host file to take presidence over the proxy.

Thanks.

AFAIK this is *generally* not possible - as when a browser has a proxy it will just say "oi, proxy, go fetch me www.edugeek.net" and never worry about DNS - if the proxy was asked to fetch an IP instead, it would foul up vhosts etc. and you'd still have to append a URL.

The only way I can see to avoid this is if you deliver proxy config via proxy.pac - you could write a rule in to point requests for your "banned" sites to go to (say) a proxy that didn't exist.

If you really want more control over your filtering though, I would avoid the "bodgit" route - you will only run into issues down the line. Two best suggestions are: work with *GFL to get custom filters, or take filtering totally "in house".

HTH.

[Tim_H]

If all your net access is provided by RM, don't you have a Smartcache 2 server on site?

You can set up all sorts of filtering lists on that and have different filtering policies for staff/pupils etc.

The alternative may be to use Smoothwall express - I use this at home but don't have a need to run it in school here so haven't really looked in to what is possible with it in this environment.

You could point all your machines at the smoothwall (or squid, or whatever local proxy you like) using group policy (or if your an RM school using the RM Management Console) and then do your filtering on the local proxy.

[philterx]

A good free solution I customised for Northern Territory Catholic Education Schools back in the day was made using Smoothwall. They have a VM Image for VMWare ready and ISO for CD install.

Cheers,

Phil