[GLLUG] content filtering

Richard Houser rick at divinesymphony.net
Thu Apr 3 03:19:55 EDT 2008


You could also make the system bind two IP addresses and make a local 
firewall rule that sends all your user traffic out the other IP.  Of 
course, that kinda rules out certain closed source bugg^H^H^H^H excuses 
for operating systems.

Karl Schuttler wrote:
> I don't know if this gets logged, but you might be able to change the
> banner of the browser for their firefox profiles, so that it says
> their name, and then log that. Just a thought; I'm not sure how it all
> works.
> 
> On Tue, Apr 1, 2008 at 2:01 PM, Michael George <george at idealso.com> wrote:
>> It's a multi-user system.  There could be multiple users at any given
>>  time.  Don't get me wrong, I think the logging is a good idea, but it's
>>  not perfect.  However, when trying to monitor web usage, there is no
>>  "perfect".
>>
>>
>>
>>  On Tue, April 1, 2008 1:50 pm, Karl Schuttler wrote:
>>  > Cross reference with who was logged on at that time?
>>  >
>>  > On Tue, Apr 1, 2008 at 1:46 PM, Michael George <george at idealso.com> wrote:
>>  >>
>>  >>  On Tue, April 1, 2008 1:36 pm, Karl Schuttler wrote:
>>  >>  > If you need somewhere to store logs and stuff like that, be aware
>>  >>  > that you can samba mount stuff with ddwrt and openwrt, so you could
>>  >>  > just have it automount the samba partition and store stuff there.
>>  >>
>>  >>  True.  And for that matter, I can tell it to ship the logs off to a
>>  >>  syslog server.  As long as it will log with the detail I'd need.  The
>>  >>  downside is that the router (probably) won't know who the user is that
>>  >>  is sending the requests.
>>  >>
>>  >>
>>  >>
>>  >>  > On Tue, Apr 1, 2008 at 8:34 AM, Michael George <george at idealso.com> wrote:
>>  >>  >>  I'll look at the openwrt site and see what I can find for modules.  I
>>  >>  >>  understand that dd-wrt is based on it and can use its modules, but they
>>  >>  >>  will have to be hand-configured.
>>  >>  >>
>>  >>  >>  Do you know of any "recipes" for setting up firewall rules on a server
>>  >>  >>  to run transparent/forced proxy?  I'm hoping for a solution that doesn't
>>  >>  >>  require me to dig knee-deep into learning firewall rules...
>>  >>  >>
>>  >>  >>  I'm also quite happy with a multi-layered approach.  I can use OpenDNS,
>>  >>  >>  and dansguardian, and the log files.  Putting the system in a public
>>  >>  >>  place is probably one of the best moves, but there are some physical
>>  >>  >>  complexities going in that direction...
>>  >>  >>
>>  >>  >>  Hmm, I bet I can get a boot CD that will fire up the system and do the
>>  >>  >>  same things that LTSP does over wireless...  I'll have to look into
>>  >>  >>  that option.  Then I can put the system in more places in the house
>>  >>  >>  without stringing more ethernet cables...
>>  >>  >>
>>  >>  >>
>>  >>  >>
>>  >>  >>  On Mon, March 31, 2008 11:37 pm, Richard Houser wrote:
>>  >>  >>  >
>>  >>  >>  > Michael George wrote:
>>  >>  >>  > | It's time I get more serious about content filtering at home, now that my
>>  >>  >>  > | kids are able to get online.
>>  >>  >>  > |
>>  >>  >>  > | I know there is the dansguardian/squid proxy filter, but I don't want to
>>  >>  >>  > | jump immediately to an approach that requires another computer.  I use
>>  >>  >>  > | LTSP for myself and for the kids, so we're all on the same system
>>  >>  >>  > | (therefore I can't just use mine as the proxy server).
>>  >>  >>  > |
>>  >>  >>  > | I've heard of OpenDNS for DNS-level filtering, but I'm not sure if that
>>  >>  >>  > | will have some loopholes that I hadn't thought of...
>>  >>  >>  >
>>  >>  >>  > For starters, a loophole is that someone can just bypass DNS.  It
>>  >>  >>  > wouldn't be convenient, but is still relatively easy to do if your kids
>>  >>  >>  > are so inclined.  They certainly won't fall into that loophole by
>>  >>  >>  > accident, however, so with good parenting, I don't think this would be
>>  >>  >>  > an issue.
>>  >>  >>  >
>>  >>  >>  > | I should have thought ahead more when I got my router.  I put in a Linksys
>>  >>  >>  > | WRT54GL running dd-wrt just recently.  I'm happy with it so far, and it
>>  >>  >>  > | will facilitate a transparent proxy, but it doesn't implement one.  Since
>>  >>  >>  > | I only use it for basic router and firewall tasks, it would be nice to
>>  >>  >>  > | have a content filtering proxy built into it.
>>  >>  >>  > |
>>  >>  >>  > | Anyone here have opinions/advice?  Thanks!
>>  >>  >>  >
>>  >>  >>  > I don't know about your kids, but have you looked into providing either
>>  >>  >>  > a mostly open internet connection (regarding http port 80/443) with
>>  >>  >>  > logging for later review OR a whitelist based approach?  I don't know
>>  >>  >>  > about dd-wrt, but if you were running OpenWRT that should certainly be
>>  >>  >>  > doable (especially with the up to 2GB flash storage you can put in the
>>  >>  >>  > GL).
>>  >>  >>  >
>>  >>  >>  > Also, since you are running on the same system, you CAN use your machine
>>  >>  >>  > as the proxy.  When on the same machine, you can use firewall rules to
>>  >>  >>  > force certain users to use the proxy and allow others open access.
>>  >>  >>  > While still on the same machine, I think this is the best option.
>>  >>  >>  >
>>  >>  >>
>>  >>  >>
>>  >>  >>  -Michael George
>>  >>  >>
>>  >>  >>
>>  >>  >>
>>  >>  >
>>  >>
>>  >>
>>  >>  -Michael George
>>  >>
>>  >
>>
>>
>>  -Michael George
>>
> _______________________________________________
> linux-user mailing list
> linux-user at egr.msu.edu
> http://mailman.egr.msu.edu/mailman/listinfo/linux-user
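
As an added example (not part of the thread and not any poster's code), the per-user firewall rules discussed above can be written with the iptables `owner` match, which works here because every user's processes run on the one shared system. The account names, the filter port 8080 and the address 192.0.2.11 are assumptions; the script only prints the rules unless `APPLY=1` is set.

```shell
#!/bin/sh
# Added example: per-user egress rules built on the iptables "owner" match.
# Assumed, not from the thread: the user names passed in, filter port 8080,
# and 192.0.2.11 as the second address already bound to this host.
# Rules are only printed unless APPLY=1 is set (installing them needs root).

FILTER_PORT="${FILTER_PORT:-8080}"   # local filtering proxy, assumed port

run() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else echo "$*"; fi
}

# force_proxy USER...: redirect each listed user's direct HTTP to the local
# filter and refuse their direct HTTPS (it cannot be redirected transparently,
# so the browser must be pointed at the proxy). Unlisted users stay open.
force_proxy() {
    for u in "$@"; do
        uid=$(id -u "$u" 2>/dev/null) || {
            echo "skip: no such user: $u" >&2
            continue
        }
        run iptables -t nat -A OUTPUT ! -o lo -p tcp --dport 80 \
            -m owner --uid-owner "$uid" -j REDIRECT --to-ports "$FILTER_PORT"
        run iptables -A OUTPUT -p tcp --dport 443 \
            -m owner --uid-owner "$uid" -j REJECT --reject-with tcp-reset
    done
}

# tag_source USER ADDR: make USER's own connections leave from ADDR, so logs
# on the router can attribute requests by source address.
tag_source() {
    uid=$(id -u "$1" 2>/dev/null) || {
        echo "skip: no such user: $1" >&2
        return 1
    }
    run iptables -t nat -A POSTROUTING -m owner --uid-owner "$uid" \
        -j SNAT --to-source "$2"
}

# Stand-alone use: sh peruser.sh kid1 kid2   (hypothetical account names)
if [ "$#" -gt 0 ]; then
    force_proxy "$@"
fi
```

Requests relayed by the proxy leave under the proxy's own account, so the SNAT rule tags only connections a user makes directly; the proxy's access log remains the per-request record for filtered users.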


