I'm trying to block specific websites, preferably using a portion of the url. For example, if blocking acmegrocery.com, www.acmegrocery.com would also be blocked. This implies that simply blocking a single IP using iptables would not work well.

The names to block will be somewhat dynamic, so a list specification would be ideal.

In my case, the LAN has a mix of linux and ms machines, and they all use a linux gateway currently running dnsmasq.

Doing some reading, I find suggestions from using /etc/hosts (might work with yp, but not ideal) on the gateway machine, through to using squid on the gateway machine.

I have to believe several people have worked on solutions to this problem, and might be able to suggest best practices. Any takers?

I would be inclined to use squid and dansguardian.

Might add in a hosts file.

The problem is that the hosts file can only deal with the name. Unless running YP/NIS the others, who _could_ use a different nameserver, can still route there. Also, can be readily circumvented with use of an IP in the URL.

That's why I'm looking for a better solution.

I don't disagree.

I'd say that a dedicated firewall solution would be in order. See untanle maybe.

If you want secure then you need to prevent physical access to the firewall. Any on machine scheme can be bypassed.

I was trying to avoid a major change (or expense). Untanle appears to be an appliance one buys, and my assumption is that it gets database updates.

Might be good for an enterprise which needs an easy solution.

I'm still looking for a open solution, if I can find one.

You could try monowall or shorewall, but really for what it seems like you're interested in doing dansguardian and squid are the right answer.

Actually, Untangle is a largely free (some modules you must pay for) software that is intended to be used on a dedicated system or running as a vm. You don't have to buy anything if you don't want to. The only major change is that it replaces your gateway, or you could set it up as a bridged device so that it's transparent to the network.

I've used Untangle for quite some time and I really like it (just make sure you have at least 1GB RAM installed... preferably 2GB). It has a filter built into it that should do exactly what you want: http://www3.untangle.com/web-filter

They also have a fantastic forum where support staff answers any questions that users cannot.

If you have a spare system or parts laying around it's a great product. I am not affiliated with them in any way other than as a satisfied user.


Sean

If you have LAN and Linux as a gateway, you probably use DHCP, so you can tell clients to use your DNS, which can be just small dns proxy with list of negative queries. Of course you need to disable direct DNS query.

QFT.

This is the exact solution I used at a company a while back. All free.

I built a machine from parts lying around our lab, you really don't need much horsepower or juice to accomplish this.

Install squid, install dansguardian and voila! Another good idea is to make sure you setup the web interface. You set up logins and passwords for users that should have access to which users are doing what and they can log into a web interface, scroll through a list of names and see all the sites they visited.

Dansguardian also comes with (when I last used it at least) a precompiled list of bad domains and ip addresses.

The only downfall - depending, actually, upon your perspective - is that squid requires an extra credential login prompt for any sort of logging.

All of this should be able to be accomplished without any cost.