LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Networking (http://www.linuxquestions.org/questions/linux-networking-3/)
-   -   Parental control on Slackware 13.1 desktop using dansguardian and tinyproxy (http://www.linuxquestions.org/questions/linux-networking-3/parental-control-on-slackware-13-1-desktop-using-dansguardian-and-tinyproxy-898509/)

SlowLearner 08-20-2011 03:34 PM

Parental control on Slackware 13.1 desktop using dansguardian and tinyproxy
 
I need assistance troubleshooting syslog errors.

I am attempting to follow Alien Bob's example of Parental control on the Linux desktop using Dansguardian and tinyproxy
on a single boot Slackware 13.1 for "the family PC in the living room."

I set up the /etc/rc.d/rc.firewall as detailed here and that seems to be working as it should. However I am getting syslog errors stating tinyproxy is unable to create log file and that dansguardian has errors connecting to proxy.


Example of syslogs errors are:

Quote:

Aug 20 14:48:22 darkstar tinyproxy[1592]: ERROR: Could not create log file /var/log/tinyproxy/tinyproxy.log: Bad file descriptor.
Aug 20 14:48:22 darkstar tinyproxy[1592]: Falling back to syslog logging
Aug 20 14:48:24 darkstar kernel: phy0 -> rt2500pci_set_device_state: Error - Device failed to enter state 1 (-16).
Aug 20 14:49:24 darkstar last message repeated 3 times
Aug 20 14:49:25 darkstar python: hp-systray[1824]: warning: No hp: or hpfax: devices found in any installed CUPS queue. Exiting.
Aug 20 14:49:26 darkstar kernel: phy0 -> rt2500pci_set_device_state: Error - Device failed to enter state 1 (-16).
Aug 20 14:49:28 darkstar kernel: phy0 -> rt2500pci_set_device_state: Error - Device failed to enter state 1 (-16).
Aug 20 14:49:28 darkstar dansguardian[1604]: Error connecting to proxy
Aug 20 14:49:34 darkstar dansguardian[1604]: Error connecting to proxy
Aug 20 14:49:34 darkstar kernel: phy0 -> rt2500pci_set_device_state: Error - Device failed to enter state 1 (-16).
Aug 20 14:49:54 darkstar last message repeated 80 times
Aug 20 14:49:54 darkstar dansguardian[1604]: Error connecting to proxy
Aug 20 14:49:55 darkstar dansguardian[1604]: Error connecting to proxy
tinyproxy.conf is:
Quote:

## tinyproxy.conf -- tinyproxy daemon configuration file
User nobody
Group nobody
# Port: Specify the port which tinyproxy will listen on.
Port 3128
Listen 127.0.0.1
DefaultErrorFile "/usr/share/tinyproxy/default.html"
StatFile "/usr/share/tinyproxy/stats.html"
LogFile "/var/log/tinyproxy/tinyproxy.log"
# Syslog: Tell tinyproxy to use syslog instead of a logfile.
#Syslog On
LogLevel Info
Allow 127.0.0.1
Allow 192.168.2.0/24
ViaProxyName "tinyproxy"
# The following two ports are used by SSL.
#
ConnectPort 443
ConnectPort 563


dansguardian.conf meat is:
Quote:

# DansGuardian config file for version 2.10.1.1

# **NOTE** as of version 2.7.5 most of the list files are now in dansguardianf1.conf


# Web Access Denied Reporting (does not affect logging)
# 1 = report why but not what denied phrase
# 2 = report fully
# 3 = use HTML template file (accessdeniedaddress ignored) - recommended
#
reportinglevel = 3


# Logging Settings
#
# 0 = none 1 = just denied 2 = all text based 3 = all requests
loglevel = 2

# Log Exception Hits
# Log if an exception (user, ip, URL, phrase) is matched and so
# the page gets let through. Can be useful for diagnosing
# why a site gets through the filter.
# 0 = never log exceptions
# 1 = log exceptions, but do not explicitly mark them as such
# 2 = always log & mark exceptions (default)
logexceptionhits = 2

# Log File Format
# 1 = DansGuardian format (space delimited)
# 2 = CSV-style format
# 3 = Squid Log File Format
# 4 = Tab delimited
logfileformat = 1

# truncate large items in log lines
#maxlogitemlength = 400

# anonymize logs (blank out usernames & IPs)
#anonymizelogs = on


# Syslog logging
#
# Use syslog for access logging instead of logging to the file
# at the defined or built-in "loglocation"
#syslog = on

# Log file location
#
# Defines the log directory and filename.
loglocation = '/var/log/dansguardian/access.log'


# Statistics log file location
#
# Defines the stat file directory and filename.
# Only used in conjunction with maxips > 0
# Once every 3 minutes, the current number of IPs in the cache, and the most
# that have been in the cache since the daemon was started, are written to this
# file. IPs persist in the cache for 7 days.
#statlocation = '/var/log/dansguardian/stats'


# Network Settings
#
# the IP that DansGuardian listens on. If left blank DansGuardian will
# listen on all IPs. That would include all NICs, loopback, modem, etc.
# Normally you would have your firewall protecting this, but if you want
# you can limit it to a certain IP. To bind to multiple interfaces,
# specify each IP on an individual filterip line.
filterip = 127.0.0.1

# the port that DansGuardian listens to.
filterport = 8080

# the ip of the proxy (default is the loopback - i.e. this server)
proxyip = 127.0.0.1

# the port DansGuardian connects to proxy on
proxyport = 3128



# accessdeniedaddress is the address of your web server to which the cgi
# dansguardian reporting script was copied. Only used in reporting levels 1 and 2.
#
# This webserver must be either:
# 1. Non-proxied. Either a machine on the local network, or listed as an exception
# in your browser's proxy configuration.
# 2. Added to the exceptionsitelist. Option 1 is preferable; this option is
# only for users using both transparent proxying and a non-local server
# to host this script.
#
# Individual filter groups can override this setting in their own configuration.
#
accessdeniedaddress = 'http://YOURSERVER.YOURDOMAIN/cgi-bin/dansguardian.pl'

# Non standard delimiter (only used with accessdeniedaddress)
# To help preserve the full banned URL, including parameters, the variables
# passed into the access denied CGI are separated using non-standard
# delimiters. This can be useful to ensure correct operation of the filter
# bypass modes. Parameters are split using "::" in place of "&", and "==" in
# place of "=".
# Default is enabled, but to go back to the standard mode, disable it.
nonstandarddelimiter = on



# Banned image replacement
# Images that are banned due to domain/url/etc reasons including those
# in the adverts blacklists can be replaced by an image. This will,
# for example, hide images from advert sites and remove broken image
# icons from banned domains.
# on (default) | off
usecustombannedimage = on
custombannedimagefile = '/usr/share/dansguardian/transparent1x1.gif'



# Filter groups options
# filtergroups sets the number of filter groups. A filter group is a set of content
# filtering options you can apply to a group of users. The value must be 1 or more.
# DansGuardian will automatically look for dansguardianfN.conf where N is the filter
# group. To assign users to groups use the filtergroupslist option. All users default
# to filter group 1. You must have some sort of authentication to be able to map users
# to a group. The more filter groups the more copies of the lists will be in RAM so
# use as few as possible.
filtergroups = 1
filtergroupslist = '/etc/dansguardian/lists/filtergroupslist'



# Authentication files location
bannediplist = '/etc/dansguardian/lists/bannediplist'
exceptioniplist = '/etc/dansguardian/lists/exceptioniplist'



# Show weighted phrases found
# If enabled then the phrases found that made up the total which excedes
# the naughtyness limit will be logged and, if the reporting level is
# high enough, reported. on | off
showweightedfound = on



# Positive (clean) result caching for URLs
# Caches good pages so they don't need to be scanned again.
# It also works with AV plugins.
# 0 = off (recommended for ISPs with users with disimilar browsing)
# 1000 = recommended for most users
# 5000 = suggested max upper limit
# If you're using an AV plugin then use at least 5000.
urlcachenumber = 1000
#
# Age before they are stale and should be ignored in seconds
# 0 = never
# 900 = recommended = 15 mins
urlcacheage = 900



# Clean cache for content (AV) scan results
# By default, to save CPU, files scanned and found to be
# clean are inserted into the clean cache and NOT scanned
# again for a while. If you don't like this then choose
# to disable it.
# (on|off) default = on.
scancleancache = on






# Hex decoding options
# When a document is scanned it can optionally convert %XX to chars.
# If you find documents are getting past the phrase filtering due to encoding
# then enable. However this can break Big5 and other 16-bit texts.
# off = disabled (default)
# on = enabled
hexdecodecontent = off



# Force Quick Search rather than DFA search algorithm
# The current DFA implementation is not totally 16-bit character compatible
# but is used by default as it handles large phrase lists much faster.
# If you wish to use a large number of 16-bit character phrases then
# enable this option.
# off (default) | on (Big5 compatible)
forcequicksearch = off



# Reverse lookups for banned site and URLs.
# If set to on, DansGuardian will look up the forward DNS for an IP URL
# address and search for both in the banned site and URL lists. This would
# prevent a user from simply entering the IP for a banned address.
# It will reduce searching speed somewhat so unless you have a local caching
# DNS server, leave it off and use the Blanket IP Block option in the
# bannedsitelist file instead.
reverseaddresslookups = off



# Reverse lookups for banned and exception IP lists.
# If set to on, DansGuardian will look up the forward DNS for the IP
# of the connecting computer. This means you can put in hostnames in
# the exceptioniplist and bannediplist.
# If a client computer is matched against an IP given in the lists, then the
# IP will be recorded in any log entries; if forward DNS is successful and a
# match occurs against a hostname, the hostname will be logged instead.
# It will reduce searching speed somewhat so unless you have a local DNS server,
# leave it off.
reverseclientiplookups = off

# Perform reverse lookups on client IPs for successful requests.
# If set to on, DansGuardian will look up the forward DNS for the IP
# of the connecting computer, and log host names (where available) rather than
# IPs against requests.
# This is not dependent on reverseclientiplookups being enabled; however, if it
# is, enabling this option does not incur any additional forward DNS requests.
logclienthostnames = off


# Build bannedsitelist and bannedurllist cache files.
# This will compare the date stamp of the list file with the date stamp of
# the cache file and will recreate as needed.
# If a bsl or bul .processed file exists, then that will be used instead.
# It will increase process start speed by 300%. On slow computers this will
# be significant. Fast computers do not need this option. on | off
createlistcachefiles = on



# POST protection (web upload and forms)
# does not block forms without any file upload, i.e. this is just for
# blocking or limiting uploads
# measured in kibibytes after MIME encoding and header bumph
# use 0 for a complete block
# use higher (e.g. 512 = 512Kbytes) for limiting
# use -1 for no blocking
#maxuploadsize = 512
#maxuploadsize = 0
maxuploadsize = -1



# Max content filter size
# Sometimes web servers label binary files as text which can be very
# large which causes a huge drain on memory and cpu resources.
# To counter this, you can limit the size of the document to be
# filtered and get it to just pass it straight through.
# This setting also applies to content regular expression modification.
# The value must not be higher than maxcontentramcachescansize
# The size is in Kibibytes - eg 2048 = 2Mb
# use 0 to set it to maxcontentramcachescansize
maxcontentfiltersize = 256

# Max content ram cache scan size
# This is only used if you use a content scanner plugin such as AV
# This is the max size of file that DG will download and cache
# in RAM. After this limit is reached it will cache to disk
# This value must be less than or equal to maxcontentfilecachescansize.
# The size is in Kibibytes - eg 10240 = 10Mb
# use 0 to set it to maxcontentfilecachescansize
# This option may be ignored by the configured download manager.
maxcontentramcachescansize = 2000



# Max content file cache scan size
# This is only used if you use a content scanner plugin such as AV
# This is the max size file that DG will download
# so that it can be scanned or virus checked.
# This value must be greater or equal to maxcontentramcachescansize.
# The size is in Kibibytes - eg 10240 = 10Mb
maxcontentfilecachescansize = 20000



# File cache dir
# Where DG will download files to be scanned if too large for the
# RAM cache.
filecachedir = '/tmp'



# Delete file cache after user completes download
# When a file gets save to temp it stays there until it is deleted.
# You can choose to have the file deleted when the user makes a sucessful
# download. This will mean if they click on the link to download from
# the temp store a second time it will give a 404 error.
# You should configure something to delete old files in temp to stop it filling up.
# on|off (defaults to on)
deletedownloadedtempfiles = on



# Initial Trickle delay
# This is the number of seconds a browser connection is left waiting
# before first being sent *something* to keep it alive. The
# *something* depends on the download manager chosen.
# Do not choose a value too low or normal web pages will be affected.
# A value between 20 and 110 would be sensible
# This may be ignored by the configured download manager.
initialtrickledelay = 20



# Trickle delay
# This is the number of seconds a browser connection is left waiting
# before being sent more *something* to keep it alive. The
# *something* depends on the download manager chosen.
# This may be ignored by the configured download manager.
trickledelay = 10

# Fork pool options

# If on, this causes DG to write to the log file whenever child processes are
# created or destroyed (other than by crashes). This information can help in
# understanding and tuning the following parameters, but is not generally
# useful in production.
logchildprocesshandling = off

# sets the maximum number of processes to spawn to handle the incoming
# connections. Max value usually 250 depending on OS.
# On large sites you might want to try 180.
maxchildren = 120

# sets the minimum number of processes to spawn to handle the incoming connections.
# On large sites you might want to try 32.
minchildren = 8

# sets the minimum number of processes to be kept ready to handle connections.
# On large sites you might want to try 8.
minsparechildren = 4


# sets the minimum number of processes to spawn when it runs out
# On large sites you might want to try 10.
preforkchildren = 6


# sets the maximum number of processes to have doing nothing.
# When this many are spare it will cull some of them.
# On large sites you might want to try 64.
maxsparechildren = 32


# sets the maximum age of a child process before it croaks it.
# This is the number of connections they handle before exiting.
# On large sites you might want to try 10000.
maxagechildren = 500

# Sets the maximum number client IP addresses allowed to connect at once.
# Use this to set a hard limit on the number of users allowed to concurrently
# browse the web. Set to 0 for no limit, and to disable the IP cache process.
maxips = 0

# Process options
# (Change these only if you really know what you are doing).
# These options allow you to run multiple instances of DansGuardian on a single machine.
# Remember to edit the log file path above also if that is your intention.

# IPC filename
#
# Defines IPC server directory and filename used to communicate with the log process.
ipcfilename = '/tmp/.dguardianipc'

# URL list IPC filename
#
# Defines URL list IPC server directory and filename used to communicate with the URL
# cache process.
urlipcfilename = '/tmp/.dguardianurlipc'

# IP list IPC filename
#
# Defines IP list IPC server directory and filename, for communicating with the client
# IP cache process.
ipipcfilename = '/tmp/.dguardianipipc'

# Disable daemoning
# If enabled the process will not fork into the background.
# It is not usually advantageous to do this.
# on|off (defaults to off)
nodaemon = off

# Disable logging process
# on|off (defaults to off)
nologger = off

# Enable logging of "ADs" category blocks
# on|off (defaults to off)
logadblocks = off

# Enable logging of client User-Agent
# Some browsers will cause a *lot* of extra information on each line!
# on|off (defaults to off)
loguseragent = off


both the /var/log/tinyproxy/tinyproxy.log AND the /var/log/dansguardian/access.log remain empty as if never used. Despite both .conf files directing them to send messages to these locations.

Although I have not downloaded or included any blocklist to Dansguardian. I thought I should at least get Dansgaurdian and tinyproxy happy talking to each other and logging appropriately before I muddied things up further.

I am completely at a loss. Any assistance offered would be greatly appreciated

thanks,
slowlearner

SlowLearner 08-25-2011 03:43 PM

IS proxy server running ? Is it working as it should?
 
Quote:

General Troubleshooting:
FIRST Make sure of the following:

that your proxy server is running and that you can access the web through it properly.
How can I do this?

I was never able to get /var/log/tinyproxy/tinyproxy.log to generate any data.
So i #commented that line out and now tinyproxy.conf has Syslog On Verbose

my nmap 127.0.0.1 says:
Quote:

Nmap scan report for localhost (127.0.0.1)
Host is up (0.000032s latency).
Not shown: 994 closed ports
PORT STATE SERVICE
22/tcp open ssh
37/tcp open time
113/tcp open auth
3128/tcp open squid-http
6000/tcp open X11
8080/tcp open http-proxy
which i ASSUME means that my "proxy server is running"

But the last part about access the web through it properly - that i can't do.

I try different mozilla proxy settings but nothing new appears in syslog and i still can not access any www pages.

This is with dansguardian stopped and firewall up.

How can I troubleshoot the proxy server to determine why I can't get through to the web?

Quote:

## tinyproxy.conf -- tinyproxy daemon configuration file
User nobody
Group nobody
# Port: Specify the port which tinyproxy will listen on.
Port 3128
Listen 127.0.0.1
DefaultErrorFile "/usr/share/tinyproxy/default.html"
StatFile "/usr/share/tinyproxy/stats.html"
#LogFile "/var/log/tinyproxy/tinyproxy.log"
Syslog On
LogLevel Info
Allow 127.0.0.1
Allow 192.168.2.0/24
ViaProxyName "tinyproxy"
# The following two ports are used by SSL.
#
ConnectPort 443
ConnectPort 563
A sledgehammer to the monitor is feeling increasingly pleasant. Followed by the ever depressing new wintel purchase.


All times are GMT -5. The time now is 06:44 AM.