LinuxQuestions.org


mattp 12-28-2005 04:08 PM

Trying to get a quick n dirty Dans Guardian/Squid install for client
 
I am trying to get a quick and dirty setup of Dans Guardian/Squid for content filtering for a client of mine. I am running Slack 10.2. I installed Dans Guardian 2.8 from source and Squid from package (tgz - slackware binary). The proxy server cannot be the default gateway (the default g/w must remain the way it is).

I tried using the steps outlined in this article:
http://software.newsforge.com/softwa.../1521209.shtml

but a lot of the steps don't apply for what I am trying to do. I also get a lot of errors with permissions.

I am trying to get Dans Guardian's content filtering to work with Squid the quickest way possible for demonstration purposes. Can anyone provide advice?

win32sux 12-29-2005 04:02 PM

basically you just need the gateway to forward any upstream tcp port 80 packets to the proxy (squid/dansguardian)... you do that with iptables on the gateway... as for the proxy, just have dansguardian listening on port 8080 on the LAN interface, and squid listening locally on port 3128... dansguardian takes very little configuration, and with squid it's just a matter of setting the proper ACLs and a few other options... sounds like your permissions issues could be ACL issues (could you be more specific?)... maybe post your squid.conf (without the commented lines)...
Code:

cat /etc/squid/squid.conf | grep -v ^# | grep -v ^$

mattp 01-03-2006 02:56 PM

Thanks for the help. I set up a slack box at home and am playing with it before I get back to the client. Right now I have squid configured to not cache and accept all connections from the local network. Now I need to get Dans Guardian up and running. The errors were due to me following that tutorial I mentioned too closely. That article had dans and squid running on a 1 machine home PC setup and would only allow connections from the loopback address. I was trying to throw the setup together in the heat of battle and didn't pay attention to the commands the article was asking me to execute.

mattp 01-03-2006 03:36 PM

Okay, I have squid and dans guardian running. I started Dans Guardian. Now, EVERYTHING is blocked. Disney.com, google.com etc. How can I pull back the reins of Dans Guardian? I looked thru the docs and everything says that while Dans Guardian should be prudent, it shouldn't block everything. What's going on?

mattp 01-03-2006 03:41 PM

Okay, more info. Squid was giving me the access denied page, not dans guardian. I had the port set to 8080 for the proxy. If I set the port back to 3128, everything is allowed.

I looked at the Dans Guardian logs and I see all the sites I went to including some sites that should be blocked but weren't.

What am I missing?

win32sux 01-03-2006 05:12 PM

okay, let's try and take it one step at a time... you can confirm that you have squid properly functioning if you use it on its own?? please post the squid.conf with the above command either way...

now about dansguardian... you are saying it's blocking ALL the sites, right?? please post some of the logfile entries to see what they look like... also, post your two main dansguardian configuration files please... that would be dansguardian.conf and dansguardianf1.conf i think... i recommend you use the same greps from above on them so that you don't fill your post with commented lines...

also, let's have a look at the iptables rules on the gateway and on the proxy itself please...
Code:

iptables -L
Code:

iptables -t nat -L

mattp 01-03-2006 06:01 PM

Sorry for my confusing replies. Here is the current situation:
Dans Guardian is not blocking anything. I see the sites I have visited on one of the PCs in the network in the DansGuardian access log, but even sites that should be blocked aren't being blocked. The PCs don't have the default gateway as the proxy. Proxy settings being controlled thru the browser.

When I thought everything was being blocked, I had the port setting on my browser set to 8080 not 3128. It was Squid saying access denied, not Dans Guardian.

Here are the config files:

squid.conf:

hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl all src 0.0.0.0/0.0.0.0
no_cache deny all
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl our_networks src 192.168.111.0/24 192.168.2.0/24
http_access allow our_networks
http_access deny all
http_reply_access allow all
icp_access allow all
coredump_dir /var/lib/squid/cache

dansguardian.conf

reportinglevel = 3
languagedir = '/etc/dansguardian/languages'
language = 'ukenglish'
loglevel = 2
logexceptionhits = on
logfileformat = 1
filterip =
filterport = 8080
proxyip = 127.0.0.1
proxyport = 3128
nonstandarddelimiter = on
usecustombannedimage = 1
custombannedimagefile = '/etc/dansguardian/transparent1x1.gif'
filtergroups = 1
filtergroupslist = '/etc/dansguardian/filtergroupslist'
bannediplist = '/etc/dansguardian/bannediplist'
exceptioniplist = '/etc/dansguardian/exceptioniplist'
banneduserlist = '/etc/dansguardian/banneduserlist'
exceptionuserlist = '/etc/dansguardian/exceptionuserlist'
showweightedfound = on
weightedphrasemode = 2
urlcachenumber = 1000
urlcacheage = 900
phrasefiltermode = 2
preservecase = 0
hexdecodecontent = 0
forcequicksearch = 0
reverseaddresslookups = off
reverseclientiplookups = off
createlistcachefiles = on
maxuploadsize = -1
maxcontentfiltersize = 256
usernameidmethodproxyauth = on
usernameidmethodntlm = off # **NOT IMPLEMENTED**
usernameidmethodident = off
preemptivebanning = on
forwardedfor = off
usexforwardedfor = off
logconnectionhandlingerrors = on
maxchildren = 120
minchildren = 8
minsparechildren = 4
preforkchildren = 6
maxsparechildren = 32
maxagechildren = 500
ipcfilename = '/tmp/.dguardianipc'
urlipcfilename = '/tmp/.dguardianurlipc'
nodaemon = off
nologger = off
softrestart = off

dansguardianf1.conf

bannedphraselist = '/etc/dansguardian/bannedphraselist'
weightedphraselist = '/etc/dansguardian/weightedphraselist'
exceptionphraselist = '/etc/dansguardian/exceptionphraselist'
bannedsitelist = '/etc/dansguardian/bannedsitelist'
greysitelist = '/etc/dansguardian/greysitelist'
exceptionsitelist = '/etc/dansguardian/exceptionsitelist'
bannedurllist = '/etc/dansguardian/bannedurllist'
greyurllist = '/etc/dansguardian/greyurllist'
exceptionurllist = '/etc/dansguardian/exceptionurllist'
bannedregexpurllist = '/etc/dansguardian/bannedregexpurllist'
bannedextensionlist = '/etc/dansguardian/bannedextensionlist'
bannedmimetypelist = '/etc/dansguardian/bannedmimetypelist'
picsfile = '/etc/dansguardian/pics'
contentregexplist = '/etc/dansguardian/contentregexplist'
naughtynesslimit = 50
bypass = 0
bypasskey = ''
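
Squid applies its http_access rules top to bottom and the first matching rule decides. The added sketch below (not code from the thread) models only the src, port, method and proto ACLs of the squid.conf posted above and evaluates two constructed requests: one arriving from 127.0.0.1, as DansGuardian's forwarded requests do with proxyip = 127.0.0.1, and one from a LAN browser pointed straight at port 3128. LOCAL_ONLY is an assumed alternative rule set for comparison, not something posted in the thread.

```python
import ipaddress
# ACLs from the posted squid.conf (QUERY omitted: only no_cache uses it).
ACLS = {
    "all": ("src", ["0.0.0.0/0"]),
    "localhost": ("src", ["127.0.0.1/32"]),
    "our_networks": ("src", ["192.168.111.0/24", "192.168.2.0/24"]),
    "manager": ("proto", ["cache_object"]),
    "CONNECT": ("method", ["CONNECT"]),
    "SSL_ports": ("port", [(443, 443), (563, 563)]),
    "Safe_ports": ("port", [(80, 80), (21, 21), (443, 443), (563, 563), (70, 70), (210, 210),
                            (1025, 65535), (280, 280), (488, 488), (591, 591), (777, 777)]),
}

POSTED = """\
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow our_networks
http_access deny all"""
# Assumed alternative (not from the thread): only the local filter may use Squid.
LOCAL_ONLY = POSTED.replace("allow our_networks", "allow localhost")

def acl_matches(name, req):
    kind, values = ACLS[name]
    if kind == "src":
        ip = ipaddress.ip_address(req["src"])
        return any(ip in ipaddress.ip_network(net) for net in values)
    if kind == "port":  # destination port of the requested URL, not the proxy port
        return any(lo <= req["port"] <= hi for lo, hi in values)
    return req[kind] in values  # method / proto

def http_access(rules, req):
    """Return (action, rule) for the first rule whose ACLs all match (ACLs on a line are ANDed)."""
    for line in rules.splitlines():
        _, action, *names = line.split()
        if all(acl_matches(n.lstrip("!"), req) != n.startswith("!") for n in names):
            return action, line
    return "deny", None  # not reached here: "deny all" always matches

def request(src, port=80, method="GET", proto="http"):
    return {"src": src, "port": port, "method": method, "proto": proto}

# Constructed requests: forwarded by DansGuardian (loopback) vs. browser set to 3128.
VIA_DANSGUARDIAN = request("127.0.0.1")
DIRECT_FROM_LAN = request("192.168.111.2")
if __name__ == "__main__":
    for name, rules in (("posted", POSTED), ("local-only", LOCAL_ONLY)):
        print(name, http_access(rules, VIA_DANSGUARDIAN), http_access(rules, DIRECT_FROM_LAN))
```

Binding Squid to the loopback address (`http_port 127.0.0.1:3128`) closes the direct path at the socket level as well, so clients can only reach it through the filter on 8080.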

win32sux 01-03-2006 07:32 PM

hmmm... weird... well, let's have a look at what the dansguardian logfile entries look like when you go to a site that should be blocked...

i think the reason good sites are being logged is because of this:
Quote:

loglevel = 2

i can't, however, seem to determine why the content filtering wouldn't be working properly through your dansguardian... are you sure you've tried with the, ummm, proper websites??

mattp 01-03-2006 08:40 PM

Here is the log. Obviously one of the sites listed should be blocked. Nothing is being blocked at all.


INSERT A NAUGHTY URL HERE
2006.1.5 15:15:53 - 192.168.111.2 http://google.com GET 1054
2006.1.5 15:15:53 - 192.168.111.2 http://google.com/favicon.ico GET 1076
2006.1.5 15:19:02 - 192.168.111.2 http://yahoo.com GET 1052
2006.1.5 15:19:02 - 192.168.111.2 http://yahoo.com/favicon.ico GET 1074
2006.1.5 15:19:12 - 192.168.111.2 http://aol.com GET 1048
2006.1.5 15:19:12 - 192.168.111.2 http://aol.com/favicon.ico GET 1070
2006.1.5 15:37:29 - 192.168.111.2 http://google.com GET 1054
2006.1.5 15:37:29 - 192.168.111.2 http://google.com/favicon.ico GET 1076
2006.1.5 15:37:34 - 192.168.111.2 http://disney.com GET 1054
2006.1.5 15:37:34 - 192.168.111.2 http://disney.com/favicon.ico GET 1076
2006.1.5 15:37:42 - 192.168.111.2 http://ehg-comcast.hitbox.com/HG?hc=&hb=DM5409 24GGEM&cd=1&hv=6&n=/INDEX&con=&vcon=/&tt=none&ja=y&dt=15&zo=360&lm=1123152934000 &bn=Netscape&ce=y&ss=1600*1200&sc=32&sv=13&cy=u&hp=u&ln=en-US&vpc=HBX0100u&vjs=H BX0141.01u&hec=0&pec=&cmp=&gp=&dcmp=&dcmpe=&dcmpre=&cp=null&fnl=&seg=&epg=&cv=&g n=&ld=&la=&c1=&c2=&c3=&c4=&customerid=&lv.id=&lv.pos=&ttt=lid,lpos&ra=&rf=http%3 A//comcast.net/&pl=QuickTime%20Plug-in%207.0.3%3AQuickTime%20Plug-in%207.0.3%3AQ uickTime%20Plug-in%207.0.3%3AQuickTime%20Plug-in%207.0.3%3AQuickTime%20Plug-in%2 07.0.3%3AQuickTime%20Plug-in%207.0.3%3AQuickTime%20Plug-in%207.0.3%3AAdobe%20Acr obat%3AShockwave%20Flash%3AMozilla%20Default%20Plug-in%3AShockwave%20for%20Direc tor%3AJava%28TM%29%202%20Platform%20Standard%20Edition%205.0%20Update%206%3AJava %28TM%29%202%20Platform%20Standard%20Edition%205.0%20Update%206%3AJava%28TM%29%2 02%20Platform%20Standard%20Edition%205.0%20Update%206%3AJava%28TM%29%202%20Platf orm%20Standard%20Edition%205.0%20Update%206%3AJava%28TM%29%202%20Platform%20Stan dard%20Edition%205.0%20Update%206%3AJava%28TM%29%202%20Platform%20Standard%20Edi tion%205.0%20Update%206%3AJava%28TM%29%202%20Platform%20Standard%20Edition%205.0 %20Update%206%3AMicrosoft%AE%20DRM%3AWindows%20Media%20Player%20Plug-in%20Dynami c%20Link%20Library%3AMicrosoft%AE%20DRM%3A&hid=0.43603107889753 GET 1084
2006.1.5 15:37:42 - 192.168.111.2 http://www.comcast.net/home.html GET 1082
2006.1.5 15:37:42 - 192.168.111.2 http://www.comcast.net/favicon.ico GET 1086
2006.1.5 15:38:34 - 192.168.111.2 http://www.linuxquestions.org/questions/search.php?searchid=85594 GET 1120
2006.1.5 15:39:12 - 192.168.111.2 http://www.linuxquestions.org/questions/newreply.php POST 1122
2006.1.5 15:39:17 - 192.168.111.2 http://www.linuxquestions.org/questions/newreply.php POST 1122

win32sux 01-03-2006 09:19 PM

you don't have any of these client IPs in your /etc/dansguardian/exceptioniplist file, right?? just making sure... i'm still trying to figure this out...

PS: you can go ahead and remove the two xxx links from the post above (to avoid any conflict with the LQ rules), as it's clear that they appear in the logs just as the non-xxx ones...

mattp 01-03-2006 09:22 PM

Actually, I haven't touched any of the Dans Guardian config files at all. Thank you for your help, it is much appreciated!! I promised a low cost web filtering solution to my client and I am trying desperately to deliver.

win32sux 01-03-2006 09:29 PM

what ownership does your dansguardian binary have??
Code:

ls -l /usr/sbin/dansguardian

also, what does the ownership for the configs look like??
Code:

ls -l /etc/ | grep dansguardian
Code:

ls -l /etc/dansguardian/

PS: please see the PS on my previous post...

mattp 01-03-2006 09:36 PM

root:root owns it. All the squid/dans guardian stuff is installed and run as root. I know there should be a separate user running this stuff for security purposes but this will not be a production server, just a demo.

win32sux 01-03-2006 09:49 PM

the binary should be owned by root:bin, not root:root... change that, re-start dansguardian, and see if it helps...
Code:

chown root:bin /usr/sbin/dansguardian

also, even if it's a demo, you should try and run it as it's designed to be run (a non-root user), so as to avoid any weird issues... by default it will run as user "nobody"... but personally, i always add group "dansguardian" and user "dansguardian" (no login shell) to my system and then configure dansguardian to run as that user and group in the dansguardian.conf file, with these options which are near the bottom of the file and would need to be uncommented:
Code:

daemonuser = 'dansguardian'
daemongroup = 'dansguardian'

to add the user account do something like:
Code:

groupadd dansguardian
useradd -g dansguardian -d /dev/null -s /bin/false dansguardian

mattp 01-03-2006 10:00 PM

Will that conflict with anything in my squid configuration?

