[KLUG Members] choice of i-filter/firewall/squid box

Rusty Yonkers members@kalamazoolinux.org
Fri, 2 Apr 2004 10:22:01 -0800 (PST)


I have noticed a number of people mentioning squidguard.  It will
block some sites but it works totally differently than Dansguardian. 
Squidguard is basically like doing blacklists of domains or servers. 
You have to either have the site listed in the blacklist or it has to
be a URL that has "naughty" words in the address.  

Dansguardian scans the content of each page and then makes a
determination whether it is permitted or not.  There are a number of
categories that you can filter on such as porn, hate sites, etc.  You
can also block downloads depending on extension of the file to keep
people from downloading executable programs.  There are exception
lists that you can use to also permit certain things.  You can permit
or block on URL, keywords in the document, sites, regular
expressions, etc.  

The only negative is that if you are using transparent proxy then you
cannot have the user authenticate into squid.  That functionality is
broken when you chain the two together.  If you do not use
transparent proxy I believe that you can still use authentication
into the proxy.  It will still log IP addresses though so if you only
have a few workstations and use static addressing (or reservations in
DHCP - same basic thing) then you would be able to build a table
relating address to a name if you wanted to post a surfing history of
all the users.  

In a business I would run a separate box for the firewall from the
proxy/filtering box.  For a firewall into a classroom where there is
not sensitive information and if you have a problem you can just
"reghost" the workstations (assuming you use something like that)
then I would (and do here) have the firewall and proxy/filter on the
same box.  In a certain sense proxy is a firewall.  

Actually if all you need to allow is web traffic then you can use
iptables to pretty much lock the computer up tight as a drum except
for letting squid talk to the Internet and nothing else and then the
users can only talk with the proxy box (dansguardian which then
chains through squid).  I would also allow ssh on the internal
interface so that I can manage the box from inside since I would want
to lock the firewall in a closet and not even put a monitor on the
box (making it harder for a person to get access - it is pretty
obvious when a person is walking a monitor down to the server/wiring
closet!!!!).  I would also not install a floppy on the computer and
after setup is done I would remove the cd-rom drive (you will want a
hard drive in the system for squid to use for the caching).  You
could even limit ssh to only be allowed from your workstation into
the proxy box.  

I would challenge anyone to break that setup.  FTP would not work but
I think that is a good thing for most schools.  And you can shut down
ActiveX through Dansguardian.  Messenger programs are a little bit
harder since they will work with port 80.  I am not sure about Kazaa
if that can use port 80 or not but have not had to block it or work
with it either.  

Hmmmmm I sense a fun challenge like a geek olympics where people
set up boxes or situations and then challenge others to try to break
them to see how we all do.... interesting concept.  ;-)



=====
Russell C. Yonkers Jr. 
CNE, MCP, A+, CCNA, Linux+, Server+, Network+ certified
-----------------------------------------
Currently using SuSE 9, Mac OS X, Windows 2000, and WinXP 
And yes I run a network at home with Linux and Windows servers
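The "locked up tight as a drum" iptables layout described in the post, written out as an added example (not the author's own script). It assumes eth0 faces the Internet, eth1 faces a 192.168.1.0/24 classroom LAN, DansGuardian listens on 8080 and chains to Squid on 127.0.0.1:3128, and ssh is allowed only from an admin workstation at 192.168.1.10; all of those values are assumptions and can be overridden through the environment.

```shell
#!/bin/sh
# Constructed topology for this example; adjust via environment variables.
EXT_IF=${EXT_IF:-eth0}            # interface toward the Internet
INT_IF=${INT_IF:-eth1}            # interface toward the classroom LAN
LAN=${LAN:-192.168.1.0/24}        # workstation subnet
ADMIN=${ADMIN:-192.168.1.10}      # the one workstation allowed to ssh in
DG_PORT=${DG_PORT:-8080}          # DansGuardian listening port

# Print an iptables-restore ruleset for the combined firewall/proxy box.
# Default policy is DROP on every chain; FORWARD is never opened, so
# workstations cannot route around the proxy and FTP simply does not work.
proxy_box_rules() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback: DansGuardian talks to Squid on 127.0.0.1:3128
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# replies to connections the box itself opened
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# LAN clients may reach only the DansGuardian port on the inside interface
-A INPUT -i $INT_IF -s $LAN -p tcp --dport $DG_PORT -m state --state NEW -j ACCEPT
# ssh only from the admin workstation, only on the inside interface
-A INPUT -i $INT_IF -s $ADMIN -p tcp --dport 22 -m state --state NEW -j ACCEPT
# Squid fetches pages: outbound HTTP/HTTPS on the external interface only
-A OUTPUT -o $EXT_IF -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
# DNS lookups for Squid
-A OUTPUT -o $EXT_IF -p udp --dport 53 -j ACCEPT
-A OUTPUT -o $EXT_IF -p tcp --dport 53 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Load the rules (as root):  proxy_box_rules | iptables-restore
```

Review the generated text with `proxy_box_rules` before loading it; nothing is applied until it is piped into iptables-restore.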
