Friday, May 15, 2009
Filtering with DansGuardian and Squid
Recently I took my server and changed its functions.
Previously, all it did was handle Web Serving and Email.
Now, well, it does a whole lot more.
Web Serving, Email, Filtering, Proxy, Routing, DNS, DHCP, and a few other things that I really don't understand so well.
Because I mixed all these functions together, some things started to not function. DansGuardian was working, but not communicating with Squid. Squid was working, but you could bypass the proxy altogether. I had DG set for Filter Groups, but we couldn't get it to accept anyone.
I really want to outline the whole details, and at some point I just might, but for now, I will simply outline the solution...
My network at home is secure. There is no real chance of getting hacked from the inside, so I used Ident for the auth service. You need to install gidentd on all the machines on the network, but that isn't a problem.
I had to change the settings between DG and Squid. DG had to be located on "localhost", not on "127.0.0.1" or "192.168.xxx.xxx", but DG has to listen on the internal interface "192.168.xxx.xxx".
Squid has to look for DG on "localhost", not on "127.0.0.1" or "192.168.xxx.xxx". And Squid communicates on the external interface "xxx.xxx.xxx.xxx"...
This solved that problem, but then, I could still "direct connect to the internet".
This was solved by blocking port 80 on the internal interface. So, now you use 8080, or nothing.
I know this was quick, but I hope it helps.
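One way to check the port 80 block described above, as an added example that is not from the original post: it reads `iptables-save` output and reports whether a LAN client can still be forwarded to port 80 directly. The use of iptables, the interface names eth1/eth0 and both rule sets are constructed assumptions, and the matcher is simplified (filter table only; `-i`, `-p`, `--dport` and `-j`; no negation, port ranges or user chains).

```python
import shlex

# Constructed `iptables-save` samples. Assumed names: eth1 = internal LAN, eth0 = external.
BYPASSABLE = """*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT -i eth1 -p tcp -m tcp --dport 8080 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
COMMIT
"""
LOCKED_DOWN = BYPASSABLE.replace(
    "-A FORWARD -i eth1 -o eth0",
    "-A FORWARD -i eth1 -p tcp -m tcp --dport 80 -j REJECT --reject-with tcp-reset\n"
    "-A FORWARD -i eth1 -o eth0", 1)

def parse(ruleset):
    """Return (policies, rules) of the filter table; rules keep their order."""
    policies, rules, table = {}, [], None
    for line in ruleset.splitlines():
        if line.startswith("*"):
            table = line[1:].strip()
        elif table != "filter":
            continue
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A "):
            tok = shlex.split(line)
            opts = {tok[i]: tok[i + 1] for i in range(2, len(tok) - 1)
                    if tok[i].startswith("-")}
            rules.append((tok[1], opts))
    return policies, rules

def verdict(ruleset, chain, iface, proto, dport):
    """First terminating target the packet hits, else the chain policy."""
    policies, rules = parse(ruleset)
    for ch, o in rules:
        matches = (ch == chain and o.get("-i", iface) == iface
                   and o.get("-p", proto) == proto
                   and o.get("--dport", str(dport)) == str(dport))
        if matches and o.get("-j") in ("ACCEPT", "DROP", "REJECT"):
            return o["-j"]
    return policies.get(chain, "ACCEPT")

def proxy_bypass_possible(ruleset, internal="eth1"):
    """True if a LAN client can still reach port 80 without going through 8080."""
    return verdict(ruleset, "FORWARD", internal, "tcp", 80) == "ACCEPT"
```

Rule order matters: the port 80 block only works if it appears before the general forward ACCEPT for the internal interface, which is why the check walks the chain in order.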