firewall url filter

Tim ignored_mailbox at yahoo.com.au
Thu Jan 22 13:38:28 UTC 2009


On Thu, 2009-01-22 at 09:38 +0100, roland wrote:
> The client wants to prevent users from connecting to sex sites.
>
> Can I use the fedora-box as a firewall, filtering several URLs or
> filtering several keywords?

You can do that sort of thing.  A simplistic overview of how is:

Use the firewall to block the browsers from directly connecting to any
website (i.e. all outgoing connections to port 80).  That'll stop nearly
all web browsing, other than sites on other unusual ports.  It's not a
100% catchall, but probably 99%.

Run a proxy (e.g. Squid) with rules about what can't be connected to.
You can configure it with naughty keywords, or find another package that
prepares it for you, perhaps even keeping it updated automatically.  
Since the users aren't able to directly browse the web, they're stuck
with using your controlled proxy.

Nothing's a 100% certainty, though.  Some people will find a way to
bypass restrictions, no matter what you try.  So they'd need well
defined punitive methods so they can do something else to infringers.
Some sites will still be accessible, despite your best efforts, this has
always been the case, and always will be.  Some *okay* sites will get
blocked; again, this has always been the case.  Make damn sure that
their important clients' websites don't get blocked.

You probably want to do them another favour, and learn about how to
filter crap out of their incoming mail.  And, if they're paranoid about
treachery, how to look for confidential company files being emailed out,
and block them, too.


-- 
[tim at localhost ~]$ uname -r
2.6.27.9-73.fc9.i686

Don't send private replies to my address, the mailbox is ignored.  I
read messages from the public lists.
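
The two steps described in the message above (block direct port-80 traffic at the firewall, then filter in Squid), sketched as an added example that is not part of the original post. The LAN range, interface name, and list file paths are assumptions chosen for illustration.

```conf
# squid.conf fragment (added example; all addresses and paths are constructed).
#
# Firewall side, on the same gateway box (iptables, run as root).
# eth1 is assumed to be the LAN-facing interface:
#   iptables -A FORWARD -i eth1 -p tcp --dport 80 -j REJECT
# Squid's own outbound requests leave through the OUTPUT chain, so the
# FORWARD rule stops only clients that try to bypass the proxy.

http_port 3128

# Clients allowed to use the proxy (assumed LAN range).
acl lan src 192.168.1.0/24

# Sites that must never be blocked, e.g. the company's important clients.
# One domain per line; a leading dot (".example.com") also matches subdomains.
acl client_sites dstdomain "/etc/squid/client_sites.txt"

# Known unwanted domains, same file format as above.
acl blocked_sites dstdomain "/etc/squid/blocked_sites.txt"

# Keyword patterns, one regex per line, matched case-insensitively against
# the whole URL. A bare word overblocks: "sex" also matches "essex" and
# "middlesex", which is how *okay* sites end up denied.
acl blocked_words url_regex -i "/etc/squid/blocked_words.txt"

# http_access rules are checked top to bottom and the first match wins,
# so the client allow-list goes before any deny rule.
http_access allow lan client_sites
http_access deny blocked_sites
http_access deny blocked_words
http_access allow lan
http_access deny all

# For HTTPS the proxy sees only "CONNECT host:443", so url_regex can match
# the hostname there but not the path or query string.
```

After editing, `squid -k parse` checks the file for syntax errors and `squid -k reconfigure` reloads it without a restart.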





