[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [K12OSN] squidguard question using K12LTSP3.0.0



On Wed, 29 Jan 2003, Richard Ingalls wrote:

>OK.  Can someone walk me through a successful install process for
>squidguard?  What did you install / configure first?  Next?  Etc...  Until
>you had a properly configured LTSP server?
>
>I want my LTSP 3.0.0 box to serve 9 "thin" clients.  They need "filtered"
>internet access (via squid and squidguard) and OpenOffice.  I want a
>firewall on the LTSP machine.  And I'd like to have a laser printer attached
>to it.  That's all I want.
>
>I can handle the standard RH8 install - it's a cinch.  I only have to change
>my eth1 interface to a static IP address; list my gateway and DNS servers.
>Easy, clean install.  No problems, yet.
>
>However, what should I do next, to achieve my goals?  Do I go to "packages"
>and then tell it I want the "web server" options (I noticed that squid and
>squidguard are both here - why aren't they a part of the standard LTSP
>install?)  OR, do I mount the cdrom (disc 2 of K12LTSP 3.0.0) and double
>click on squidguard's RPM (and hope that the package manager will correctly
>install squid, too)?

From the menu select System Settings -> Packages

That will bring up an "Add or Remove Packages" program that is the functional
equivalent of the "package selection" section of the installer.  You can
click on the "Details" link to the right of the Web Server option and
select just squidGuard if you don't want the rest of the web packages.

>Once that's done, then just add the "redirect" line to the squid.conf file
>right?

To enable squidGuard with the default settings, that's correct.

>Then, restart squid.  And, ba-da-bing!  Right?  Then, tell my browser to use
>the proxy on the LTSP box (192.168.0.254, port 3128).  And all should be
>blocking, eh?

If you want *all* blocked, just firewall off port 80! <just joking!>

>If I want transparent proxy-ing, just add a few more lines to the squid.conf
>and an iptables PREROUTING command to my system initialization file, right?

If you want to do transparent proxying, you MUST do it on a separate
server.  You cannot do it on the same server that is providing terminal
services (well, it *can* be done, but it is serious black magic that
requires a custom kernel to be built).

>But, it's not completely correct for me!!!  It will block access to
>"playboy.com", but not "allmp3s.com" - BOTH are in the blacklists!! Why
>isn't this working?

allmp3s.com is in the audio-video category, which is not blocked by
default. The *available* databases are located in /var/squidGuard/blacklists/
but they must be specified in the acl section of /etc/squid/squidGuard.conf
for them to be active. For example:

	acl {
	    default {
	        pass !audio-video all
	    }
	}

would only block what is in the audio-video database and permit everything
else. If a category is not either explicitly listed (e.g. "local-ok") or
explicitly blocked by pre-pending a '!' (e.g. "!local-block"), it is
ignored by squidGuard.

This is a feature, not a bug. It allows folks to block/unblock the categories
of their choice.

I have some simple documentation on configuring squidGuard here:

	http://squidguard.mesd.k12.or.us/

and the official squidGuard documentation is here:

	http://www.squidguard.org/config/

>Can anybody just hold my hand through a correct install from scratch?  Just
>tell me what steps to follow and I'll be your linux slave for ever (which
>means absolutely nothing).

Since you state that it will block playboy.com, it sounds like you have a
working install.

What you need help with is how to set up your network to fit your filtering
needs. This is the hardest part with any filter.


If you want to do transparent proxying, you need to force all internet-bound
traffic through the proxy box. There are a number of ways to do this, the
Squid website has detailed instructions on a number of ways to accomplish
this:

	http://www.squid-cache.org/Doc/FAQ/FAQ-17.html


Another method is to firewall off all out-bound port 80 traffic except
from your squidGuard server. This way folks must go through the squidGuard
server to get the web. 

You *can* run squidGuard on the same server that is providing terminal
services, but your users can simply turn off the proxy settings to bypass it.
You can't firewall off out-bound port 80 connections for the terminal box in
this case because you'll firewall off squid itself.

-Eric
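The following is an added example, not code from Eric's reply or from the squidGuard project: a small Python simulation of how a squidGuard acl "pass" line is evaluated against the blacklist category directories, to show concretely why playboy.com is blocked while allmp3s.com slips through when only the porn category is named. The blacklist contents are constructed sample data (not the real MESD lists), the "pass !porn all" rule is a stand-in for whatever the shipped default is, and the evaluation order assumed (left to right, first matching category wins, "all" matches everything, and an exhausted list blocks as if it ended in "none") is taken from the squidGuard documentation rather than from this thread.

```python
"""Simulate squidGuard 'pass' evaluation over blacklist category directories."""
import os
import tempfile
import urllib.parse

# Constructed sample blacklists, one 'domains' file per category, mirroring
# the layout of /var/squidGuard/blacklists/<category>/domains.
SAMPLE_BLACKLISTS = {
    "porn": "playboy.com\n",
    "audio-video": "allmp3s.com\nnapster.com\n",
    "local-ok": "mesd.k12.or.us\n",
}


def build_demo_db(lists=SAMPLE_BLACKLISTS):
    """Write the sample lists into a fresh temp dir and return its path (the 'dbhome')."""
    dbhome = tempfile.mkdtemp(prefix="squidguard-demo-")
    for category, body in lists.items():
        os.makedirs(os.path.join(dbhome, category), exist_ok=True)
        with open(os.path.join(dbhome, category, "domains"), "w") as fh:
            fh.write(body)
    return dbhome


def load_domains(dbhome, category):
    """Read <dbhome>/<category>/domains into a set; a missing category is an empty list."""
    path = os.path.join(dbhome, category, "domains")
    if not os.path.exists(path):
        return set()
    with open(path) as fh:
        return {ln.strip().lower() for ln in fh if ln.strip() and not ln.startswith("#")}


def host_matches(host, domains):
    """A domains entry matches the host itself and every subdomain of it,
    so an entry 'playboy.com' also catches 'www.playboy.com'."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


def parse_pass_line(pass_line):
    """'pass local-ok !porn all' -> [('local-ok', True), ('porn', False), ('all', True)]"""
    tokens = pass_line.split()
    if not tokens or tokens[0] != "pass":
        raise ValueError("expected a line starting with 'pass'")
    return [(tok.lstrip("!"), not tok.startswith("!")) for tok in tokens[1:]]


def decide(url, pass_line, dbhome):
    """Return 'pass' or 'block' for url under pass_line.

    Categories that are not named in the pass line are never consulted,
    which is exactly why a domain listed in audio-video gets through a
    rule that only mentions porn."""
    host = urllib.parse.urlsplit(url).hostname or ""
    for category, allow in parse_pass_line(pass_line):
        if category == "all":            # 'all' matches every request
            return "pass" if allow else "block"
        if category == "none":           # 'none' matches nothing; '!none' acts like 'all'
            return "block" if allow else "pass"
        if host_matches(host, load_domains(dbhome, category)):
            return "pass" if allow else "block"
    return "block"  # list exhausted: squidGuard behaves as if it ended in 'none'


def walkthrough(dbhome):
    """The two rules from the thread side by side; returns {(rule, url): decision}."""
    rules = ["pass !porn all",                 # constructed 'default': blocks porn only
             "pass !porn !audio-video all"]    # also blocks the audio-video list
    urls = ["http://www.playboy.com/", "http://allmp3s.com/", "http://www.openoffice.org/"]
    return {(rule, url): decide(url, rule, dbhome) for rule in rules for url in urls}


if __name__ == "__main__":
    db = build_demo_db()
    for (rule, url), verdict in walkthrough(db).items():
        print(f"{rule:32s} {url:30s} {verdict}")
```

Run it and the first rule passes allmp3s.com while the second blocks it; the same host also stays blocked for any subdomain, and a rule that omits the trailing "all" blocks everything not explicitly passed, which is the usual surprise when people trim the pass line.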




