[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [K12OSN] squidguard question using K12LTSP3.0.0



Eric:

Thanks for your help!  You straightened it out for me!

----- Original Message -----
From: "Eric Harrison" <eharrison mail mesd k12 or us>
To: <k12osn redhat com>
Sent: Wednesday, January 29, 2003 8:32 PM
Subject: Re: [K12OSN] squidguard question using K12LTSP3.0.0


> On Wed, 29 Jan 2003, Richard Ingalls wrote:
>
> >OK.  Can someone walk me through a successful install process for
> >squidguard?  What did you install / configure first?  Next?  Etc...
Until
> >you had a properly configured LTSP server?
> >
> >I want my LTSP 3.0.0 box to serve 9 "thin" clients.  They need "filtered"
> >internet access (via squid and squidguard) and OpenOffice.  I want a
> >firewall on the LTSP machine.  And I'd like to have a laser printer
attached
> >to it.  That's all I want.
> >
> >I can handle the standard RH8 install - it's a cinch.  I only have to
change
> >my eth1 interface to a static IP address; list my gateway and DNS
servers.
> >Easy, clean install.  No problems, yet.
> >
> >However, what should I do next, to achieve my goals?  Do I go to
"packages"
> >and then tell it I want the "web server" options (I noticed that squid
and
> >squidguard are both here - why aren't they a part of the standard LTSP
> >install?)  OR, do I mount the cdrom (disc 2 of K12LTSP 3.0.0) and double
> >click on squidguard's RPM (and hope that the package manager will
correctly
> >install squid, too)?
>
> >From the menu select System Settings -> Packages
>
> That will bring up a "Add or Remove Packages" program that is the
functional
> equivilent of the "package selection" section of the installer.  You can
> click on the "Details" link to the right of the Web Server option and
> select just squidGuard if you don't want the rest of the web packages.
>
> >Once that's done, then just add the "redirect" line to the squid.conf
file
> >right?
>
> To enable squidGuard with the default settings, that's correct.
>
> >Then, restart squid.  And, ba-da-bing!  Right?  Then, tell my browser to
use
> >the proxy on the LTSP box (192.168.0.254, port 3128).  And all should be
> >blocking, eh?
>
> If you want *all* blocked, just firewall off port 80! <just joking!>
>
> >If I want transparent proxy-ing, just add a few more lines to the
squid.conf
> >and an iptables PREROUTING command to my system initialization file,
right?
>
> If you want to do transparent proxying, you MUST do it on a seperate
> server.  You cannot do it on the same server that is providing terminal
> services (well, it *can* be done, but it is serious black-magic that
> requires a custom kernel to be built).
>
> >But, it's not completely correct for me!!!  It will block access to
> >"playboy.com", but not "allmp3s.com" - BOTH are in the blacklists!! Why
> >isn't this working?
>
> allmp3s.com is in the audio-video category, which is not blocked by
> default. The *available* databases are located in
/var/squidGuard/blacklists/
> but they must be specificed in the acl section of
/etc/squid/squidGuard.conf
> for them to be active. For example:
>
> acl {
>     default {
>         pass !audio-video all
>
> would only block what is in the audio-video database and permit everything
> else. If a category is not either explicitly listed (i.e. "local-ok") or
> explicitly blocked by pre-pending a '!" (i.e. "!local-block"), it is
> ignored by squidGuard.
>
> This is a feature, not a bug. It allows folks to block/unblock the
categories
> of their choice.
>
> I have some simple documentation on configuring squidGuard here:
>
> http://squidguard.mesd.k12.or.us/
>
> and the official squidGuard documentation is here:
>
> http://www.squidguard.org/config/
>
> >Can anybody just hold my hand through a correct install from scratch?
Just
> >tell me what steps to follow and I'll be your linux slave for ever (which
> >means absolutely nothing).
>
> Since you state that it will block playboy.com, it sounds like you have a
> working install.
>
> What you need help with is how to setup your network to fit your filtering
> needs. This is hardest part with any filter.
>
>
> If you want to do transparent proxying, you need to force all
internet-bound
> traffic through the proxy box. There are a number of ways to do this, the
> Squid website has detailed instructions on a number of ways to accomplish
> this:
>
> http://www.squid-cache.org/Doc/FAQ/FAQ-17.html
>
>
> Another method is to firewall off all out-bound port 80 traffic except
> from your squidGuard server. This way folks must go through the squidGuard
> server to get the web.
>
> You *can* run squidGuard on the same server that you are providing
terminal
> services, but your users can simply turn off the proxy settings to bypass
it.
> You can't firewall off out-bound port 80 connections for the terminal box
in
> this case because you'll firewall off squid itself.
>
> -Eric
>
>
>
> _______________________________________________
> K12OSN mailing list
> K12OSN redhat com
> https://listman.redhat.com/mailman/listinfo/k12osn
> For more info see <http://www.k12os.org>





[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]