Jim Barrett on 4 May 2017 14:09:42 -0700



Re: [PLUG] Network Content Filtering


You could use a transparent proxy with squid, and dansguardian. This would require a server with 2 NIC cards. If you're already using a Linux box as a router, then the transparent proxy could be integrated into it.

Force all DNS traffic to a local DNS server (easy to do if all your boxes are configured through DHCP), and deny outbound DNS traffic from the inside LAN (but allow the local DNS server to talk to outside). Create persistent local DNS records to point all known pornography site hostnames to localhost, or to a local server, maybe with a splash page that says something like "no"... I don't know of any "NSFW-site" lists out there but I'd be shocked if there wasn't a relatively inclusive list available somewhere online. This would prevent most "smut-only" sites from coming up, but then there's reddit, imgur, and other sites that have NSFW content as well as regular SFW content. For that you'd need to implement the MITM that Bill mentioned.

As a side note, there was a "Mike's Ad-blocking hosts file" that I've used in the past, and it did a *very* good job of blocking about 95% of ads on just about every site I visited. Here's something similar: http://someonewhocares.org/hosts/ ... It could easily be converted into a DNS zone file, using a Perl script called h2n, https://github.com/tbrowder/h2n

--
Jim Barrett
Galloway, NJ
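
The hosts-file-to-local-DNS conversion described in the message above, as an added example that is not part of the original post and is not h2n. It assumes dnsmasq is the local resolver (the post names no DNS server); the function names and the sample input are constructed for illustration.

```python
import re

# Addresses a blocking hosts file uses as its sink.
SINK_ADDRS = {"0.0.0.0", "127.0.0.1", "::", "::1"}
# Names that must keep resolving normally on every machine.
KEEP = {"localhost", "localhost.localdomain", "local", "broadcasthost",
        "ip6-localhost", "ip6-loopback"}
# One DNS label: letters, digits, hyphen (underscore tolerated), no edge hyphen.
LABEL = re.compile(r"^(?!-)[a-z0-9_-]{1,63}(?<!-)$")


def valid_hostname(name):
    """True for a syntactically valid, multi-label DNS name."""
    if len(name) > 253 or "." not in name:
        return False
    return all(LABEL.match(label) for label in name.split("."))


def blocked_names(hosts_text):
    """Return the sorted, de-duplicated hostnames a hosts file sinks."""
    names = set()
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2 or fields[0] not in SINK_ADDRS:
            continue                              # blank line or a real address mapping
        for name in fields[1:]:
            name = name.lower().rstrip(".")
            if name not in KEEP and valid_hostname(name):
                names.add(name)
    return sorted(names)


def dnsmasq_config(hosts_text, sink="127.0.0.1"):
    """Render dnsmasq address= lines (each covers the name and its subdomains)."""
    return "\n".join(f"address=/{n}/{sink}" for n in blocked_names(hosts_text))


# Constructed sample in hosts-file format (not taken from any real list).
SAMPLE = """\
127.0.0.1   localhost
127.0.0.1   ads.example.com  tracker.example.net   # two names, one line
0.0.0.0     ADS.example.com.
192.168.1.5 fileserver.lan
0.0.0.0     bad_host!.example.org
"""

if __name__ == "__main__":
    print(dnsmasq_config(SAMPLE))
```

Passing the address of a local web server as `sink` gives the splash-page variant mentioned in the message instead of a localhost dead end.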


On Thu, May 4, 2017 at 3:57 PM, Bill East <wm.east@gmail.com> wrote:
To me, something like OpenDNS is a good baseline. It doesn't stop people determined to download the bad stuff but it takes care of the first 90% of the problem at a low cost. 

Transparent proxies are common now but keep in mind that without a client install you'll almost have to implement SSL MITM so that you can filter HTTPS. 

On May 4, 2017 3:32 PM, "Casey Bralla" <MailList@nerdworld.org> wrote:
I've got to set up a simple content filtering system for a SOHO network, and
could use some basic advice.   I'm exclusively worried about adult content,
but would appreciate any additional protections from malware, etc.

All my clients run Linux workstations.

I assume I'll use a proxy server and something associated with squid, but
won't this mean I'll have to reset everyone's web browser to use the proxy?
Is there a (relatively simple) way to insert a proxy without having to
individually adjust each client?

Any other way to add content filtering?

I welcome suggestions, links to tutorials, etc.

TIA!
--

Casey Bralla
Chief Nerd in Residence
The NerdWorld Organisation
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug