[Gllug] Proxy Server

Xander D Harkness xander at harkness.co.uk
Tue Nov 12 12:37:14 UTC 2002 


Mark Lowes wrote:

>On Tue, 2002-11-12 at 10:49, Ian Baillie wrote:
>[...]
>  
>
>>My Understanding:
>>>From previous emails, I seem to recall that I should use Squid for the
>>proxy/caching server, with squid-guard to perform the filtering and
>>iptables for firewalling.
>>    
>>
>
>Yup.
>
>  
>
>>Questions:
>>Can this setup be used in conjunction with a database e.g. mySQL to lookup
>>unsuitable sites, and redirect to a admin page stating the site is barred?
>>    
>>
>
>Bastard perl scripts looking for patterns in logs then feeding into a db
>of some form from which another bastard perl script rebuilds your
>firewall on a regular basis.
>
>Of course some hostile could use this automation against you and cause
>your system to firewall the whole internet :)
>
>  
>
>>Does anyone know of a suitable ban list?
>>    
>>
>
>Google is your friend, there are also block lists for squidguard linked
>from the homepage.
>
>As for ip blocking, no, it all depends on your local policy, what I
>consider to be too aggressive in my lists might be considered wide open
>from your POV.
>
>  
>
>>Is it okay to have the proxy/caching/firewall/database/filtering all on the
>>same machine?
>>    
>>
>
>For certain values of ok, yes.
>
>  
>
>>with filtering using cyberNot.  This is a school enviorment, so the
>>filtering needs to be pretty good.
>>    
>>
>
>*sigh*
>
>Easy.
>
>Block all incoming connections, punch holes incoming for the mail
>server.
>
>Block all websites, allow trusted admins to add sites to the allow list,
>when email goes live hook in spamassassin and make sure there's a strong
>AUP for the students to abide by or lose their access.
>
>In this situation go for 'tight as a ducks arse' filtering.
>
I deal with a number of schools,some use white lists, some use black lists.

The white lists are very difficult to maintain as you will often find a 
teacher has prepared a class at home to run though a number of web sites 
she has googled for, of which none are on the white list :-)

One of the first schools I set up uses a black list (This is a private 
and very privileged school).  I use privoxy to do the filtering which as 
a nice gui to add new sites.

I also run Calamaris as a nightly script and this reports on every URL 
requested.  If there are nasty ones there I created a small script that 
the teachers can find out who requested it.  All students and staff have 
to  log in to use the internet, using the same password as their mail 
and account logins.  All traffic is forced through the web proxy.

They get the picture very quickly that they will get caught if they are 
going to sites that they should not.

I also have exim set up with a couple of basic filters to freeze mail 
with unpleasant words in.  The frozen mail is copied to a teacher and 
the teacher uses eximon to unfreeze / delete once it has been checked.

It was quite a lot of work for the first few weeks until it settled down.  

They use a W2K box to carry the accounts and the linux boxes use 
smb_auth for email and passwords.  I have not managed to get Linux to 
automatically create an account if there is an account on the w2k box. 
 This means that at the end of the year there is extra work to do.  I am 
happy though that to add and remove accounts on the Linux box takes 
about ten minutes, the W2k box is a couple of days ;-)

Have fun.

Cheers
Xander

>
>  
>


-- 
Gllug mailing list  -  Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug

More information about the GLLUG mailing list