How to set up a kidsafe filter on Sabayon Linux
This is a legacy article which does not meet some of our quality standards. While it may contain useful information, it is retained here for legacy reasons only.
Surprisingly, a number of people still don’t know that Linux has a great parental / kidsafe web filter available free of charge. It can run on your machine or on another machine serving all your computers. It can run as an optional proxy (which requires changing a setting in the browser) or as a mandatory system that forces all traffic on your LAN or computer through it (a transparent proxy, which needs no special browser settings). Best of all, it’s quite easy to set up.
Enter Dansguardian – The kidsafe web filter
This Howto is based on Sabayon, a Gentoo-based distribution, but other than the package install, it should be easy to adapt to other systems.
Installation
Remember: In Sabayon you have 3 different methods of package installation: emerge (Gentoo method), Spritz (Sabayon GUI method) and equo (Sabayon console method). Personally, I’ve found spritz to not work altogether and haven’t yet gotten equo running so this howto is based on emerge. The important thing is that no matter which method you use, don’t mix a Sabayon method with the Gentoo method; stick to whatever you’ve already been doing or it will stuff up the package database.
You basically need two packages, squid and Dansguardian. In Sabayon you can just sync up your repositories via emerge --sync, then install them via emerge squid and emerge dansguardian. If you have another distro it will be in its package manager (such as YaST for openSuSE) for sure. Source code can be obtained from http://dansguardian.org/?page=download2
Configuration – Squid
Edit the squid.conf file with your favourite editor
# vi /etc/squid/squid.conf
In the gentoo/sabayon version of squid that came down from emerge I got some sensible defaults, however if you’re feeling picky or it’s different for you, remove the three lines that say:
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
and add a line that says:
acl localnet src 192.168.1.0/24
Remember to substitute your own local network address range for 192.168.1.0/24 above, keeping the 0 on the end.
Search for the visible_hostname Tag and add a line underneath #none so that it looks like this:
#Default:
# none
visible_hostname localhost
Save your squid.conf file and start squid as root
# /etc/init.d/squid start
squid                  | * Initializing cache directories …           [ ok ]
squid                  | * Starting squid …                           [ ok ]
For some reason, on the latest version of Sabayon I had to install libwww to get squid to start. So if you get an error like this, “usr/sbin/squid: error while loading shared libraries: libmd5.so.0: cannot open shared object file: No such file or directory” then run # equo install libwww.
Configuration – Dansguardian
Configuration is done in the file /etc/dansguardian/dansguardian.conf
In Sabayon/Gentoo, no configuration is needed, just start the service as root
** Update 5-11-09**
In latest version of Sabayon I had to edit the line that reads “originalip = on” and change it to off to get it to work. You probably will too as this is currently a feature that is not fully tested but enabled by default by the Gentoo/Sabayon devs.
** End of Update**
If you want you can edit the file so that your domain name shows up in the page:
- vi /etc/dansguardian/dansguardian.conf
Change accessdenied webpage from YOURSERVER.YOURSITE to IPADDRESS and save the file
# /etc/init.d/dansguardian start
dansguardian           | * Starting DansGuardian …                    [ ok ]
If you want to add log rotation add the following:
Edit the crontab file
- vi /etc/crontab
- add the line below, which adds a command to rotate the logs into the task schedule:
59 23 * * sun /etc/dansguardian/logrotation
Making Squid and Dansguardian start automatically at boot time
You will no doubt want it all to start automatically each time the computer/server is started or restarted. To do this, run the following:
# rc-update add squid default
* squid added to runlevel default
# rc-update add dansguardian default
* dansguardian added to runlevel default
The Browser
Don’t forget to set in your browser:
Proxy server = your IP address, port 8080
Use this proxy server for all protocols if you like.
Now test it by going to a website like www.playboy.com. If it’s working, you should be presented with a Dansguardian Access Denied web page.
Preventing children (and others) from Disabling the Kidsafe Web Filter
The restrictions created by a content-filtering proxy can be easily circumvented by simply not using the proxy. Assuming that the users so restricted do not have administrative access, this can be prevented as follows:
Edit /usr/lib/firefox/firefox.cfg and add the following entries:
// The first line of an autoconfig file is ignored, so keep it a comment.
lockPref("network.proxy.http","127.0.0.1");
lockPref("network.proxy.http_port",8080);
lockPref("network.proxy.type",1);
lockPref("network.proxy.no_proxies_on","localhost,127.0.0.1");
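One way to confirm that the file really locks all four proxy preferences is a small shell check. This is an added example, not part of the original article: the function names has_lock and audit_firefox_cfg and both sample files are constructed for illustration, and the expected values (127.0.0.1, port 8080, type 1) are taken from the entries above.

```shell
# Added example: confirm a Firefox autoconfig file locks the proxy prefs to
# the filter. Values assumed from this page: 127.0.0.1, port 8080, type 1.

# has_lock FILE PREF VALUE: succeeds if FILE holds a well-formed
# lockPref("PREF",VALUE); line. Spaces and tabs are stripped before matching.
has_lock() {
    tr -d ' \t' < "$1" | grep -Fxq "lockPref(\"$2\",$3);"
}

# audit_firefox_cfg FILE: report each proxy pref that is not locked to the
# expected value; the return status is the number of such prefs (0 = all locked).
audit_firefox_cfg() {
    cfg=$1
    missing=0
    while IFS='|' read -r pref value; do
        if ! has_lock "$cfg" "$pref" "$value"; then
            echo "NOT LOCKED: $pref (expected $value)"
            missing=$((missing + 1))
        fi
    done <<'EOF'
network.proxy.http|"127.0.0.1"
network.proxy.http_port|8080
network.proxy.type|1
network.proxy.no_proxies_on|"localhost,127.0.0.1"
EOF
    return "$missing"
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
# Constructed sample: all four prefs locked, written with extra spaces.
cat > "$tmp/good.cfg" <<'EOF'
// first line of an autoconfig file is ignored
lockPref("network.proxy.http", "127.0.0.1");
lockPref("network.proxy.http_port", 8080);
lockPref("network.proxy.type", 1);
lockPref("network.proxy.no_proxies_on", "localhost,127.0.0.1");
EOF
# Constructed sample: port set with pref() instead of lockPref(), an unbalanced
# quote on the type line, and no no_proxies_on entry at all.
cat > "$tmp/bad.cfg" <<'EOF'
// first line of an autoconfig file is ignored
lockPref("network.proxy.http", "127.0.0.1");
pref("network.proxy.http_port", 8080);
lockPref("network.proxy.type,1);
EOF
audit_firefox_cfg "$tmp/good.cfg" && echo "good.cfg: proxy fully locked"
audit_firefox_cfg "$tmp/bad.cfg" || echo "bad.cfg: $? proxy pref(s) not locked"
```

Run audit_firefox_cfg against /usr/lib/firefox/firefox.cfg after editing it; a non-zero status means at least one proxy preference is not locked to the filter.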
Sources
http://slack-tux.org/howto/setup-content-filtering-with-dansguardian/
Nice to see my HOWTO adapted to another distribution. Glad it could be helpful!
I notice the source links at the bottom aren’t clickable. Would you be able to update those? Copy-and-paste links are so 1999. ;p
Did you run into any snags with the build on Sabayon? On Debian, I had to tweak some of the path information before it would compile properly. Haven’t tried it on Gentoo myself.
Heh, sometimes the simple things are overlooked, let me fix that 🙂 No snags at all found, maybe I was lucky. Generally I’ve found gentoo compiling to be quite straightforward mostly, considering that is the lifeblood of the distro I suppose it’s fairly important to get that bit right 🙂 I used to run it on OpenSuSE and that was much harder to set up. Sabayon really does get the painful Gentoo stuff out of the way for you.
Thanks!
Might also want to revise the firefox.cfg bit to align with the bit under “The Browser”. One suggests “your IP address”, the other sets it to localhost. Not wrong, but made me do a quick re-read.
Actually, you could probably drop the section on setting the browser, since those config settings will override anything you set there anyways. No sense setting something that won’t be used… though I suppose both sections cover two different uses. One for basic configuration, the other for dealing with users who would circumvent that simple setup.
I’m not sure which is better, what do you think?
Yeah, I did it in a bit of a rush. I’ve decided rather than documenting everything on my personal computer, I may as well do it online and give others the benefit of the searching, plus I don’t have to worry about backups etc 😉 I think I might have to migrate some of my other stuff here too. I’ll have a look at your point and see how it can be tidied as you suggest. Thanks for the feedback!
Yeah, that’s sort of the mindset I follow when writing at http://www.slack-tux.org/ . If I search for something because I either don’t know it or don’t remember it, and I can’t find a good source (that doesn’t require digging through 16 pages of forum discussion, or combining information from 2-3 different sources), I write a quick HOWTO. I guess the theory is that if I searched for it, there’s probably someone else who would too.
Happy to provide any feedback I can. You’re added to my RSS reader now. I look forward to see what else you do!
Heh, I’m in your RSS reader?! I do feel privileged! I like your dual wan article, might consider that sometime, kinda useful as most smaller ISPs will only give one fixed IP per connection here. I’m doing my head in with SSL certificates and Novell OES, Groupwise, iFolder etc at the moment. I can’t believe they autoexpired after only 2 years. If I could find a good opensource linux based mail server I’d migrate to it in a second. It’s tricky when you’ve got a few people hanging off the end of it though, plus I LOVE iFolder 🙂
Heh, thanks. The Dual WAN HOWTO ( http://www.slack-tux.org/howto/setup-dual-wan/ ) was what kicked off the site, really.
For BitTorrent users, it’s great. Most ISPs (here in Western Canada at least) offer crap for upload rates, with the upstream being about the same across most plans. Someone who wanted to seed faster could grab a cheap second connection, and boost that upload speed.
I’m not generally a torrent user (though I do use it to fetch Linux images), but it’s also great for Linux-based routers.
With regards to your mail serving needs, what requirements do you have? There are some very robust mail servers available for Linux. Check under mail-mta or net-mail in Portage.
iFolder is open-source, right? Have you tried installing it on Sabayon / Gentoo? OES is still Linux, right? (unless you’re using a NetWare kernel…) It should be possible (though who knows what manner of hackery will be required).
It’s funny how different the countries are with the broadband, here, we’ve only recently got decent speeds, and when I mean decent I’m talking 200-300kbps via dsl. You can get faster if you’re a big corporate but generally international bandwidth links / how many people are using it = slow speed. Plus the cheapest rate we have is $1 per GB, you can imagine how seeding affects us here with that kind of rate, and it gets much, much worse!
Mail server needs to run Windows / Linux clients (phones would be nice too), be linux based on the server end and be a true workgrouping client/server mail server (so like exchange, groupwise etc that you can trash your client, log on at another one and have your mail pulled back down off the server). We don’t own outlook so ideally should have its own (or free alternative) windows based client like groupwise does. I’m thinking this might become another article on here considering how hard it seems to get a decent product. Scalix looks interesting, though it seems I need to purchase outlook for windows which would probably be almost the same cost as Novell’s full open workgroup suite (it’s quite cheap) which includes supported OS, office suite, mail suite among other things. I’ll have a look in those categories you mentioned, thanks!
Yeah iFolder is open source nowadays thanks to Novell, however it does require mono and a few dependencies, there’s a gentoo portage overlay for it but it’s out of date and doesn’t work. Since Novell like Gnome for some reason and I like KDE it gets a bit painful at times too. Yep OES is linux, (Open Workgroup Suite). Has some really nice stuff in it, their NSS file system for example, has eDirectory etc. I really wish their marketing and documentation would come up and bash MS about a bit, but somehow Novell consistently lose those battles.
So if you know any mail systems that meet those requirements, I’d be grateful if you let me know 🙂 I see openexchange isn’t really open any more, I might just have to pay Novell, at least there’s a support option included. 🙂