HOWTO: Install Dansguardian on a single desktop

[tonhou]

Dansguardian does an outstanding job of web content filtering to protect from rubbish on the internet. This howto is a synthesis of information taken from:
http://www.pilpi.net/journal/item-985.php

Setting up Dansguardian using Tinyproxy and Firehol on Ubuntu/Edubuntu

1. Ensure "universe repository" is activated and install packages:
sudo apt-get update
sudo apt-get install dansguardian tinyproxy firehol

Note: will probably need to reinstall dansguardian to overcome clamav config errors.

2. Edit: sudo gedit /etc/dansguardian/dansguardian.conf

a) Add comment (#) to:
#UNCONFIGURED

b) Turn off virus checking (if not wanted):
virusscan=off

c) Check that the following are set:
filterport = 8080
proxyip = 127.0.0.1
proxyport = 3128

d) Save & exit.

e) Run:
sudo dpkg-reconfigure dansguardian

3. Edit: sudo gedit /etc/firehol/firehol.conf

Add all of the following at the start of the document:

iptables -t filter -I OUTPUT -d 127.0.0.1 -p tcp --dport 3128 -m owner ! --uid-owner dansguardian -j DROP

transparent_squid 8080 "root root"

interface any world
policy drop
protection strong
client all accept
server cups accept
#server webcache accept

Note: will need to remove "interface any world . . ." further on in the document.
Note: uncomment "server webcache accept" if this dansguardian system is going to filter others on a network BUT do not then connect directly to the internet as this is opening it wide open for anyone to access!

4. Edit: sudo gedit /etc/default/firehol

START_FIREHOL=YES

This is to allow restarting of the firewall.

5. Edit sudo gedit /etc/tinyproxy/tinyproxy.conf

Change/add the following lines (by scrolling through the document):
User root
Group root
Port 3128
ViaProxyName "tinyproxy"

6. Restart each program:

sudo /etc/init.d/tinyproxy restart
sudo /etc/init.d/firehol restart
sudo /etc/init.d/dansguardian restart

7. Dansguardian should now be operational blocking objectional sites using any browser!

** EDITED INFORMATION ** I have edited this to include the use of these instructions for not only a single desktop but also for other systems (including Windows boxes) to point to such a configured box on a network and be filtered. This requires the addition of the last line in firehol.conf as above "server webcache accept".

The other systems must have their proxy settings set in the browser to point to the ip address of the dansguardian system and port 8080.

In Firefox:
Edit -> Preferences -> General -> Connection Settings -> Manual proxy configuration

Check manual proxy configuration and add “your DG box ip address” in first box and “8080” in second
Then tick “Use this proxy server for all protocols”

These settings can be locked, instructions are available below to do this:

Modify the file sudo gedit /usr/lib/firefox/firefox.cfg

by adding the following:

lockPref("network.proxy.http", "127.0.0.1");
lockPref("network.proxy.http_port", 8080);
lockPref("network.proxy.type", 1);
lockPref("network.proxy.no_proxies_on", "localhost, 127.0.0.1");

PLEASE NOTE: The dansguardian system that is doing the filtering on your network using this configuration CANNOT be connected directly to the internet - very important!!

[shanepardue]

wow!! thanks for that howto!! i've been looking everywhere for that kinda thing!! you don't even need to configure the browser with the proxy or anything?

[andytof47]

just one problem when i follow this guide my browser can't connect but things like gaim and my email programme can connect??? anyone able to help m,e?

[Athanasius]

I am having the same problem, it seems to block everything

[tonhou]

Sorry that it is not working for you guys! I'm afraid I don't really know what the issues are. It has worked for me on around 6 systems that I have set up. I have also done other enhancements - added lines to dansguardian configuration to block undesirable image searches and also locked firefox browser settings to stop use of secure proxy sites.

Could you check that each of the three programs are running. In a terminal:

ps auxf

Also you may like to look at this post where there is a similar approach with some different configuration:

http://ubuntuforums.org/showpost.php...7&postcount=21

--Tony

[Athanasius]

I am sorry, it is actually working VERY well and now I just have to tinker with the filters.
Thenk you for the HowTo, I have been looking for someting like this for months!

[tonhou]

Glad that it is working!

Here are some changes that I have made to filters etc. for searching images and also for stopping access to secure proxy sites.

1. Modify the file /etc/dansguardian/bannedregexpurllist

by uncommenting (remove #) so that it looks as it is below:

#Block unfiltered options on various search engines
(^|[\?+=&/])(.*\.google\..*/.*\?.*safe=off)([\?+=&/]|$)
(^|[\?+=&/])(.*\.alltheweb.com/customize\?.*copt_offensive=off)([\?+=&/]|$)

#Block images on altavista, alltheweb, yahoo etc - as they are anonomised
(yahoo.com\/image\/)
(yimg.com\/image\/)
(altavista.com\/image\/)
(altavista.com\/video\/)

AND/OR modify the file /etc/dansguardian/bannedphraselist

by adding the following:

#-----
# Google
< safesearch is off >,< about google >,< Advanced&nbsp;Image&nbsp;Search>
# Yahoo
< safesearch is off >, < images >
# Dogpile, Excite, Webcrawler
< likely to contain adult content >,< results with adult content >
# AlltheWeb
<offensive content filter is off>,<results with offensive content>
#-----

These stop adult/offensive images if safe search is turned off for an image search engine.

2. Change firefox preferences to stop use of secure proxy sites to gain access to blocked sites:

For Firefox:

Modify the file sudo gedit /usr/lib/firefox/firefox.cfg

by adding the following:

lockPref("network.proxy.http", "127.0.0.1");
lockPref("network.proxy.http_port", 8080);
lockPref("network.proxy.type", 1);
lockPref("network.proxy.no_proxies_on", "localhost, 127.0.0.1");

This will lock the proxy settings in firefox preferences if it is considered necessary to block access to secure proxy sites such as :
https://proxify.com
(these provide an unfiltered gateway out!)

Please note that the firefox.cfg file is overwritten each time there is a firefox update!!
--Tony

[tonhou]

Another simple to setup filtering option if you use Firefox is to use the extension blockxxx. Unfortunately it has not been available for Firefox 1.5 but here is an updated version:

http://cvs.linex.org/blockxxx-0.4.1-fx.xpi

To install go to File -> Open File (and point to where blockxxx is downloaded to).
It seems to do a reasonable job with the default lists, but needs extra blocking URL's to stop/tighten search engine changing of preferences. I have also imported a larger list of blockable words.

--Tony

[tonhou]

I recommend the script that automatically installs dansguardian (with firehol & tinyproxy - as above) along with a smart graphical front end to change filters that has been put together by Jereme found here:

http://www.ubuntuforums.org/showthread.php?t=237355

--Tony

[cspaz]

Quote:

Originally Posted by tonhou I recommend the script that automatically installs dansguardian (with firehol & tinyproxy - as above) along with a smart graphical front end to change filters that has been put together by Jereme found here: http://www.ubuntuforums.org/showthread.php?t=237355 --Tony

Can you get just the gui frond end? I've followed the above howto and have dansguardian working properly, but a gui tool for configuration would be nice.