This page (revision-4) was last changed on 25-Jan-2008 12:17 by ThomasBayen 

This page was created on 03-Oct-2006 21:29 by UnknownAuthor


= Dansguardian =

After having read a lot in your wiki, I have to give something back for once (I have been putting this off for far too long).

=== What is it, actually ===

Dansguardian is a transparent proxy that filters the content of the web page by keywords,
and not just - as is usually the case - the URL.

It is available from http://dansguardian.org/
It is released under the GPL but is subject to a fee for commercial use.


=== Setting up Dansguardian on Suse 8.1 ===

It is enough to take the Red Hat rpm and install it on the machine!
You can also compile it yourself; the command for that is in the Readme!
If you install it as an rpm, you then have to move the cgi from
/var/www/cgi-bin/ to /srv/www/cgi-bin/.

=== Configuring ===

The configuration is essentially complete as shipped. Only a few
adjustments need to be made!

 # Web Access Denied Reporting (does not affect logging)
 #
 # -1 = log, but do not block - Stealth mode
 #  0 = just say 'Access Denied'
 #  1 = report why but not what denied phrase
 #  2 = report fully
 #  3 = use HTML template file (accessdeniedaddress ignored)
 reportinglevel = 3

 # HTML Template file path.
 # Only used when reportinglevel is set to 3.
 # When used, DansGuardian will display the HTML file instead of
 # using the perl cgi script.  This option is faster, cleaner
 # and easier to customise the access denied page.
 htmltemplate = '/etc/dansguardian/template.html'

 # Logging Settings
 # 0 = none  1 = just denied  2 = all text based  3 = all requests
 loglevel = 2

 # Log Exception Hits
 # Log if an exception (user, ip, URL, phrase) is matched and so
 # the page gets let through.  Can be useful for diagnosing
 # why a site gets through the filter.  on | off
 logexceptionhits = on

 # Log File Format
 # 1 = DansGuardian format        2 = CSV-style format
 # 3 = Squid Log File Format      4 = Tab delimited
 logfileformat = 1

 # Network Settings
 #
 # the IP that DansGuardian listens on.  If left blank DansGuardian will
 # listen on all IPs.  That would include all NICs, loopback, modem, etc.
 # Normally you would have your firewall protecting this, but if you want
 # you can limit it to only 1 IP.  Yes only one.
 filterip =

 # the port that DansGuardian listens to
 # It needs to be greater than 1024
 filterport = 8080

 # the ip of the proxy (default is the loopback - i.e. this server)
 proxyip = 127.0.0.1

 # the port DansGuardian connects to proxy on
 proxyport = 3128

 # accessdeniedaddress is the address of your web server to which the cgi
 # dansguardian reporting script was copied
 accessdeniedaddress = 'http://192.168.2.1/cgi-bin/dansguardian.pl'

 # Content filtering files location
 bannedphraselist = '/etc/dansguardian/bannedphraselist'
 exceptionphraselist = '/etc/dansguardian/exceptionphraselist'
 weightedphraselist = '/etc/dansguardian/weightedphraselist'
 bannedsitelist = '/etc/dansguardian/bannedsitelist'
 exceptionsitelist = '/etc/dansguardian/exceptionsitelist'
 exceptionurllist = '/etc/dansguardian/exceptionurllist'
 bannedurllist = '/etc/dansguardian/bannedurllist'
 bannedregexpurllist = '/etc/dansguardian/bannedregexpurllist'
 bannedextensionlist = '/etc/dansguardian/bannedextensionlist'
 bannedmimetypelist = '/etc/dansguardian/bannedmimetypelist'
 bannediplist = '/etc/dansguardian/bannediplist'
 exceptioniplist = '/etc/dansguardian/exceptioniplist'
 banneduserlist = '/etc/dansguardian/banneduserlist'
 exceptionuserlist = '/etc/dansguardian/exceptionuserlist'
 picsfile = '/etc/dansguardian/pics'
 contentregexplist = '/etc/dansguardian/contentregexplist'

 # messages file for internationalisation.
 languagefile = '/etc/dansguardian/messages'

 # Weighted phrase mode
 # There are 3 possible modes of operation:
 # 0 = off = do not use the weighted phrase feature.
 # 1 = on, normal = normal weighted phrase operation.
 # 2 = on, singular = each weighted phrase found only counts once on a page.
 weightedphrasemode = 2

 # Naughtyness limit
 # This is the limit over which the page will be blocked.  Each weighted phrase is given
 # a value either positive or negative and the values added up.  Phrases to do with
 # good subjects will have negative values, and bad subjects will have positive
 # values.  See the weightedphraselist file for examples.
 # As a guide:
 # 50 is for young children,  100 for old children,  160 for young adults.
 naughtynesslimit = 50

 # Show weighted phrases found
 # If enabled then the phrases found that made up the total which exceeds
 # the naughtyness limit will be logged and, if the reporting level is
 # high enough, reported. on | off
 showweightedfound = on

 # Positive result caching for text URLs
 # Caches good pages so they don't need to be scanned again
 # 0 = off (recommended for ISPs with users with dissimilar browsing)
 # 100 = recommended for schools
 urlcachenumber = 100
 #
 # Age before they are stale and should be ignored in seconds
 # 0 = never
 # 300 = recommended
 urlcacheage = 300

 # Reverse lookups for banned site and URLs.
 # If set to on, DansGuardian will look up the forward DNS for an IP URL
 # address and search for both in the banned site and URL lists.  This would
 # prevent a user from simply entering the IP for a banned address.
 # It will reduce searching speed somewhat so unless you have a local caching
 # DNS server, leave it off and use the Blanket IP Block option in the
 # bannedsitelist file instead.
 reverseaddresslookups = off

 # Build bannedsitelist and bannedurllist cache files.
 # This will compare the date stamp of the list file with the date stamp of
 # the cache file and will recreate as needed.
 # If a bsl or bul .processed file exists, then that will be used instead.
 # It will increase process start speed by 300%.  On slow computers this will
 # be significant.  Fast computers do not need this option. on | off
 createlistcachefiles = on

 # POST protection (web upload and forms)
 # does not block forms without any file upload, i.e. this is just for
 # blocking or limiting uploads
 # measured in kilobytes after MIME encoding and header bumph
 # use 0 for a complete block
 # use higher (e.g. 512 = 512Kbytes) for limiting
 # use -1 for no blocking
 #maxuploadsize = 512
 #maxuploadsize = 0
 maxuploadsize = -1

 # Max content filter page size
 # Sometimes web servers label binary files as text which can be very
 # large which causes a huge drain on memory and cpu resources.
 # To counter this, you can limit the size of the document to be
 # filtered and get it to just pass it straight through.
 # This setting also applies to content regular expression modification.
 # The size is in Megabytes - eg 2 = 2048Kb
 # use 0 for no limit
 maxcontentfiltersize = 1

 # Username identification methods (used in logging)
 # You can have as many methods as you want and not just one.  The first one
 # will be used then if no username is found, the next will be used.
 # * proxyauth is for when basic proxy authentication is used (no good for
 #   transparent proxying).
 # * ntlm is for when the proxy supports the MS NTLM authentication
 #   protocol.  (Only works with IE5.5 sp1 and later).  **NOT IMPLEMENTED**
 # * ident is for when the others don't work.  It will contact the computer
 #   that the connection came from and try to connect to an identd server
 #   and query it for the user owner of the connection.
 usernameidmethodproxyauth = off
 usernameidmethodntlm = off # **NOT IMPLEMENTED**
 usernameidmethodident = off

 # Misc settings

 # if on it adds an X-Forwarded-For: <clientip> to the HTTP request
 # header.  This may help solve some problem sites that need to know the
 # source ip. on | off
 forwardedfor = off

 # if on it uses the X-Forwarded-For: <clientip> to determine the client
 # IP. This is for when you have squid between the clients and DansGuardian.
 # Warning - headers are easily spoofed. on | off
 usexforwardedfor = off

 # sets the maximum number of processes to spawn to handle the incoming
 # connections.  This will prevent DoS attacks killing the server with
 # too many spawned processes.
 # On large sites you might want to double or triple this number.
 maxchildren = 120

 # if on it logs some debug info regarding fork()ing and accept()ing which
 # can usually be ignored.  These are logged by syslog.  It is safe to leave
 # it on or off
 logconnectionhandlingerrors = off
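The weightedphrasemode and naughtynesslimit comments above describe the scoring rule only in words. The following added example (not DansGuardian's own code) models that rule: a constructed phrase list with positive and negative weights, a constructed page text, and the difference between mode 1 (every hit counts) and mode 2 (each phrase counts once), evaluated against the limit of 50 set above.

```python
# Added example, not DansGuardian's code: a model of weighted-phrase scoring.
# Phrase weights and the sample page below are constructed for illustration.

WEIGHTED_PHRASES = {
    "free download": 20,    # positive weight = "bad" subject (constructed)
    "win prizes": 30,
    "homework help": -40,   # negative weight = "good" subject, lowers the total
    "school library": -20,
}

# Constructed sample page: "free download" occurs twice, "win prizes" once.
PAGE = "Free download! Win prizes now. Free download for everyone."


def weighted_score(text, phrases, mode):
    """Return (total, found) the way the config comments describe it.

    mode 0: feature off, total is always 0
    mode 1: normal, every occurrence of a phrase adds its weight
    mode 2: singular, each phrase adds its weight at most once per page
    `found` lists (phrase, hits, contribution), which is what
    showweightedfound = on would put in the log.
    """
    if mode == 0:
        return 0, []
    haystack = text.lower()
    total, found = 0, []
    for phrase, weight in phrases.items():
        hits = haystack.count(phrase.lower())
        if hits == 0:
            continue
        contribution = weight if mode == 2 else weight * hits
        total += contribution
        found.append((phrase, hits, contribution))
    return total, found


def is_blocked(text, phrases, limit, mode):
    """A page is blocked when its total is over the naughtyness limit."""
    total, _ = weighted_score(text, phrases, mode)
    return total > limit


if __name__ == "__main__":
    for mode in (1, 2):
        total, found = weighted_score(PAGE, WEIGHTED_PHRASES, mode)
        print(f"mode {mode}: total={total} blocked={total > 50} found={found}")
```

With the limit of 50, the same page is blocked in mode 1 (total 70) but passes in mode 2 (total 50), which is the trade-off the singular mode makes on pages that repeat one phrase.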

=== Iptables for redirecting to the transparent proxy ===

* Change the iptables rules (on Suse you can put this in /etc/init.d/boot.local)

 iptables -t nat -A PREROUTING -m tcp -p tcp --dport 80 -j REDIRECT --to-port 8080
 # Forward all requests for port 80 to port 8080 (where DansGuardian is running)

* Blocking the Squid port

 iptables -A INPUT -m tcp -p tcp -s ! 127.0.0.1 --dport 3128 -j DROP
 # So that nobody can reach Squid directly and thereby bypass DansGuardian

=== A start ===

1. Compile Squid with the option "--enable-linux-netfilter"
2. Set up Squid so that it runs

Change the following lines in squid.conf

 httpd_accel_host virtual
 httpd_accel_port 80
 httpd_accel_single_host off
 httpd_accel_with_proxy on
 httpd_accel_uses_host_header on

3a. Change the iptables rules (on Suse you can put this in /etc/init.d/boot.local)

 iptables -t nat -A PREROUTING -m tcp -p tcp --dport 80 -j REDIRECT --to-port 8080

This forwards all requests for port 80 to port 8080, where DansGuardian is running.

If you want, you can also run DansGuardian on another machine:

 iptables -t nat -A PREROUTING -m tcp -p tcp -s ! {DG's IP ADDRESS} --dport 80 -j DNAT --to {DG's IP ADDRESS}:8080

The "!" is important because, unlike the normal case, the traffic does not originate from the loopback (127.0.0.1).

3b. Blocking the Squid port

 iptables -A INPUT -m tcp -p tcp -s ! 127.0.0.1 --dport 3128 -j DROP

This is necessary so that nobody can configure Squid directly as their proxy and
thereby bypass DansGuardian!

4. Default gateway
The machine should be set up as the default gateway for internet access.
This can be configured on each client or in /etc/dhcp.conf
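Steps 3a and 3b only work as intended if both rules are actually present on the box. The following added example (not from the wiki page or the DansGuardian project) audits an `iptables-save` dump for exactly those two properties: port 80 is handed to DansGuardian (REDIRECT locally, or DNAT to another host) and the Squid port accepts nothing from non-loopback sources. The dump is constructed, using the ports 8080 and 3128 from this page.

```python
# Added example, not from the wiki page: audit an iptables-save dump for the
# redirect-to-DansGuardian rule and the Squid port lock described in steps 3a/3b.
import re

# Constructed iptables-save output for a host where both rules are in place.
SAMPLE_DUMP = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT ! -s 127.0.0.1/32 -p tcp -m tcp --dport 3128 -j DROP
COMMIT
"""


def parse_dump(dump):
    """Return {table_name: [rule lines]} from iptables-save output."""
    tables, current = {}, None
    for line in dump.splitlines():
        if line.startswith("*"):          # "*nat", "*filter", ...
            current = line[1:]
            tables[current] = []
        elif line.startswith("-A ") and current is not None:
            tables[current].append(line)
    return tables


def audit(dump, dg_port=8080, squid_port=3128):
    """Return a list of problems; an empty list means the chain is wired up."""
    tables = parse_dump(dump)
    problems = []
    # Either the local REDIRECT form or the DNAT form for a remote DG host.
    redirect = re.compile(
        rf"^-A PREROUTING .*--dport 80 .*-j "
        rf"(REDIRECT --to-ports {dg_port}|DNAT --to-destination \S+:{dg_port})$")
    if not any(redirect.search(r) for r in tables.get("nat", [])):
        problems.append(f"no PREROUTING rule sends port 80 to DansGuardian on {dg_port}")
    # Only 127.0.0.1 (DansGuardian's proxyip) may talk to Squid.
    lock = re.compile(rf"^-A INPUT ! -s 127\.0\.0\.1(/32)? .*--dport {squid_port} -j DROP$")
    if not any(lock.search(r) for r in tables.get("filter", [])):
        problems.append(f"Squid port {squid_port} is reachable from non-loopback sources")
    return problems


if __name__ == "__main__":
    print(audit(SAMPLE_DUMP) or "OK: both rules present")
```

On a real host, feed it the output of `iptables-save`; a non-empty list is the bypass condition step 3b warns about.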

This is a translation, with some adaptations for Suse, of
http://dansguardian.org/downloads/DGandTransparent.txt

=== Note ===

Unfortunately I still have to finish this myself. But I hope that now that I
have made a start, I will also finish writing it.

AnsgarJazdzewski

----

Nice. :-) Looks good so far. Welcome to the club! I did not know this thing
at all yet, and am curious about your experience. By the way, it might be a
good idea if you logged in as a user. Then one can see better in
RecentChanges who changed what. It is also customary for every user to set
up their own page with the username as its title. Mine is ThomasBayen, yours
should be AnsgarJazdzewski. There you can write something about yourself and
others can leave you comments (like this paragraph here, which you should
delete again from the DansGuardian page). -- ThomasBayen
For Debian, DansGuardian is available as a ready-made package in Sarge and Etch. --PeterHormanns

[{Tag Firewall}]