Mailinglist Archive: opensuse-security (409 mails)

Re: Re: [suse-security] Squid 2.4-STABLE-7 and DansGuardian ( P.S. )
  • From: BLeonhardt@xxxxxxxxxxx
  • Date: Tue, 13 Aug 2002 17:22:15 +0200
  • Message-id: <OFB09A4EEA.BA59D2BE-ONC1256C14.0053A11C-C1256C14.0053EDB4@xxxxxxxxxxx>
Hi,

thanks for your advice ...
... my config is like the following now:

squid-2.4.x ( running on 3128 )
dansguardian ( running on 8080 )
prevent direct connections to 3128 with iptables

haven't configured the web interface but I think it's working ...

dansguardian.conf :

filterip = myinternalip ( not loopback )
proxyip = 127.0.0.1

I think it's working now correctly ... have added

application/pdf

to "/etc/dansguardian/bannedmimetypelist" and wasn't able to open such
files anymore ...

Regards / Kind regards
Bruno Leonhardt

CLP Domino R5 Systemadministrator

-----------
AnalyTek Systemhaus
Hospital Str. 2a
D-65589 Hadamar

Telefon : 06433/81403-15
Telefax : 06433/81403-40

Visit us on the Internet at : http://www.analytek.de

"Philippe Vogel" <filiaap@xxxxxxxxxx>
13.08.02 16:43


To: <BLeonhardt@xxxxxxxxxxx>
Cc:
Subject: Re: [suse-security] Squid 2.4-STABLE-7 and DansGuardian ( P.S. )


>Have the problem, that if I deny images/* - the site will be displayed
>anyway ...
>... and if I deny .gif's - file-extension , the whole site won't be
>displayed ...

This makes no sense!
If you ban something, the whole site page with that content will be
banned.

>
>... it's not even working if I say in
>/etc/dansguardian/bannedmimetypelist
>:
>
>application/*
>
>... have loaded an pdf-file directly over http ...
>
>why isn't that working? I have the port of DansGuardian set to 8080 and so
>in my client's proxy configuration ...

Dansguardian needs the following: webserver, firewall, squid

First setup squid correctly.
e.g. set squid to 3128 and dansguardian to 8080.
let dansguardian use squid on 3128 and add the line

"Firewall-Server" should be setup like this:

internal net <-> Dansguardian <-> udp_outgoing_address <external ip firewall> <-> Squid <-> udp_incoming_address <internal ip firewall> <-> internet

1) setup squid to

udp_outgoing_address <external ip>
udp_incoming_address <internal ip>

2) setup dansguardian to listen on 8080 on the internal ip (look at the bottom of
this mail)

3) copy files to apache and configure it running on your host

copy dansguardian.pl to /usr/local/httpd/cgi-bin and chown root:root
chmod 755

4) setup firewall to redirect traffic from internal to external

/etc/rc.config.d/firewall2.rc.conf

#9.)
FW_SERVICES_EXT_TCP=""
FW_SERVICES_EXT_UDP=""
FW_SERVICES_INT_TCP="80 8080" <- add here what you want to be let through too
FW_SERVICES_INT_UDP="80 8080" <- add here what you want to be let through too

#15.)
FW_REDIRECT="$YOUR_LAN,0/0,tcp,80,8080"

$YOUR_LAN should look like $YOUR_LAN="192.168.168.0/24" for all IPs
from 192.168.168.0 - 255

5) block all incoming traffic from external to 8080 on the firewall (local access
from the firewall to external must be allowed)
block all incoming traffic from internal to 3128 on the firewall

NO rules set for these ports in FW_SERVICES_INT and FW_SERVICES_EXT

Dansguardian:

Expressions for your lan could be 192.168.168.0/24 for all IPs within
192.168.168.0 - 255

$IPTABLES should contain the full path to iptables!

Configure the blocktypes and only block URLs!
Block Extensions only for malicious code.
I use: .ade .adp .bas .bat .cab .chm .cmd .com .cpl .crt .dll .eml .hta
.ins .isp .lnk .mdb .mde .msc .msi .msp .mst .ocx .pcd .pif .reg .url
.vb .vbe .vbs .wsc .wsf .wsh

As for Windows 2000, typical scripts/programs are executed with
other extensions as well!

For URL-blocking there are several up-to-date lists on the dansguardian
homepage.

I only block porno-content.
Even here there is a funny thing.
I blocked expressions, so assh***.jpg was banned or a page on ebay was
blocked because of a "false" meta-tag!
So setup expressionlist to your delight or do not use it.

It is not easy to get it running to your delight in 5 minutes.
You have to modify rules until the filter works fine!
It took me a week to get it working fine.

Don't forget to restart squid and dansguardian for the changes to take effect!

Philippe

P.S.:

#<file dansguardian.conf>

htmltemplate = /etc/dansguardian/template.html
filterip = yourinternalserverip
filterport = 8080
proxyport = 3128
proxyip = 127.0.0.1
accessdeniedaddress = http://yourwebserver/cgi-bin/dansguardian.pl
bannedphraselist = /etc/dansguardian/bannedphraselist
banneduserlist = /etc/dansguardian/banneduserlist
bannediplist = /etc/dansguardian/bannediplist
bannedextensionlist = /etc/dansguardian/bannedextensionlist
bannedmimetypelist = /etc/dansguardian/bannedmimetypelist
bannedsitelist = /etc/dansguardian/bannedsitelist
bannedurllist = /etc/dansguardian/bannedurllist
bannedregexpurllist = /etc/dansguardian/bannedregexpurllist
exceptionphraselist = /etc/dansguardian/exceptionphraselist
exceptionsitelist = /etc/dansguardian/exceptionsitelist
exceptionuserlist = /etc/dansguardian/exceptionuserlist
exceptioniplist = /etc/dansguardian/exceptioniplist
exceptionurllist = /etc/dansguardian/exceptionurllist
weightedphraselist = /etc/dansguardian/weightedphraselist
picsfile = /etc/dansguardian/pics
maxuploadsize = -1
#maxchildren = 120
maxchildren = 240
weightedphrasemode = 2
naughtynesslimit = 50
logexceptionhits = on
showweightedfound = on
reverseaddresslookups =
createlistcachefiles = on
usernameidmethodproxyauth = off
usernameidmethodident =
forwardedfor =
logconnectionhandlingerrors = on
logfileformat = 1
reportinglevel = 3

#</file>
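The dansguardian.conf in the P.S. (and Bruno's summary at the top of the thread) hinge on two values: filterip must be the internal LAN address, not loopback, and proxyip must stay on 127.0.0.1 so that squid is only reachable through the filter. The following is an added example, not part of either mail or of the DansGuardian project: a small POSIX sh checker that reads those keys from a dansguardian.conf-style file and rejects the common mistakes. The sample configurations it builds with mktemp are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the mailing-list posting or DansGuardian itself):
# sanity-check the filter/proxy split described in the thread.
# Config file contents below are constructed for the demo.

# Print the value of a "key = value" line from a dansguardian.conf-style file.
# $1 = file, $2 = key.  The "=" after the key keeps "filterip" from matching
# "filterport".
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Return 0 when the config matches the setup from the thread, otherwise
# print each problem and return 1.
check_dg_conf() {
    f=$1; rc=0
    filterip=$(conf_get "$f" filterip)
    proxyip=$(conf_get "$f" proxyip)
    filterport=$(conf_get "$f" filterport)
    proxyport=$(conf_get "$f" proxyport)
    # filterip: clients on the LAN must be able to reach the filter, so it
    # cannot be empty or a loopback address
    case "$filterip" in
        ""|127.*) echo "filterip '$filterip' must be the internal LAN address, not loopback"; rc=1 ;;
    esac
    # proxyip: squid stays on loopback so nothing but dansguardian can use it
    case "$proxyip" in
        127.*) ;;
        *) echo "proxyip '$proxyip' should be 127.0.0.1 so only dansguardian can reach squid"; rc=1 ;;
    esac
    # the two daemons cannot share a port
    [ "$filterport" != "$proxyport" ] || { echo "filterport and proxyport are both '$filterport'"; rc=1; }
    return $rc
}

# constructed sample matching the values in the thread
good=$(mktemp)
printf 'filterip = 192.168.168.1\nfilterport = 8080\nproxyport = 3128\nproxyip = 127.0.0.1\n' > "$good"
# constructed sample with the mistakes the checker is meant to catch
bad=$(mktemp)
printf 'filterip = 127.0.0.1\nfilterport = 8080\nproxyport = 8080\nproxyip = 192.168.168.1\n' > "$bad"

check_dg_conf "$good" && echo "good config: ok"
check_dg_conf "$bad" || echo "bad config: rejected"
rm -f "$good" "$bad"
```

Run it against the real file with `check_dg_conf /etc/dansguardian/dansguardian.conf` after sourcing the script; the check is deliberately limited to the keys the thread discusses.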


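Steps 4) and 5) of Philippe's mail are given as SuSEfirewall2 variables (FW_REDIRECT, FW_SERVICES_*). As an added example that is not from the mail or from the DansGuardian project, here is the same policy expressed as raw iptables rules: redirect LAN port 80 into dansguardian, refuse the filter port from the outside, and refuse direct access to squid on 3128 from anything but loopback (which is what makes proxyip = 127.0.0.1 enforceable). The interface names eth0/eth1 and the LAN range are assumptions; the script only prints the rules so they can be reviewed without root and applied with `sh` afterwards.

```shell
#!/bin/sh
# Added example (not from the posting): iptables equivalent of steps 4) and 5).
# Interface names and the LAN range are assumptions for the demo.
# The generator prints rules instead of applying them; review, then
# run:  sh -c "$(sh this_script.sh)"  as root to apply.

LAN="192.168.168.0/24"      # $YOUR_LAN in the posting
INT_IF="eth0"               # assumed internal interface
EXT_IF="eth1"               # assumed external interface
DG_PORT=8080                # dansguardian filterport
SQUID_PORT=3128             # squid http_port

# Print the rule set, one rule per line.
# $1 = LAN, $2 = internal iface, $3 = external iface, $4 = filter port, $5 = squid port
gen_rules() {
    lan=$1; int_if=$2; ext_if=$3; dg=$4; sq=$5
    # step 4: transparently redirect LAN web traffic into dansguardian
    echo "iptables -t nat -A PREROUTING -i $int_if -s $lan -p tcp --dport 80 -j REDIRECT --to-ports $dg"
    # step 5a: the filter port is never reachable from the external side
    echo "iptables -A INPUT -i $ext_if -p tcp --dport $dg -j DROP"
    # step 5b: only dansguardian on the local host may talk to squid;
    # a LAN client pointing its browser at 3128 directly bypasses the filter
    echo "iptables -A INPUT -i lo -p tcp --dport $sq -j ACCEPT"
    echo "iptables -A INPUT -p tcp --dport $sq -j DROP"
    # clients with an explicit proxy setting reach the filter port from the LAN
    echo "iptables -A INPUT -i $int_if -s $lan -p tcp --dport $dg -j ACCEPT"
}

# Self-check helper: number of rules that DROP direct access to the squid port.
count_squid_drops() {
    gen_rules "$@" | grep -c -- "--dport $5 -j DROP"
}

rules=$(gen_rules "$LAN" "$INT_IF" "$EXT_IF" "$DG_PORT" "$SQUID_PORT")
echo "$rules"
```

Rule order matters for 3128: the loopback ACCEPT must precede the DROP, otherwise dansguardian itself is cut off from squid, which is the failure mode the thread's "prevent direct connections to 3128 with iptables" line glosses over.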