Dansguardian


Reference

Documentation
Install tutorials

Install

sudo apt-get install dansguardian privoxy
  • Edit /etc/privoxy/config:
-listen-address localhost:8118
+listen-address 127.0.0.1:8118
  • Restart privoxy
sudo service privoxy force-reload
  • Edit /etc/dansguardian/dansguardian.conf
-UNCONFIGURED - Please remove this line after configuration
-

-proxyport = 3128
+proxyport = 8118
  • Start dansguardian
sudo service dansguardian start
  • Enable ufw
sudo ufw enable
  • Edit iptables (using ufw). Edit /etc/ufw/before.rules:
-A ufw-before-output -o lo -j ACCEPT
+#-A ufw-before-output -o lo -j ACCEPT

+# Rules for Dansguardian
+
+-A ufw-before-output -m owner --uid-owner root -j ACCEPT
+-A ufw-before-output -p tcp -m multiport --dports 80,443 -m owner --uid-owner privoxy -j ACCEPT
+-A ufw-before-output -p tcp -m multiport --dports 80,443 -j DROP
+-A ufw-before-output -o lo -p tcp -m tcp --dport 8118 -m owner --uid-owner dansguardian -j ACCEPT
+-A ufw-before-output -o lo -p tcp -m tcp --dport 8118 -m owner --uid-owner baddreams -j ACCEPT
+-A ufw-before-output -o lo -p tcp -m tcp --dport 8118 -j DROP
+-A ufw-before-output -o lo -j ACCEPT

# don’t delete the ‘COMMIT’ line or these rules won’t be processed
 COMMIT
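Review bot: the DROP added for `--dports 80,443` matches only TCP to those two destination ports, so web traffic from the non-root accounts on any other port, or over UDP 443, is not forced through privoxy. Consider an owner-based default deny for the filtered accounts on non-loopback output, allowing only what they need, rather than listing the ports to block.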
  • Edit iptables (using ufw). Edit /etc/ufw/before6.rules:
-A ufw6-before-output -o lo -j ACCEPT
+#-A ufw6-before-output -o lo -j ACCEPT

+# Rules for Dansguardian
+
+-A ufw6-before-output -m owner --uid-owner root -j ACCEPT
+-A ufw6-before-output -p tcp -m multiport --dports 80,443 -m owner --uid-owner privoxy -j ACCEPT
+-A ufw6-before-output -p tcp -m multiport --dports 80,443 -j DROP
+-A ufw6-before-output -o lo -p tcp -m tcp --dport 8118 -m owner --uid-owner dansguardian -j ACCEPT
+-A ufw6-before-output -o lo -p tcp -m tcp --dport 8118 -m owner --uid-owner baddreams -j ACCEPT
+-A ufw6-before-output -o lo -p tcp -m tcp --dport 8118 -j DROP
+-A ufw6-before-output -o lo -j ACCEPT

# don’t delete the ‘COMMIT’ line or these rules won’t be processed
 COMMIT
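Review bot: `--uid-owner baddreams` hard-codes one local account as the only user, besides dansguardian, allowed to reach port 8118 directly. Add a comment next to the rule saying which account this is (the proxy step sends parents to 8118) and that it must be replaced with an account that exists on the host, and keep the name identical in before.rules and before6.rules so the two files do not drift.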
  • Reload rules
sudo ufw reload
  • Configure the proxies (note that root does not need this)
 export http_proxy='localhost:8080'  # For children (set as the child account's proxy, Firefox proxy, etc.)
 export http_proxy='localhost:8118'  # For parents

Configuration

To reload dansguardian configuration:

sudo service dansguardian force-reload


Fix banned url regex. Edit /etc/dansguardian/lists/bannedregexpurllist
-(sex|fuck|boob|...)+.*(\.jpg|\.wmv|\.mpg|\.mpeg|\.gif|\.mov)
+(sex|fuck|boob|...)+.*(\.jpg|\.wmv|\.mpg|\.mpeg|\.gif|\.mov)$
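Review bot: the trailing `$` added after the extension group means a URL matches only when it ends in the extension, so the same file requested with a query string after `.jpg` or `.mov` is no longer caught by this rule. If the aim is to stop matching longer suffixes, end the pattern with `(\?.*)?$` instead, and record the reason for the anchor next to the rule.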
Hide error message when blocked. Edit file /etc/dansguardian/languages/ukenglish/template.html (or any other language in use)
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<hr>
<address>Apache/2.2.22 Server</address>
</body></html>
Disable anti-virus
  • dansguardian can filter content for viruses using clamav. To enable it (see [1], [2]):
In dansguardian.conf, uncomment
#contentscanner = '/etc/dansguardian/contentscanners/clamdscan.conf'
In dansguardianf1.conf, adapt the line as follows:
disablecontentscan = off
  • To disable it, do the opposite, i.e., comment first line, and set disablecontentscan = on.
Adapt naughtynesslimit if necessary
White-list some sites
  • Add them to /etc/dansguardian/lists/exceptionsitelist (see [4])
  • Sites to white-list:
mail.yahoo.com
mail.yimg.com
... or grey-list some sites
  • There are sites that are still keyword filtered
  • Add them to /etc/dansguardian/lists/greysitelist
Fetch up-to-date black-list
  • From urlblacklist.com
  • Requires explicitly allowing / forbidding some categories (see [5])
  • ... note that even though the list can be easily downloaded, urlblacklist.com is a commercial service (and quite expensive in fact).

Troubleshooting

See log files
  • View /var/log/dansguardian/access.log
  • Search for keywords like *DENIED*; these entries explain in detail why a page was denied access.
  • More information here
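One way to act on the *DENIED* entries mentioned above, as an added example that is not part of the original page: a shell function that counts denials per client IP and reason. It assumes DansGuardian's native log format (logfileformat = 1) with the client IP in field 4 and the reason text running from *DENIED* up to the HTTP method; the function names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: count DansGuardian denials per client IP and reason.
# ASSUMPTION: native log format (logfileformat = 1), space-separated:
#   date time user ip url *DENIED* reason words... METHOD size ...

# Constructed sample lines (not taken from a real log).
sample_log() {
    cat <<'EOF'
2024.1.5 18:02:11 - 127.0.0.1 http://blocked.example/a.jpg *DENIED* Banned site: blocked.example GET 0 0 Banned 1 403 text/html - - -
2024.1.5 18:02:40 - 127.0.0.1 http://blocked.example/b.jpg *DENIED* Banned site: blocked.example GET 0 0 Banned 1 403 text/html - - -
2024.1.5 18:03:02 - 127.0.0.1 http://news.example/story *DENIED* Weighted phrase limit of 50 : 120 GET 5120 120 Weighted 1 403 text/html - - -
2024.1.5 18:03:30 - 127.0.0.1 http://mail.yahoo.com/  GET 2048 0 - 1 200 text/html - - -
EOF
}

# Reads log files given as arguments, or stdin when none are given.
# Prints "count<TAB>ip<TAB>reason", most frequent first.
summarise_denied() {
    awk '
    /\*DENIED\*/ {
        # Locate the action marker; the reason follows it.
        for (i = 1; i <= NF; i++) if ($i == "*DENIED*") break
        reason = ""
        for (j = i + 1; j <= NF; j++) {
            # The HTTP method marks the end of the reason text.
            if ($j ~ /^(GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT)$/) break
            reason = reason (reason == "" ? "" : " ") $j
        }
        count[$4 "\t" reason]++
    }
    END { for (k in count) printf "%d\t%s\n", count[k], k }
    ' "$@" | sort -t "$(printf '\t')" -k1,1nr -k2
}

# Demo on the constructed sample; on a real host pass
# /var/log/dansguardian/access.log as the argument instead.
sample_log | summarise_denied
```

A reason that dominates the output for sites that should be allowed points at the list to adjust (exceptionsitelist or greysitelist above).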
Advanced troubleshooting

To do and issues

  • Add DNS filtering as first layer (see opendns or similar)?
  • What about HTTPS filtering? Filter based on host only (via DNS filtering). How can we also filter the URL / content?
Requires an intercepting proxy and adding a CA certificate to browsers.
  • Redirect all Google queries to http://safesearchkids.com?
  • Add extensions / plugins in the browser
  • Add filters in ADSL router? (url filter, dns filter)