dansguardian · A public mailing list to discuss all aspects of DansGuardian
Messages 23414 - 23447 of 23520
#23447 From: "mwdeise" <mdeise@...>
Date: Mon Nov 30, 2009 1:38 am
Subject: Content blocking on new personal computer on home network
 
Hello,

I recently purchased a new ASUS Eee Netbook computer with the LINUX OS. I access
the internet via my home personal connection to the internet. Comcast is my ISP
and does not offer any firewall-like content blocking applications. It is not
associated with any business or educational organization. However, when I
attempt to go to web sites that are totally free of any "questionable" content I
get notification from DansGuardian that the content is being blocked because of
"Portuguese Pornography" or "German Pornography" when in fact there is no bad
content.

How do I stop DansGuardian from blocking simple "clean" websites?

ASUS says the problem is with Comcast. Comcast says the problem is with ASUS.

What do I do?

#23446 From: "michael_mwd" <michael_mwd@...>
Date: Sat Nov 28, 2009 9:43 pm
Subject: Family Tree Maker
 
The FTM program from ancestry loses its internet connectivity when I install
DansGuardian on my IPCop firewall using copplus 3.0.2.

Uninstalling DansGuardian restores connectivity.

I gather I am not alone with proxy problems with this program, e.g.
http://boards.ancestry.com/topics.software.famtreemaker/3116.1.2.1.1.1.1.1.1.1.2/mb.ashx.

Since the machine with FTM does not need to be filtered I added it to the
excluded IP list.  Even so DansGuardian is doing something that makes FTM
unhappy.

Personally I think FTM is at fault.  I'm not sure what non-HTTP things it is
doing through port 80 but it really ought to do it in a way that works through
firewalls/proxies/filters.

However excluding an IP from being filtered with DansGuardian is not working
quite as I'd expect.  I'd expect an excluded IP to function as if DansGuardian
wasn't there.

Has anyone encountered this or a similar problem and found a solution?

Michael

#23445 From: Anthony Simonelli <asimonelli7@...>
Date: Sat Nov 28, 2009 6:59 pm
Subject: Squid ACL to bypass authentication fails when accessing SSL enabled sites
 
I've searched the archives and was unable to find the answer to my question.

I'm using NTLM authentication on Squid for every client and have it enabled on
Dansguardian (which all works great).  Now I've put in an ACL that bypasses the
authentication for certain sites using url_regex.  The reason is that a
Java applet does not have the ability to authenticate to the proxy and therefore
fails to work, breaking the site.

Once I put this ACL in, authentication is bypassed (as evident in the logs) for
those particular websites, but when I access an SSL enabled site in the list, it
fails to load the page.  If I take Dansguardian out of the loop and just use
Squid, the ACL works just fine and authentication is bypassed for both HTTP and
HTTPS sites.

Therefore, something is going wrong between Squid and Dansguardian when
authentication is bypassed AND accessing a SSL-enabled site.  I can't figure out
what I can do to get it to work and am wondering why it is only HTTPS sites.  Any
help would be greatly appreciated.

--Anthony

#23444 From: "clark_gabler" <clark_gabler@...>
Date: Fri Nov 27, 2009 9:21 am
Subject: HTTPS CONNECT silently closed
 
Hello,

I'm facing a problem where the internal usage of a foreign exchange application
using HTTPS through DG proxies does not work.
I'm a little bit stuck as there is very little logging or debug information
available to trace the problem.

I'm using DG V2.10.0.3 chained to Squid 2.7.STABLE6.
The failing application is called CitiFX Velocity:
http://www.e-forex.net/news/e-FX+News/21105/Citi+launches++CitiFX+Velocity

The symptom is that the client application cannot establish a successful
connection to its target server but DG does not log or show any evidence of some
denial or problem. By configuring the application to go through Squid directly
(bypassing DG), it works without any problem.

I checked my different DG rules for possible denials, created an exception for the
target site and finally made a test environment with no denial rules at all but
the problem is still present.

By snooping on the proxy with tcpdump and on the PC where the client application
is installed, the only thing I noticed is:

Trace between the client and the proxy:

> CONNECT prod.citifxvelocity.com:443 HTTP/1.1
> HOST: prod.citifxvelocity.com:443
< HTTP/1.0 200 Connection established

Trace between the proxy and the target server (via Squid):

> CONNECT prod.citifxvelocity.com:443 HTTP/1.0
> HOST: prod.citifxvelocity.com:443
Proxy-Connection: close
X-Forwarded-For: 10.10.1.1

Notice the HTTP protocol version change!
Does DG not honor the Proxy-Connection: Keep-alive header?

Thanks for any clue or help

Cheers
Clark

#23442 From: Marco Felettigh <marco@...>
Date: Thu Nov 26, 2009 10:26 am
Subject: Re: Trickle plugin, multiple bytes
 
Hi, interesting :)
Can I test the patch too?

have a nice day

#23441 From: Joshaven Potter <yourtech@...>
Date: Mon Nov 23, 2009 5:44 pm
Subject: Re: transparent proxy with dansguardian on Fedora12
 
As to your problem...

You should check to see that squid and dansguardian are listening on the
correct ports... try:
  netstat -a|grep LISTEN|awk '{print $4 " " $7}'
You should get something like:

*:http-alt
*:ssh
localhost:3128
[::]:ssh


I am not using transparent mode so I would guess that the line that says
http-alt on your system should be: http
The output above is saying that my system is listening to port 8080
(http-alt) for web requests from anywhere which is dansguardian and it is
listening on port 3128 for requests only from local host (which is squid).
  Your system should show requests from anywhere on port 80 (http) and port
3128 (squid) for localhost.  You may also be listening on https...

If this netstat command looks fine then next you need to try to connect to
the listening port from another machine; this will check your firewall
rules.  If you get "connection refused" then you have a problem with your
firewall rules.
Try telnetting into your server and port; for example, on my machine I get:

$ telnet 10.22.88.204 8080
Trying 10.22.88.204...
Connected to 10.22.88.204.
Escape character is '^]'.


As to only one NIC:

I have never tried using a router with only one NIC.  I would highly
recommend a second NIC!

If you're using a firewall with only one NIC then you have to be routing
through a single interface.

If you are using a desktop or tower machine then I recommend one of these:
Low Profile 8139 chipset NIC:
http://www.newegg.com/Product/Product.aspx?Item=N82E16833114006&cm_re=8139-_-33-114-006-_-Product
Standard 8139 chipset NIC:
http://www.newegg.com/Product/Product.aspx?Item=N82E16833166004&cm_re=8139-_-33-166-004-_-Product

Both are very inexpensive and I have used both with IPCop, Smoothwall &
Debian; they will work without installing any drivers etc.

There are also USB or PCMCIA NICs that can work with Linux if you don't
have a PCI port to install a NIC in.





On Mon, Nov 23, 2009 at 12:15 PM, navin <navinsmd@...> wrote:

>
>
> Hi,
>
> I have configured transparent proxy with squid + dansguardian .
>
> squid-3.1.0.14-1.fc12.i686
> dansguardian-2.10.1.1-3.fc12.i686
>
> I have an ADSL router and only one NIC in the squid server, and the firewall
> also resides on the same system.
> But it seems the transparent proxy with dansguardian is not working.
>
> I am getting the error 'Proxy server is refusing connection'
>
> Please find the settings of squid.conf, dansguardian.conf and iptables
> rules .
>
> ==================== squid.conf ================
>
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32
> acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
> acl localnet src 10.0.0.0/8    # RFC1918 possible internal network
> acl localnet src 172.16.0.0/12    # RFC1918 possible internal network
> acl localnet src 192.168.0.0/16    # RFC1918 possible internal network
> acl SSL_ports port 443
> acl Safe_ports port 80        # http
> acl Safe_ports port 21        # ftp
> acl Safe_ports port 443        # https
> acl Safe_ports port 70        # gopher
> acl Safe_ports port 210        # wais
> acl Safe_ports port 1025-65535    # unregistered ports
> acl Safe_ports port 280        # http-mgmt
> acl Safe_ports port 488        # gss-http
> acl Safe_ports port 591        # filemaker
> acl Safe_ports port 777        # multiling http
> acl CONNECT method CONNECT
>
> cache_effective_user squid
> cache_effective_group squid
>
> visible_hostname = testsquid
>
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localnet
> http_access allow localhost
> http_access deny all
> http_port 127.0.0.1:3128 transparent
> hierarchy_stoplist cgi-bin ?
> coredump_dir /var/spool/squid
> refresh_pattern ^ftp:        1440    20%    10080
> refresh_pattern ^gopher:    1440    0%    1440
> refresh_pattern -i (/cgi-bin/|\?) 0    0%    0
> refresh_pattern .        0    20%    4320
>
> =============================================================
>
> ===================== dansguardian.conf ======================
> daemonuser = 'nobody'
> daemongroup = 'nogroup'
> softrestart = off
>
> mailer = '/usr/sbin/sendmail -t'
> filterport = 8080
> proxyip = 127.0.0.1
> proxyport = 3128
>
> filtergroups = 1
> #filtergroupslist = '/etc/dansguardian/lists/filtergroupslist'
>
> bannedurllist = '/etc/dansguardian/lists/blacklists/adult/urls'
> bannedsitelis = '/etc/dansguardian/lists/bannedsitelist'
>
> # Authentication files location
> bannediplist = '/etc/dansguardian/lists/bannediplist'
> exceptioniplist = '/etc/dansguardian/lists/exceptioniplist'
>
> ==============================================
>
> ============= iptables =================
>
> cat /etc/sysconfig/iptables
> # Generated by iptables-save v1.4.5 on Sun Nov 22 23:19:13 2009
> *nat
> :PREROUTING ACCEPT [2340:786600]
> :POSTROUTING ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> -A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner squid -j ACCEPT
> -A OUTPUT -p tcp -m tcp --dport 3128 -m owner --uid-owner squid -j ACCEPT
> -A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
> -A OUTPUT -p tcp -m tcp --dport 3128 -j REDIRECT --to-ports 8080
> COMMIT
> # Completed on Sun Nov 22 23:19:13 2009
> # Generated by iptables-save v1.4.5 on Sun Nov 22 23:19:13 2009
> *filter
> :INPUT ACCEPT [21835:26349924]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [16173:1198341]
> COMMIT
> # Completed on Sun Nov 22 23:19:13 2009
>
> ============================================================
>
> [Non-text portions of this message have been removed]
>
>
>



--
Sincerely,
Joshaven Potter

"No man making a profession of faith ought to sin, nor one possessed of love
to hate his brother. For He that said, “Thou shalt love the Lord thy God,”
  said also, “and thy neighbor as thyself.”  Those that profess themselves to
be Christ’s are known not only by what they say, but by what they practice.
“For the tree is known by its fruit.”" -- Ignatius


[Non-text portions of this message have been removed]

#23440 From: Andrew Vandever <andrew.vandever@...>
Date: Mon Nov 23, 2009 5:22 pm
Subject: Re: transparent proxy with dansguardian on Fedora12
 
Try changing "-j REDIRECT --to-ports 8080" to "-j DNAT --to-destination
127.0.0.1:8080". "man iptables" to reference this. Also, it might be
better to just "-A POSTROUTING -m tcp -p tcp --dport 3128 -j
REJECT"...I'm worried your 3128 redirect on OUTPUT might be messing up
dansguardian talking to squid...not sure, though.

Regards,
Andrew

navin wrote:
>
>
> Hi,
>
> I have configured transparent proxy with squid + dansguardian .
>
> squid-3.1.0.14-1.fc12.i686
> dansguardian-2.10.1.1-3.fc12.i686
>
> I have an ADSL router and only one NIC in the squid server, and the firewall
> also resides on the same system.
> But it seems the transparent proxy with dansguardian is not working.
>
> I am getting the error 'Proxy server is refusing connection'
>
> Please find the settings of squid.conf, dansguardian.conf and iptables
> rules .
>
> ==================== squid.conf ================
>
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32
> acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
> acl localnet src 10.0.0.0/8    # RFC1918 possible internal network
> acl localnet src 172.16.0.0/12    # RFC1918 possible internal network
> acl localnet src 192.168.0.0/16    # RFC1918 possible internal network
> acl SSL_ports port 443
> acl Safe_ports port 80        # http
> acl Safe_ports port 21        # ftp
> acl Safe_ports port 443        # https
> acl Safe_ports port 70        # gopher
> acl Safe_ports port 210        # wais
> acl Safe_ports port 1025-65535    # unregistered ports
> acl Safe_ports port 280        # http-mgmt
> acl Safe_ports port 488        # gss-http
> acl Safe_ports port 591        # filemaker
> acl Safe_ports port 777        # multiling http
> acl CONNECT method CONNECT
>
> cache_effective_user squid
> cache_effective_group squid
>
> visible_hostname = testsquid
>
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localnet
> http_access allow localhost
> http_access deny all
> http_port 127.0.0.1:3128 transparent
> hierarchy_stoplist cgi-bin ?
> coredump_dir /var/spool/squid
> refresh_pattern ^ftp:        1440    20%    10080
> refresh_pattern ^gopher:    1440    0%    1440
> refresh_pattern -i (/cgi-bin/|\?) 0    0%    0
> refresh_pattern .        0    20%    4320
>
> =============================================================
>
> ===================== dansguardian.conf ======================
> daemonuser = 'nobody'
> daemongroup = 'nogroup'
> softrestart = off
>
> mailer = '/usr/sbin/sendmail -t'
> filterport = 8080
> proxyip = 127.0.0.1
> proxyport = 3128
>
> filtergroups = 1
> #filtergroupslist = '/etc/dansguardian/lists/filtergroupslist'
>
> bannedurllist = '/etc/dansguardian/lists/blacklists/adult/urls'
> bannedsitelis = '/etc/dansguardian/lists/bannedsitelist'
>
> # Authentication files location
> bannediplist = '/etc/dansguardian/lists/bannediplist'
> exceptioniplist = '/etc/dansguardian/lists/exceptioniplist'
>
> ==============================================
>
> ============= iptables =================
>
> cat /etc/sysconfig/iptables
> # Generated by iptables-save v1.4.5 on Sun Nov 22 23:19:13 2009
> *nat
> :PREROUTING ACCEPT [2340:786600]
> :POSTROUTING ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> -A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner squid -j ACCEPT
> -A OUTPUT -p tcp -m tcp --dport 3128 -m owner --uid-owner squid -j ACCEPT
> -A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
> -A OUTPUT -p tcp -m tcp --dport 3128 -j REDIRECT --to-ports 8080
> COMMIT
> # Completed on Sun Nov 22 23:19:13 2009
> # Generated by iptables-save v1.4.5 on Sun Nov 22 23:19:13 2009
> *filter
> :INPUT ACCEPT [21835:26349924]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [16173:1198341]
> COMMIT
> # Completed on Sun Nov 22 23:19:13 2009
>
> ============================================================
>
> [Non-text portions of this message have been removed]
>
>

--
Andrew Vandever
andrew.vandever@...
http://www.avcomp.net
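
The concern about the 3128 redirect on OUTPUT can be checked by replaying the posted *nat OUTPUT rules for each local user. This is an added example, not code from any post in the thread; it models only first-match evaluation of the options that appear in the posted rules, takes the filter's user (nobody) and ports from the posted dansguardian.conf, and uses "alice" as a placeholder for any other local account.

```python
# The *nat rules exactly as posted in the thread (iptables-save format).
POSTED_NAT_RULES = """\
-A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner squid -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 3128 -m owner --uid-owner squid -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A OUTPUT -p tcp -m tcp --dport 3128 -j REDIRECT --to-ports 8080
"""


def parse_rules(text):
    """Parse iptables-save '-A' lines; only options seen in the thread are understood."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 2 or tok[0] != "-A":
            continue  # table names, chain policies, COMMIT, comments
        rule = {"chain": tok[1], "dport": None, "uid": None,
                "target": None, "to_port": None}
        # Every option used in the posted rules takes exactly one argument.
        for opt, val in zip(tok[2::2], tok[3::2]):
            if opt == "--dport":
                rule["dport"] = int(val)
            elif opt == "--uid-owner":
                rule["uid"] = val
            elif opt == "-j":
                rule["target"] = val
            elif opt == "--to-ports":
                rule["to_port"] = int(val)
            elif opt == "--to-destination":  # DNAT form suggested in the reply
                rule["to_port"] = int(val.rsplit(":", 1)[1])
        rules.append(rule)
    return rules


def nat_output(rules, uid, dport):
    """Port a locally generated TCP connection ends up on (first matching rule wins)."""
    for r in rules:
        if r["chain"] != "OUTPUT":
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        if r["uid"] is not None and r["uid"] != uid:
            continue
        if r["target"] in ("REDIRECT", "DNAT"):
            return r["to_port"]
        return dport  # ACCEPT: destination is left alone
    return dport      # nothing matched: chain policy ACCEPT


def audit(rules, filter_user, filter_port, proxy_port):
    """Return findings for a filter -> proxy chain running on the same host."""
    findings = []
    if nat_output(rules, filter_user, proxy_port) == filter_port:
        findings.append(
            f"loop: {filter_user}'s connection to proxy port {proxy_port} "
            f"is redirected back to filter port {filter_port}")
    if not any(r["chain"] == "PREROUTING" for r in rules):
        findings.append(
            "no PREROUTING rule: connections arriving from other hosts "
            "are not redirected to the filter by these rules")
    return findings


if __name__ == "__main__":
    rules = parse_rules(POSTED_NAT_RULES)
    for who, port in [("squid", 80), ("alice", 80), ("nobody", 3128)]:
        print(f"{who} -> :{port} lands on :{nat_output(rules, who, port)}")
    print("posted rules:")
    for finding in audit(rules, "nobody", 8080, 3128):
        print("  ", finding)
    print("without the fourth rule:")
    for finding in audit(rules[:3], "nobody", 8080, 3128):
        print("  ", finding)
```

With the posted rules, the connection DansGuardian (running as nobody) opens to 127.0.0.1:3128 matches the fourth rule and comes back to port 8080; only connections owned by squid are exempt.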




#23439 From: navin <navinsmd@...>
Date: Mon Nov 23, 2009 5:15 pm
Subject: transparent proxy with dansguardian on Fedora12
 
Hi,


I have configured transparent proxy with squid + dansguardian .

squid-3.1.0.14-1.fc12.i686
dansguardian-2.10.1.1-3.fc12.i686

I have an ADSL router and only one NIC in the squid server, and the firewall also
resides on the same system.
But it seems the transparent proxy with dansguardian is not working.

I am getting the error 'Proxy server is refusing connection'

Please find the settings of squid.conf, dansguardian.conf and iptables rules.

==================== squid.conf ================

acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl localnet src 10.0.0.0/8    # RFC1918 possible internal network
acl localnet src 172.16.0.0/12    # RFC1918 possible internal network
acl localnet src 192.168.0.0/16    # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80        # http
acl Safe_ports port 21        # ftp
acl Safe_ports port 443        # https
acl Safe_ports port 70        # gopher
acl Safe_ports port 210        # wais
acl Safe_ports port 1025-65535    # unregistered ports
acl Safe_ports port 280        # http-mgmt
acl Safe_ports port 488        # gss-http
acl Safe_ports port 591        # filemaker
acl Safe_ports port 777        # multiling http
acl CONNECT method CONNECT

cache_effective_user squid
cache_effective_group squid

visible_hostname = testsquid

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 127.0.0.1:3128 transparent
hierarchy_stoplist cgi-bin ?
coredump_dir /var/spool/squid
refresh_pattern ^ftp:        1440    20%    10080
refresh_pattern ^gopher:    1440    0%    1440
refresh_pattern -i (/cgi-bin/|\?) 0    0%    0
refresh_pattern .        0    20%    4320

=============================================================

===================== dansguardian.conf ======================
daemonuser = 'nobody'
daemongroup = 'nogroup'
softrestart = off

mailer = '/usr/sbin/sendmail -t'
filterport = 8080
proxyip = 127.0.0.1
proxyport = 3128

filtergroups = 1
#filtergroupslist = '/etc/dansguardian/lists/filtergroupslist'

bannedurllist = '/etc/dansguardian/lists/blacklists/adult/urls'
bannedsitelis = '/etc/dansguardian/lists/bannedsitelist'

# Authentication files location
bannediplist = '/etc/dansguardian/lists/bannediplist'
exceptioniplist = '/etc/dansguardian/lists/exceptioniplist'



==============================================

============= iptables =================

cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.5 on Sun Nov 22 23:19:13 2009
*nat
:PREROUTING ACCEPT [2340:786600]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner squid -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 3128 -m owner --uid-owner squid -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A OUTPUT -p tcp -m tcp --dport 3128 -j REDIRECT --to-ports 8080
COMMIT
# Completed on Sun Nov 22 23:19:13 2009
# Generated by iptables-save v1.4.5 on Sun Nov 22 23:19:13 2009
*filter
:INPUT ACCEPT [21835:26349924]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [16173:1198341]
COMMIT
# Completed on Sun Nov 22 23:19:13 2009

============================================================






#23438 From: "bdn3504" <bdn3504@...>
Date: Mon Nov 23, 2009 10:46 am
Subject: Disabling Logging for one group in DG 2.9.9.7
 
I found a Website listing the configuration file to DG 2.8.0.4:
http://arnofear.free.fr/linux/template.php?tuto=5&page=3
In that configuration file, there is one parameter looking like this:

# Disable logging process
# on|off ( defaults to off )
nologger = off

In the configuration file of my DG, I can't find such a parameter anywhere.
I want to know if it is possible to disable logging completely for one group in
DG 2.9.9.7 using different config files.

#23437 From: Joshaven Potter <yourtech@...>
Date: Sat Nov 21, 2009 3:08 pm
Subject: Re: Re: I want a filter group to behave differently at different times of day.
 
dansguardian uses squid.  Squid can do it if you want to configure it.

You can create a list of ip addresses that each username is able to use.  If
you want the user to be able to use any internal IP then this solution won't
work.

However, I don't think this type of filtering is best.  I recommend
reviewing logs and holding people accountable for their usage.  I wouldn't
give my login to someone to abuse it when I was going to be held
accountable.

I am sure there are other options but any option will be more intensive than
informing people to not share their authentication credentials because they
are being monitored.






On Fri, Nov 20, 2009 at 3:23 AM, bdn3504 <bdn3504@...> wrote:

>
>
>
> > As to your other questions, it might help to better understand what
> you're
> > trying to accomplish. Concurrent logins should be prevented by the
> > authentication server for the workstations though (e.g. in Active
> > directory/group).
>
> So dansguardian cannot detect how many users use the same login?
>
> As I said, I want to prevent the situation that a user gives out his login
> information to another user and then these two users log in at the same
> time. I use the proxy basic authentication plugin, so there's no AD server
> or such as that. In my configuration, squid is responsible for user
> authorization.
>
> Thanks for the help so far.
>
>
>



--
Sincerely,
Joshaven Potter

"No man making a profession of faith ought to sin, nor one possessed of love
to hate his brother. For He that said, “Thou shalt love the Lord thy God,”
  said also, “and thy neighbor as thyself.”  Those that profess themselves to
be Christ’s are known not only by what they say, but by what they practice.
“For the tree is known by its fruit.”" -- Ignatius



#23436 From: "Mike Gill" <lists2@...>
Date: Fri Nov 20, 2009 9:25 pm
Subject: RE: Re: I want a filter group to behave differently at different times of day.
 
Hmm, a quick google reveals m0m0wall can detect and terminate concurrent
login sessions, but I don't have time to look into how this is achieved.



--
Mike Gill



From: dansguardian@yahoogroups.com [mailto:dansguardian@yahoogroups.com] On
Behalf Of bdn3504
Sent: Friday, November 20, 2009 12:24 AM
To: dansguardian@yahoogroups.com
Subject: [dansguardian] Re: I want a filter group to behave differently at
different times of day.






> As to your other questions, it might help to better understand what you're
> trying to accomplish. Concurrent logins should be prevented by the
> authentication server for the workstations though (e.g. in Active
> directory/group).

So dansguardian cannot detect how many users use the same login?

As I said, I want to prevent the situation that a user gives out his login
information to another user and then these two users log in at the same
time. I use the proxy basic authentication plugin, so there's no AD server
or such as that. In my configuration, squid is responsible for user
authorization.

Thanks for the help so far.






#23435 From: "bdn3504" <bdn3504@...>
Date: Fri Nov 20, 2009 3:02 pm
Subject: User Authentication: Restrict One IP to One User
 
I'm using Dansguardian 2.9.9.7 in combination with squid3.0.STABLE1.
I have some ACLs set up in squid like this:

acl auth proxy_auth REQUIRED
acl Restrict_User_Tally max_user_ip -s 1
acl Usergroup proxy_auth usr01 usr02 usr03
acl DANS src 127.0.0.1

http_access deny !auth
http_access deny Restrict_User_Tally Usergroup
http_access allow DANS

I configured DG to connect to squid over port 3128 and the requests are
intercepted on port 8080 by DG.

I configured DG to assign the users to different user groups, making it use the
proxy-basic auth plugin.

When I surfed the web using my DG/squid combo reachable over port 8080 from two
different PCs with two different IP addresses but both logging in to the same
account (usr01), squid did not give out any warnings that usr01 is using
more than one IP.

Then I reconfigured squid to ignore DG and simply made it listen to port 3128.
After having set up the two PCs to use that same port as the proxy port in the
browser, I tried logging in on both machines at the same time and I couldn't.
Here's the cache.log file entry for that:

2009/11/20 15:22:48| aclMatchUserMaxIP: user 'usr01' tries to use too many IP addresses (max 1 allowed)!

Why does this not work with dansguardian? Does it have something to do with

2009/11/20 15:26:15| clientNatLookup: NF getsockopt(SO_ORIGINAL_DST) failed: (92) Protocol not available

? I read that this was only solved in squid3.0.STABLE8. If so, is the only way
to make that kind of authentication/verification work to install the latest
build (or ver >=8)? Or can I set some other configurations to make it work with
STABLE1?
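
In the chained setup above every request reaches squid from DansGuardian's own address (the post's "acl DANS src 127.0.0.1"), so a per-user limit keyed on the TCP peer sees one address no matter how many PCs share the login. The model below is an added example, not squid or DansGuardian code and not part of the post; the class, its trust_forwarded switch, the ttl value and the 192.168.1.x client addresses are assumptions, and it presumes the filter passes the client address in an X-Forwarded-For header like the one in the proxy-side trace of message #23444.

```python
from collections import defaultdict

# Address squid sees the filter connect from (the post's "acl DANS src 127.0.0.1").
TRUSTED_FILTERS = {"127.0.0.1"}


class UserIpTally:
    """Toy model of a per-user address limit; an illustration, not squid's code."""

    def __init__(self, max_ips=1, ttl=300, trust_forwarded=False):
        self.max_ips = max_ips
        self.ttl = ttl                        # seconds an address stays counted (assumed)
        self.trust_forwarded = trust_forwarded
        self.seen = defaultdict(dict)         # user -> {address: last seen time}

    def client_address(self, peer, xff):
        """Address to count: the TCP peer, or the forwarded one if the peer is trusted."""
        if self.trust_forwarded and peer in TRUSTED_FILTERS and xff:
            # The last entry is the one appended by the directly connected filter.
            return xff.split(",")[-1].strip()
        return peer                           # never believe the header from other peers

    def allow(self, now, user, peer, xff=None):
        addr = self.client_address(peer, xff)
        live = {a: t for a, t in self.seen[user].items() if now - t <= self.ttl}
        allowed = addr in live or len(live) < self.max_ips
        if allowed:
            live[addr] = now
        self.seen[user] = live
        return allowed


def replay(tally, requests):
    """Feed (time, user, peer address, X-Forwarded-For) tuples; return allow/deny per request."""
    return [tally.allow(*req) for req in requests]


# Constructed requests: two PCs logging in as usr01 five seconds apart.
DIRECT = [(0, "usr01", "192.168.1.10", None),
          (5, "usr01", "192.168.1.11", None)]
VIA_FILTER = [(0, "usr01", "127.0.0.1", "192.168.1.10"),
              (5, "usr01", "127.0.0.1", "192.168.1.11")]
# Second PC connects directly and claims the first PC's address in the header.
SPOOFED = [(0, "usr01", "192.168.1.10", None),
           (5, "usr01", "192.168.1.11", "192.168.1.10")]

if __name__ == "__main__":
    print("direct to proxy:        ", replay(UserIpTally(), DIRECT))
    print("via filter, peer only:  ", replay(UserIpTally(), VIA_FILTER))
    print("via filter, header used:", replay(UserIpTally(trust_forwarded=True), VIA_FILTER))
    print("spoofed header, direct: ", replay(UserIpTally(trust_forwarded=True), SPOOFED))
```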

#23434 From: "bdn3504" <bdn3504@...>
Date: Fri Nov 20, 2009 10:58 am
Subject: Re: I want a filter group to behave differently at different times of day.
 
I now found out what was meant by "any file of filter restrictions" and "each
configuration file" in the FAQ. This is expressed really badly in that FAQ.
What the author meant to say is:
"You can change the times of day in which the LISTS are accessed."
This means of course, you'll have to copy the list for different groups. I think
the adequate way of controlling access dependent on time would be to give that
option in the configuration files for the respective groups. Especially for my
purpose the configuration of each list file is an enormous burden, because I
only want to completely restrict access to the web and at times allow filtered
access.
If I had the ability to simply specify the time for the different group modes
this would be so much easier.
E.g.:

# Filter group mode
# This option determines whether members of this group have their web access
# unfiltered, filtered, or banned. This mechanism replaces the "banneduserlist"
# and "exceptionuserlist" files from previous versions.
#
# 0 = banned
# 1 = filtered
# 2 = unfiltered (exception)
#
groupmode = 0 #time:  9  0  17  0 01234
groupmode = 1 #time: 17  1   8 59 01234
groupmode = 2 #time:  0  1  23 59 56

# Time limiting syntax:
# #time: <start hour> <start minute> <end hour> <end minute> <days>
# Example:
##time: 9 0 17 0 01234
# Remove the first # from the line above to enable this list only from
# 9am to 5pm, Monday to Friday.

#23433 From: "mrabbath" <mrabbath@...>
Date: Fri Nov 20, 2009 10:09 am
Subject: Proxy-Connection: close
 
Hello,
I am using dansguardian and squid in a transparent proxy mode but I
noticed that any file download will cut after a few moments. So I'm
unable to complete a file download.
Debugging shows this:

HTTP/1.1 200 OK
Content-Length: 465237654
Content-Type: application/x-cd-image
.
.
.
Proxy-Connection: close

I am using DG 2.9.9.3 and squid 2.6.stable14.
What can I do to solve this?
Should I use a different DG or squid version? Should I use persistent
connections?

Appreciate any help on this matter. I have 500 users running behind this
proxy.

Thanks.

Marc




#23432 From: "bdn3504" <bdn3504@...>
Date: Fri Nov 20, 2009 8:23 am
Subject: Re: I want a filter group to behave differently at different times of day.
 
> As to your other questions, it might help to better understand what you're
> trying to accomplish. Concurrent logins should be prevented by the
> authentication server for the workstations though (e.g. in Active
> directory/group).

So dansguardian cannot detect how many users use the same login?

As I said, I want to prevent the situation that a user gives out his login
information to another user and then these two users log in at the same time. I
use the proxy basic authentication plugin, so there's no AD server or such as
that. In my configuration, squid is responsible for user authorization.

Thanks for the help so far.

#23431 From: "Mike Gill" <lists2@...>
Date: Thu Nov 19, 2009 9:06 pm
Subject: RE: I want a filter group to behave differently at different times of day.
 
Hmm, I didn't find anything in the conf file either. Though it should be
easy to do with a cron job.



As to your other questions, it might help to better understand what you're
trying to accomplish. Concurrent logins should be prevented by the
authentication server for the workstations though (e.g. in Active
directory/group).



--
Mike Gill



From: dansguardian@yahoogroups.com [mailto:dansguardian@yahoogroups.com] On
Behalf Of bdn3504
Sent: Thursday, November 19, 2009 5:17 AM
To: dansguardian@yahoogroups.com
Subject: [dansguardian] I want a filter group to behave differently at
different times of day.





As stated in the DG FAQ on the DG documentation wiki (General Q #21) this is
possible. But HOW do I achieve that? I can't find any time specifications in
my dansguardian.conf file. Using DG 2.9.9.7.

Also, is it possible to restrict access to two hours since login? E.g. user
A logs in at time t1. dg starts counting until t1 = t1+120 minutes and then
closes the connection for that user for the rest of the day.

Another thing:
I am using the proxy basic auth authentication method for user
identification. Can I restrict login to one instance per user? Say user a is
specified in the grouplist to belong to group f1 and logs in on a machine
with his name and pw. A second user somehow obtained the user/pwd data of
user a and logs in on another machine at the same time. Can I prevent that?






#23430 From: Joshaven Potter <yourtech@...>
Date: Thu Nov 19, 2009 7:02 pm
Subject: Re: "Phrases" help
 
I don't know anything about the SME Server interface that you're using but I
recommend reading through the config files
(dansguardian.conf & dansguardianf1.conf), which should be located in
/etc/dansguardian

These files will reference lists.  These lists should be located
in /etc/dansguardian/lists/

If you understand what you're reading I would guess that the problem will
become apparent.

Be careful to make backup copies before changing things and only make
changes related to getting things working, you can refine things once you
can change & check the settings.  If you go and make a whole bunch of
changes you'll be likely to end up with a mess.




On Thu, Nov 19, 2009 at 1:46 PM, amditta <amditta@...> wrote:

>
>
> I am running Dansguardian on SME Server 7.4 and having a problem getting it
> to allow all sites except for the specific ones I ban.
>
> I have the group set to filtered access with blanket bans and selective
> bans disabled but it is blocking almost everything except the sites I
> specifically tell it not to. I have tried everything I can think of to get
> it to allow sites but it only allows some. What am I doing wrong?
>
> Filter mode filtered
> Bypass link Disabled
> Reporting level just say Access Denied
> Bypass AV Disabled
> Weighted phrase limit 9999 worldly
> Pics rating Unused
> Denied Page Defaultcgihtml
> Denied Page Default = dansguardian.pl, html = nul, cgi = nul
> Denied URL (cgi)
>
> Blanket Bans
> Sites can be blocked as noted below, use exceptions for selected sites.
> ie. add domains in site allow (whitelist mode)
>
> Block ALL file or mimetypes, except those in the file or mimetype exception
> lists.
> Alternativly, you can use the extensions or mimetypes Deny Lists
> to block specific kinds of file downloads.
> Allow site & Allow url, is an override for these blocks, but still filters.
>
>
> Block http sites Disabled
> Block https sites Disabled
> Block IP address Disabled
> Block all file and mimetypes Disabled
> Selective Bans
> To block sites by regexp URL.
>
> Block Porn Disabled
> Safe search Disabled
> Block advertising Disabled
> Block proxies Disabled
>
>
>



--
Sincerely,
Joshaven Potter

"No man making a profession of faith ought to sin, nor one possessed of love
to hate his brother. For He that said, “Thou shalt love the Lord thy God,”
  said also, “and thy neighbor as thyself.”  Those that profess themselves to
be Christ’s are known not only by what they say, but by what they practice.
“For the tree is known by its fruit.”" -- Ignatius



#23429 From: "amditta" <amditta@...>
Date: Thu Nov 19, 2009 6:46 pm
Subject: "Phrases" help
amditta
 
I am running Dansguardian on SME Server 7.4 and having a problem getting it to
allow all sites except for the specific ones I ban.

I have the group set to filtered access with blanket bans and selective bans
disabled but it is blocking almost everything except the sites I specifically
tell it not to.  I have tried everything I can think of to get it to allow sites
but it only allows some. What am I doing wrong?


Filter mode   filtered
Bypass link   Disabled
Reporting level   just say Access Denied
Bypass AV   Disabled
Weighted phrase limit   9999 worldly
Pics rating   Unused
Denied Page   Defaultcgihtml
Denied Page  Default = dansguardian.pl, html = nul, cgi = nul
Denied URL (cgi)

Blanket Bans
Sites can be blocked as noted below, use exceptions for selected sites.
ie. add domains in site allow (whitelist mode)

Block ALL file or mimetypes, except those in the file or mimetype exception
lists.
Alternativly, you can use the extensions or mimetypes Deny Lists
to block specific kinds of file downloads.
Allow site & Allow url, is an override for these blocks, but still filters.


Block http sites   Disabled
Block https sites   Disabled
Block IP address   Disabled
Block all file and mimetypes   Disabled
Selective Bans
To block sites by regexp URL.

Block Porn   Disabled
Safe search   Disabled
Block advertising   Disabled
Block proxies   Disabled

#23428 From: Joshaven Potter <yourtech@...>
Date: Thu Nov 19, 2009 4:50 pm
Subject: Re: ICAP capabilities
yourtech@...
 
If you're referring to not being able to access the internet through the proxy
with a device like a Direct-TV then this may be of assistance to you:

http://www.dd-wrt.com/wiki/index.php/Squid_Transparent_Proxy

The link is a link that provides information on forcing all traffic through
a proxy from your router... I expect that the interesting piece will be the
iptables rules under "Option 2" which shows you how to forward traffic from
a particular device around the proxy.

This is something of an indirect answer; hopefully it helps.






On Thu, Nov 19, 2009 at 10:59 AM, Luis Daniel Lucio Quiroz <
luis.daniel.lucio@...> wrote:

>
>
> Hi all
>
> Using latest Dg, is there any icap capability that is not yet supported?
>
> TIA
>
> LD
>
>



--
Sincerely,
Joshaven Potter

"No man making a profession of faith ought to sin, nor one possessed of love
to hate his brother. For He that said, “Thou shalt love the Lord thy God,”
  said also, “and thy neighbor as thyself.”  Those that profess themselves to
be Christ’s are known not only by what they say, but by what they practice.
“For the tree is known by its fruit.”" -- Ignatius



#23427 From: Luis Daniel Lucio Quiroz <luis.daniel.lucio@...>
Date: Thu Nov 19, 2009 3:59 pm
Subject: ICAP capabilities
Dieu0
 
Hi all

Using latest Dg, is there any icap capability that is not yet supported?

TIA

LD

#23426 From: "bdn3504" <bdn3504@...>
Date: Thu Nov 19, 2009 1:16 pm
Subject: I want a filter group to behave differently at different times of day.
bdn3504
 
As stated in the DG FAQ on the DG documentation wiki (General Q #21) this is
possible. But HOW do I achieve that? I can't find any time specifications in my
dansguardian.conf file. Using DG 2.9.9.7.

Also, is it possible to restrict access to two hours since login? E.g. user A
logs in at time t1. dg starts counting until t1 = t1+120 minutes and then closes
the connection for that user for the rest of the day.

Another thing:
I am using the proxy basic auth authentication method for user identification.
Can I restrict login to one instance per user? Say user a is specified in the
grouplist to belong to group f1 and logs in on a machine with his name and pw. A
second user somehow obtained the user/pwd data of user a and logs in on another
machine at the same time. Can I prevent that?

#23425 From: "mttocs" <mttocs@...>
Date: Tue Nov 17, 2009 5:27 pm
Subject: Multiple 'exceptionmimetypelist' filters not working
mttocs
 
Cannot seem to figure this out -- basically I need two separate filter groups to
use different '/etc/dansguardian/lists/exceptionmimetypelist' filter files (I
have the second named '/etc/dansguardian/lists/exceptionmimetypelist2').

A quick overview of my config:

Version: 2.9.9.7-2~hardy2
Ubuntu: 2.6.24-23-server

I have 4 filter groups and have the dansguardianf1-4.conf files defined.  I have
the ipgroups file configured to assign filter groups by IP address and there is
no other authentication besides that.  So for example 192.168.10.5=filter2,
192.168.10.6=filter3, etc...

Within each dansguardianfN file I already have separate exceptionsitelist files
defined that work just fine.  So filter2 has exceptionsitelist_group2 defined in
the dansguardianf2.conf file, and so on.

The problem is that when I try and do the same thing for the
exceptionmimetypelist , each group will only use the one defined in
dansguardianf1.conf.  It for some reason will not read the exceptionmimetypelist
from the corresponding dansguardianfN.conf file?

Yes blockdownloads = on is defined in each of the dansguardianfN.conf files and
groupmode = 1 is also set.

Any suggestions?

#23424 From: "Aecio F. Neto" <aecioneto@...>
Date: Sat Nov 14, 2009 2:21 pm
Subject: Re: Trickle plugin, multiple bytes
aecioneto
 
On Sat, Nov 14, 2009 at 12:14 PM, Nerijus Baliunas <
nerijus@...> wrote:

> Hello,
>
> I'd like to try even in production environment :)
>

I wouldn't yet, but of course you can! LOL

I will send it to you ASAP, thru email.



#23423 From: Nerijus Baliunas <nerijus@...>
Date: Sat Nov 14, 2009 2:14 pm
Subject: Re: Trickle plugin, multiple bytes
nerijusbbd
 
Hello,

I'd like to try even in production environment :)

Nerijus

On Sun, 04 Oct 2009 00:22:13 -0000 Neto <aecioneto@...> wrote:

> I just converted the current trickle single-byte download manager to a
> multi-byte version.
> Basic difference is:
> a) it properly identifies download rate and estimated time to finish;
> b) it sends all file bytes but the last x bytes defined by admin in its conf file;
>
> Some will say it is insecure to send bytes to clients as it is downloaded, but
> admin/user now can decide between user-friendliness of accurate transfer rate
> and ETA due to security.
>
> Notice that, if content is blocked, downloaded file will be corrupted and not
> usable. Some AVs can still report file infected due to pattern analysis of
> transferred content.
>
> I cannot consider this patch stable, since I am the only one who tested it.
>
> So, I am looking for testers to try it outside PROD ENV.
>
> Post here your email or email me: aecioneto AT gmail DOT com
>
> Regards to all.

#23422 From: "webm52c01" <b.combs@...>
Date: Fri Nov 13, 2009 6:05 pm
Subject: Re: Blanket Block Problems
webm52c01
 
Genius.  I had been toying with that idea but hadn't tried it.  That fixed it
for me.  Just created a new file named bannedsitelist only containing **

This has been frustrating me for a couple of days now.

--- In dansguardian@yahoogroups.com, "mila1021" <jose@...> wrote:
>
> --- In dansguardian@yahoogroups.com, "Chuck Kollars" <ckollars9@>
> wrote:
> >
> > > I recently tried to add a group to have blanket block, but no
> > > matter what I do, it never seems to work. I added some sites
> > > into the bannedsitelist and the group is working and blocking
> > > the sites I added manually, but the **, **s, *ip, *ips doesn't
> > > seem to work no matter what I do.
> > > Any advice?
> >
> > How about a little more information? There are a gazillion different
> > ways to get this result --many involving nothing more than a misplaced
> > keystroke. Without knowing a little more about exactly what you tried,
> > guessing which reason is behind your problem is pretty hard.
> >
> > So:
> > 1) What exact version of DansGuardian are you running?
> > 2) Have you upgraded in the past few months?
> > 3) Are you talking about blanket download block, or blanket webpage
> > block?
> > 4) Can you please post the *whole* 'bannedsitelist' (including your
> > attempt at blanket block) where you enabled the block?
> > 5) Can you please post the associated filter group config file
> > (dansguardianfN.conf)?
> > 6) Can you please post the entries *from*the*log* that appeared when
> > you tested your change? (See
> > http://contentfilter.futuragts.com/wiki/doku.php?id=general_troubleshooting_strategies#tipuse_the_log_fully
> > for more information about the log).
> >
> > thanks! -Chuck Kollars (retired computer geek and longtime DG user)
> >
> Thanks for the response, I managed to fix it, I don't really know what
> was wrong, I just uncommented the line in the bannedsitelist, but it
> never worked. I created a banned_site with just the ** and set that as
> the path in the dansguardianfX.conf on the bannedsitelist variable and
> it worked.
>

#23418 From: "Mike Gill" <lists2@...>
Date: Fri Nov 13, 2009 1:18 am
Subject: RE: banned regular expressions question
lists2@...
Send Email Send Email
 
My guess is it's seeing the word "tit". E.g. supers"tit"ion. Add "tit" to
your greyurllist file. This will stop that word from triggering a ban when
it's in the URL, but still filter the contents of the page that comes up.



--
Mike Gill



From: dansguardian@yahoogroups.com [mailto:dansguardian@yahoogroups.com] On
Behalf Of Bryan
Sent: Thursday, November 12, 2009 11:13 AM
To: dansguardian@yahoogroups.com
Subject: [dansguardian] banned regular expressions question





Hi,
I have a teacher who wants the kids to research superstitions and whenever
they Google "superstitions" it is a banned regular expression. I am trying
to find out the best practice for letting this type of activity through the
dans filter?
Thanks,
Bryan






#23417 From: "mkoedel" <mkoedel@...>
Date: Thu Nov 12, 2009 7:33 pm
Subject: naughtynesslimit stuck at 50
mkoedel
 
I am running ubuntu 8.04, Squid 2.6 Stable18 and Dansguardian 2.10.1.1.  I have
11 groups.  In each of the filtergroup files I have set the naughtynesslimit for
each of the group types.  Things are being blocked, and I looked in the logs. 
The naughtynesslimit is set at 50 in the logs, but the Filtergroup file will be
set at 200.  Has anyone seen this?

thanks,
Mark

#23416 From: "Bryan" <bmanzeck@...>
Date: Thu Nov 12, 2009 7:12 pm
Subject: banned regular expressions question
bmanzeck
 
Hi,
I have a teacher who wants the kids to research superstitions and whenever they
Google "superstitions" it is a banned regular expression.  I am trying to find
out the best practice for letting this type of activity through the dans
filter?
Thanks,
Bryan

#23415 From: "bertb93" <bertb93@...>
Date: Thu Nov 12, 2009 2:14 pm
Subject: Re: perl script
bertb93
 
Hi Andrew,
  > <script> <ipaddr> <filtergroup>
Yes, this is what I am looking for.
I just want a script that would be able to switch just 2 IP addresses
to a different filter group. But I want a user to be able to access
a shortcut on their desktop. I am running Slackware as my OS if that is any
help. I wanted to see if someone had an example that they could show me. Thanks
bert

--- In dansguardian@yahoogroups.com, Andrew Vandever <andrew.vandever@...>
wrote:
>
> Are you wanting something where you could do this:
> <script> <ipaddr> <filtergroup>
> and have it change? It seems like that should be SUPER easy with either
> perl or sed.
> Something like:
> sed -i.bak '/192\.168\.0\.7/s/filtergroup./filtergroup1/'
> /etc/dansguardian/lists/filtergroupslist
> Is that what you are looking for?
>
> -Andrew
>
> bertb93 wrote:
> >
> >
> > Anyone have a perl script I could see to change ip address to
> > different filter group. Or at least point me in the right direction as
> > where to find some examples?
> > thanks,
> > bert
> >
> >
>
> --
> Andrew Vandever
> andrew.vandever@...
> http://www.avcomp.net
>
>
>
>
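
An added example (not code from the thread) of the `<script> <ipaddr> <filtergroup>` helper asked about above, written for the case where an ordinary user triggers it from a shortcut. It validates both arguments before they touch the list and compares the address as a whole string, because an unanchored pattern such as `/192\.168\.0\.7/` also matches 192.168.0.70. The function names, the exit codes and the `address = filterN` line layout (taken from the ipgroups description in message #23425) are assumptions; DansGuardian still has to reload its configuration afterwards.

```shell
#!/bin/sh
# set_group FILE IP GROUP_NUMBER  (hypothetical helper, not part of DansGuardian)
# Returns 0 on success, 2 on invalid input, 3 if the address is not listed.
set_group() {
    file=$1 ip=$2 group=$3
    # Reject anything that is not digits and dots (this also rejects newlines).
    case $ip in ''|*[!0-9.]*) return 2 ;; esac
    # Exactly four octets, each 0-255.
    printf '%s\n' "$ip" | awk -F. '
        NF == 4 { for (i = 1; i <= 4; i++)
                      if ($i !~ /^[0-9]+$/ || $i > 255) exit 1
                  exit 0 }
        { exit 1 }' || return 2
    # Group must be a positive integer without leading zero.
    case $group in ''|*[!0-9]*|0*) return 2 ;; esac

    # Temp file beside the target; cp -p first so mode and owner carry over.
    tmp=$(mktemp "$file.XXXXXX") || return 1
    cp -p "$file" "$tmp" || { rm -f "$tmp"; return 1; }
    awk -v ip="$ip" -v g="$group" '
        { key = $0; sub(/[ \t]*=.*/, "", key); sub(/^[ \t]+/, "", key) }
        key == ip { print ip " = filter" g; found = 1; next }
        { print }
        END { exit (found ? 0 : 3) }
    ' "$file" > "$tmp" || { rc=$?; rm -f "$tmp"; return "$rc"; }
    mv "$tmp" "$file"
}

# Constructed sample list: only the exact address may change.
demo_set_group() {
    f=$(mktemp) || return 1
    printf '%s\n' '192.168.0.7 = filter1' '192.168.0.70 = filter1' > "$f"
    set_group "$f" 192.168.0.7 2 && cat "$f"
    rm -f "$f"
}

demo_set_group
```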

#23414 From: Andrew Vandever <andrew.vandever@...>
Date: Wed Nov 11, 2009 3:24 am
Subject: Re: Re: bash help with filtergroup script please
andrew.vandever
 
I'm glad it helped! For reference, the <<HERE part is an example of
"heretext", and it's pretty well documented in the Bash Guide for
Beginners by Machtelt Garrels (sp?) that's freely available from
tldp.org. I highly recommend it!

-Andrew

Bryan wrote:
>
>
> Wow, Thanks!
> The double quotes do not work but your code does.
>
> I am going to have to research that code as I would like to understand
> it for my own learning.
> Bryan
>
> --- In dansguardian@yahoogroups.com, Andrew Vandever
> <andrew.vandever@...> wrote:
> >
> > Your problem is on the sed line in your while loop..."$line" is inside
> > of single quotes, which means sed is searching for the literal string
> > "$line" rather than the variable you intend to be placed there. You
> > could try using double-quotes instead, or replace that command with:
> > cat >> tmpfile <<HERE
> > /$line/d
> > HERE
> > sed -f tmpfile $input2 > diditwork.txt
> >
> > I know that's really ugly, but it should work.
> > -Andrew
> >
> > Bryan wrote:
> > >
> > >
> > > Hello,
> > > I have a script that works pretty good pulling all my Novell
> > > eDirectory groups into a Dansguardian file that I apply. I am having
> > > difficulty with some duplicate entries I cannot seem to remove. Can
> > > someone tell me why this bash script is not deleting those entries? It
> > > is something with my while loop that is not working I think.
> > >
> > > sed 's/ //g' $input >$output
> > > sed 's/filter3/filter2/g' $output >$output2
> > >
> > > cat $output2 |while read line
> > > do
> > > sed '/$line/d' $input2 >diditwork.txt
> > > done
> > >
> > >
> >
> > --
> > Andrew Vandever
> > andrew.vandever@...
> > http://www.avcomp.net
> >
> >
> >
> >
>
>

--
Andrew Vandever
andrew.vandever@...
http://www.avcomp.net
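
An added example (not code from the thread) of the problem discussed above. In the quoted loop the single quotes hand sed the literal text `$line`, and each pass overwrites diditwork.txt, so at most the last deletion would survive; with double quotes every directory entry would be read as a sed regular expression. The sketch below removes the listed entries in one pass as whole-line fixed strings; the function names and sample data are constructed.

```shell
#!/bin/sh
# remove_listed FILTER_FILE TARGET_FILE  (hypothetical helper)
# Print TARGET_FILE without any line that appears, exactly, in FILTER_FILE.
remove_listed() {
    filter=$1 target=$2
    # Nothing to remove: pass the target through unchanged.
    if [ ! -s "$filter" ]; then
        cat -- "$target"
        return
    fi
    # -F fixed strings (no regex), -x whole-line match, -v invert,
    # -f read the patterns from a file. Exit status 1 only means
    # "no lines printed", which is a valid result here.
    grep -vxFf "$filter" -- "$target" || [ $? -eq 1 ]
}

# Constructed sample data: two entries to delete, both containing
# characters that are special to sed ("." and "/").
demo_remove_listed() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' 'a.b=filter2' 'ou/staff=filter2' > "$dir/remove"
    printf '%s\n' 'a.b=filter2' 'axb=filter2' \
                  'ou/staff=filter2' 'carol=filter1' > "$dir/list"
    remove_listed "$dir/remove" "$dir/list"
    rm -rf "$dir"
}

demo_remove_listed
```

As a sed address, `a.b=filter2` would also have deleted `axb=filter2`, and `ou/staff=filter2` would have ended the address early at its slash.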



