From: Chris Davies on
Geoffrey Clements <geoffrey.clementsNO(a)spambaesystems.com> wrote:
> I remember looking into this a few years back and the combination of squid
> and dansguardian looked promising.

Yes, it would work.

> However I was
> never sure how I would stop squid from being redirected to itself.

It gets rather complicated if you have the browser on the same machine
as squid. The ideal situation is that your browser on a PC (somewhere)
is required to use a web proxy on your bastion server. The bastion trusts
itself but blocks all 80/443 traffic from any other device.

> The other problem is that *I* don't want to use the proxy and AFAIK
> there's no way to identify users in iptables.

If you're running the browser on the bastion box itself,
there's --uid-owner and --gid-owner, but I have a feeling they are
deprecated. Otherwise, could you configure your instance of the browser
to use (say) port 63128 but for everyone else's to use 3128? Security
through obscurity, as they say. Alternatively, configure squid to
require authentication (I speak from bitter experience when I say this
is horrible).


> Setting up the browsers to use a proxy always seemed like a non-starter as
> it's easily defeated.

Not if it's the only way off the network. Just don't forget to block
TOR and similar beasties.

Chris
From: Mike Civil on
In article <sO6dnfWOSri-F2XXnZ2dnUVZ8uWdnZ2d(a)brightview.com>,
Simon J. Rowe <srowe(a)mose.org.uk> wrote:
>Anyone got a suggestion how I can limit access?

1. Set them up with separate user a/cs and change their browser config
file(s) so they can't change them. Point their browsers at a squid proxy
setup somewhere and use something simple like squirm to redirect
undesirable URLs to a page of your own making. Eg for iplayer :-
regexi ^http://www\.bbc\.co\.uk/iplayer/.* http://localserver/DontMessWivDad.html

and/or

2. Use a bit of parental discipline backed up with a metal edged ruler.

They'll soon get the message.
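
The redirect rule from the post above, run through a Squid URL-rewrite helper written in Python. This is an added example, not part of the original post and not squirm's own code; it assumes Squid's legacy one-line helper format (`URL client_ip/fqdn ident method` in, rewritten URL or blank line out) and handles only fixed replacements, with no back-references.

```python
import re
import sys

# Constructed pattern file: the one rule from the post above, in squirm's
# "regex|regexi <pattern> <replacement>" layout.
PATTERNS = r"""
# block iPlayer
regexi ^http://www\.bbc\.co\.uk/iplayer/.* http://localserver/DontMessWivDad.html
"""

def load_rules(text):
    """Parse pattern lines into (compiled_regex, replacement) pairs."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3 or parts[0] not in ("regex", "regexi"):
            raise ValueError(f"line {lineno}: expected 'regex|regexi PATTERN REPLACEMENT'")
        # regexi is the case-insensitive form, regex is case-sensitive.
        flags = re.IGNORECASE if parts[0] == "regexi" else 0
        rules.append((re.compile(parts[1], flags), parts[2]))
    return rules

def rewrite(request_line, rules):
    """Return the redirect target for one helper input line, or "" for no change.

    Assumed input format: "URL client_ip/fqdn ident method"; only the URL
    (first field) is matched against the rules, first match wins.
    """
    fields = request_line.split()
    if not fields:
        return ""
    url = fields[0]
    for pattern, replacement in rules:
        if pattern.search(url):
            return replacement
    return ""

def main():
    rules = load_rules(PATTERNS)
    for line in sys.stdin:
        # One answer per request, flushed so Squid is never left waiting.
        sys.stdout.write(rewrite(line, rules) + "\n")
        sys.stdout.flush()

if __name__ == "__main__":
    main()
```

Feeding it a line such as `http://www.bbc.co.uk/iplayer/x 192.168.1.20/- - GET` on stdin prints the redirect page URL; any URL the rule does not match yields an empty line, which tells Squid to leave the request alone.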
From: Ivor Jones on
On 10/11/09 23:36, Mike Civil wrote:
> In article<sO6dnfWOSri-F2XXnZ2dnUVZ8uWdnZ2d(a)brightview.com>,
> Simon J. Rowe<srowe(a)mose.org.uk> wrote:
>> Anyone got a suggestion how I can limit access?
>
> 1. Set them up with separate user a/cs and change their browser config
> file(s) so they can't change them. Point their browsers at a squid proxy
> setup somewhere and use something simple like squirm to redirect
> undesirable URLs to a page of your own making. Eg for iplayer :-
> regexi ^http://www\.bbc\.co\.uk/iplayer/.* http://localserver/DontMessWivDad.html
>
> and/or
>
> 2. Use a bit of parental discipline backed up with a metal edged ruler.
>
> They'll soon get the message.

Then you end up in court on an assault charge.

Ivor

From: charlie on
On Mon, 09 Nov 2009 21:31:54 +0000, "Simon J. Rowe"
<srowe(a)mose.org.uk> wrote:

>My darling children are very good at burning my 20Gb bandwidth limit in a
>week. I've dealt with youtube by redirecting youtube.com in my DNS cache but
>iPlayer is proving more difficult.
>
>Anyone got a suggestion how I can limit access?
> Simon
>

Bend them over and give them a damned good spanking every time
they access it.

From: Chris on
Simon J. Rowe wrote:

> Chris wrote:
>
>> My children are still a bit young, but in preparation I've done a
>> little background reading. From what I've seen, things like squid
>> and/or dansguardian should be able to do what you want.
>> http://www.squid-cache.org/
>> http://dansguardian.org/
>
> I had considered installing squid and catching it that way.
> DansGuardian seems to be some sort of frontend but all the links to
> documentation I try 404.

Looks like the wiki is a better option:
http://wiki.contribs.org/Dansguardian

--
The email address is a spam trap. I rarely use it.