Porn Filtering using Squid and SquidGuard under Linux HOW TO
and HOW NOT TO

Jerry Winegarden

Last Revised 7/9/02

How To

Two ways to provide pornography and other content filtering using squid and squidGuard:

Squid caching software, along with the SquidGuard redirector software, if properly configured, allows us to provide some content filtering or screening.

See:

Squid is a standard Red Hat package and should be installed on your LAN's Linux server. Once installed, its configuration files are in /etc/squid. The main configuration file is: /etc/squid/squid.conf

SquidGuard, available from the above URL, is a companion package to squid. Installation and configuration instructions are also available from this site. Below, we will provide a cookbook for installation on a RedHat Linux v7.1 system. This cookbook is currently under construction. You don't have to wait until it's complete, however. You can try to follow squidGuard.org's instructions, if you wish.

Note concerning support:

squid questions can be directed to redhat-list@redhat.com. squidGuard has its own support list that you can subscribe to, which is recommended. See the www.squidguard.org pages for subscription instructions.

How NOT To

1) Do NOT become an open mail relay or other open relay by providing a squid cache/squidGuard proxy that is open to the whole world!

How do you do that? In /etc/hosts.allow (assuming hosts.deny is ALL: ALL), do NOT have a line:

squid: ALL

If you are NOT behind your own firewall and are providing squid/squidGuard to machines on your LAN (e.g. machines with IP 192.168.1.x), then you must be careful with your /etc/hosts.allow settings, so that you do not become an incredibly wide-open spam relay!

If you are TRYING to provide squidGuard web filtering to some machines at some community center or school (machines not on your LAN), then you MUST make sure that the whole world cannot get to your squid daemon for service, only the machines that you want. squid (and hence squidGuard) will pay attention to restrictions specified in /etc/hosts.deny and /etc/hosts.allow.

If you must provide squidGuard proxy service outside your LAN, the way is to give explicit access to a list of fully qualified domain names that may access your squid server. This assumes that the machines seeking to access the Internet through your web proxy server (if you've set the web browser on that machine to use your machine as a web proxy server) have a DNS registration somewhere. However, if you do NOT have a static IP number, you likely do NOT have a DNS registration that stays the same each time you turn on your machine.

Solution:

  1. install a Linux ipchains or iptables firewall/router to connect your LAN to the Internet (provide dhcp service to the machines on your LAN)
    see: Firewall installation cookbook/ configuration scripts @ www-jerry.oit.duke.edu
  2. register a domain name with dyndns.org (e.g. yourhoser.dyndns.org)
  3. add a line in /etc/hosts.allow for squid:  squid: LOCAL
  4. install ddclient on your Linux firewall box to update your DNS registration with dyndns any time your IP number changes.
  5. add yourhoser.dyndns.org to the line you added in /etc/hosts.allow for squid
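The following is an added example, not part of this HOWTO: a small POSIX shell audit for the "How NOT To" rules above. It flags a /etc/hosts.allow that hands the squid daemon to ALL clients, and, as an extra check beyond the tcp_wrappers advice, a squid.conf whose own http_access rules allow every client. The sample files it creates are constructed for the demo, not real configurations.

```shell
#!/bin/sh
# Added example, not part of the original HOWTO: two audit checks for the
# "How NOT To" advice. Each function takes a file path and returns 0 when
# the file looks restricted, 1 when it hands the proxy to the whole world.

# /etc/hosts.allow lines have the form "daemon_list : client_list [: options]".
# Flag any line whose daemon list contains squid (or ALL) and whose client
# list is ALL or "ALL EXCEPT ...". Comments and blank lines are skipped.
hosts_allow_is_restricted() {
    awk -F':' '
        /^[ \t]*(#|$)/ { next }
        {
            d = tolower($1); c = toupper($2)
            gsub(/[ \t]/, "", d); gsub(/[ \t]/, "", c)
            nd = split(d, dl, ","); nc = split(c, cl, ",")
            dhit = 0; chit = 0
            for (i = 1; i <= nd; i++) if (dl[i] == "squid" || dl[i] == "all") dhit = 1
            for (i = 1; i <= nc; i++) if (cl[i] == "ALL" || index(cl[i], "ALLEXCEPT") == 1) chit = 1
            if (dhit && chit) found = 1
        }
        END { exit found ? 1 : 0 }
    ' "$1"
}

# squid.conf carries squid's own access control: the first matching http_access
# line wins, so "http_access allow all" ahead of "http_access deny all"
# opens the proxy to every client regardless of tcp_wrappers.
squid_conf_is_restricted() {
    awk '
        /^[ \t]*(#|$)/ { next }
        $1 == "http_access" && $2 == "allow" && $3 == "all" { open = 1; exit }
        $1 == "http_access" && $2 == "deny"  && $3 == "all" { exit }
        END { exit open ? 1 : 0 }
    ' "$1"
}

# Stand-alone demo on constructed sample files (not real configurations).
demo() {
    t=$(mktemp -d) || return 1
    printf 'sshd: 192.168.1.\nsquid: ALL\n' > "$t/open.allow"
    printf 'squid: LOCAL, yourhoser.dyndns.org\n' > "$t/ok.allow"
    printf 'acl localnet src 192.168.1.0/24\nhttp_access allow localnet\nhttp_access deny all\n' > "$t/ok.conf"
    for f in "$t/open.allow" "$t/ok.allow"; do
        if hosts_allow_is_restricted "$f"; then echo "$f: restricted"; else echo "$f: WIDE OPEN"; fi
    done
    if squid_conf_is_restricted "$t/ok.conf"; then echo "$t/ok.conf: restricted"; fi
    rm -rf "$t"
}
demo
```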