Need traffic filter solution

From: "Daniel L. Appleget" 
------------------------------------------------------
I am looking for a solution; client wants a web traffic content filter, 
the idea is to block pr0n. I was hoping to do something appliance based. 
It is for open to the public WIFI.

OpenDNS seems like it is the best/easiest solution.

-- 
Daniel Appleget
Chattanooga Computer Service
http://www.chattanoogacomputerservice.com/
423-760-0879

Tu ne cede malis, sed contra audentior ito


===============================================================
From: Phil Sieg
------------------------------------------------------
Untangle? http://www.untangle.com/

Bring your own hardware.

Phil Sieg
President
SeniorTech LLC / Snapfon
www.snapfon.com
B: 423.535.9968
F: 423.265.9820
M: 423.331.0725
phil.sieg@seniortechllc.com

On Nov 7, 2012, at 1:11 AM, "Daniel L. Appleget" wrote:

> filter, the idea is to block pr0n. I was hoping to do something appliance based. It is for open to the public WIFI.

===============================================================
From: Michael Scholten
------------------------------------------------------
I haven't looked too deeply into this area yet but have found OpenDNS to be pretty effective, at least for their home solution. There are still ways to get around it, such as googling for certain kinds of images. You can still pull up "pr0n" but when you try to go to the site serving up the imagery then OpenDNS takes over and keeps you out. Not a perfect solution but better than nothing.

-Michael

===============================================================
From: John Aldrich
------------------------------------------------------
Quoting Michael Scholten:

Question: If you hard-code another DNS server in your laptop/tablet/other mobile device, such as Google's Public DNS, does OpenDNS still block pr0n?

===============================================================
From: Dave Brockman
------------------------------------------------------
OpenDNS is your path of least resistance, but also the least effective. Squid + DansGuardian is the usual DIY recommendation.

Regards,

dtb

-- 
"Some things in life can never be fully appreciated nor understood unless experienced firsthand. Some things in networking can never be fully understood by someone who neither builds commercial networking equipment nor runs an operational network." RFC 1925

===============================================================
From: Dave Brockman
------------------------------------------------------
Yes, yes it does, but only when asked.

Regards,

dtb

===============================================================
From: Jason Brown
------------------------------------------------------
Squid + DansGuardian works well on a pfSense box, which can be their router. I believe it is also possible to run them on something like OpenWRT but it may be significantly more difficult.

--Jason

===============================================================
From: Benjamin Stewart
------------------------------------------------------
I don't think that's right. OpenDNS can only redirect queries that are directed towards it, so no, if you've hard-coded another DNS provider on your machine, that machine would not be filtered. You can, however, write a firewall rule that funnels all DNS requests back to OpenDNS or wherever you want them to go.

===============================================================
From: Dave Brockman
------------------------------------------------------
The question was whether or not OpenDNS still blocks pr0n if you hard-code Google's DNS servers. OpenDNS servers still block the pr0n, but the hard-coded Google DNS entry isn't asking. OpenDNS still works; it has been circumvented, however. The question wasn't whether or not a particular machine can reach pr0n.... More of a "thump" on John's head for asking such silly questions that are rather easy to test for oneself in about the time it took to compose the email itself.

I usually find it easier to block DNS queries (udp/53 AND tcp/53) outbound except to your preferred servers (if external) or completely if internal. I have yet to find a DNS ALG that parses DNSSEC correctly; adding a redirect layer only adds to the confusion. YMMV.

Regards,

dtb

===============================================================
From: John Aldrich
------------------------------------------------------
Quoting Benjamin Stewart:

Thanks, Benjamin... that's kinda what I figured, and probably what Dave meant when he said "only when asked" :D

===============================================================
From: John Aldrich
------------------------------------------------------
Quoting Dave Brockman:

Actually, I admit I could have phrased my question better. That being said, I have no way to test that at this time. I am at work and we are behind a proxy filter. Theoretically, I could bypass that filter, but I like my job and have no desire to get fired for circumventing the corporate firewall!

===============================================================
From: Benjamin Stewart
------------------------------------------------------
Yep, I took that part incorrectly.

===============================================================
From: Dave Brockman
------------------------------------------------------
If you want good answers, I highly encourage good questions. There are way too many smart-asses on this list.

Speaking of which, what does your corporate proxy filter and firewall have to do with DNS queries? I admit that it took less time to compose the email than it would have been to go to http://whatismyip.com and then create an account at OpenDNS and configure that IP address, then run a dig or nslookup from the command line to compare the answers given from, say, 8.8.8.8 vs OpenDNS servers, but the fact that you had to ask shows you could learn a little bit about how DNS works from a local resolver standpoint. I encourage you to conduct this little experiment from home if an outbound DNS query is job-risking for you....

Regards,

dtb
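The outbound-DNS policy Dave describes earlier in the thread (block udp/53 and tcp/53 except to your preferred resolvers), the redirect-style firewall rule Benjamin mentions, and the dig comparison Dave suggests above, as one added example. This is not code from the thread or from any product it names. It assumes a Linux router using iptables, a hypothetical guest interface br-guest carrying 192.168.50.0/24, and an existing FORWARD rule that accepts ESTABLISHED,RELATED traffic; the resolver addresses 208.67.222.222 and 208.67.220.220 are OpenDNS's public resolvers, and 8.8.8.8 is Google's, as in the thread. The script only prints the rules so they can be reviewed before being piped into sh.

```sh
#!/bin/sh
# Added example (not from the thread). Generates the "allow DNS only to the
# resolvers you chose, drop the rest" egress policy, the DNAT alternative, and
# a helper for the dig comparison. Hypothetical assumptions: guest interface
# br-guest, guest subnet 192.168.50.0/24, iptables on the router, and an
# ESTABLISHED,RELATED accept rule already present in FORWARD.

LAN_IF="${LAN_IF:-br-guest}"
LAN_NET="${LAN_NET:-192.168.50.0/24}"

# Emit iptables commands. Order matters: the per-resolver ACCEPT rules must
# precede the catch-all LOG and DROP. A laptop hard-coded to 8.8.8.8 hits the
# DROP, so OpenDNS is the only resolver it can reach.
dns_egress_rules() {
    [ "$#" -ge 1 ] || { echo "usage: dns_egress_rules RESOLVER_IP ..." >&2; return 1; }
    for r in "$@"; do
        for proto in udp tcp; do
            printf 'iptables -A FORWARD -i %s -s %s -p %s --dport 53 -d %s -j ACCEPT\n' \
                "$LAN_IF" "$LAN_NET" "$proto" "$r"
        done
    done
    for proto in udp tcp; do
        # Rate-limited log line so bypass attempts show up in syslog.
        printf 'iptables -A FORWARD -i %s -s %s -p %s --dport 53 -m limit --limit 6/min -j LOG --log-prefix "DNS-BYPASS "\n' \
            "$LAN_IF" "$LAN_NET" "$proto"
        printf 'iptables -A FORWARD -i %s -s %s -p %s --dport 53 -j DROP\n' \
            "$LAN_IF" "$LAN_NET" "$proto"
    done
}

# Alternative: rewrite every stray port-53 packet so it reaches the chosen
# resolver anyway. The client believes it asked 8.8.8.8. Because the answer
# no longer comes from the server the client addressed, a DNSSEC-validating
# client will see the mismatch, which is the confusion Dave warns about.
dns_redirect_rules() {
    [ "$#" -ge 1 ] || { echo "usage: dns_redirect_rules RESOLVER_IP" >&2; return 1; }
    for proto in udp tcp; do
        printf 'iptables -t nat -A PREROUTING -i %s -s %s -p %s --dport 53 ! -d %s -j DNAT --to-destination %s:53\n' \
            "$LAN_IF" "$LAN_NET" "$proto" "$1" "$1"
    done
}

# Exit 0 if two "dig +short" A-record answer sets differ (filtering or
# rewriting in effect), 1 if they are the same. Sorted so ordering of
# multiple A records does not count as a difference.
answers_differ() {
    a=$(printf '%s\n' "$1" | sort)
    b=$(printf '%s\n' "$2" | sort)
    [ "$a" != "$b" ]
}

# Live version of the experiment Dave suggests; needs dig and network access,
# so it is not run by default. Call: compare_resolvers some.host.example
compare_resolvers() {
    name=$1
    google=$(dig +short @8.8.8.8 "$name" A)
    opendns=$(dig +short @208.67.222.222 "$name" A)
    if answers_differ "$google" "$opendns"; then
        printf '%s: answers differ (OpenDNS is filtering or rewriting this name)\n' "$name"
    else
        printf '%s: same answer from both resolvers\n' "$name"
    fi
}

# Stand-alone run: print the egress policy for the two OpenDNS resolvers.
dns_egress_rules 208.67.222.222 208.67.220.220
```

On a pfSense box the same policy is two pf rules on the guest interface: pass udp and tcp to the chosen resolvers on port 53, then block udp and tcp to any on port 53; the order rule is the same as above. Whichever form you use, remember that the policy only covers port 53, so it does nothing about clients that resolve names over HTTPS or a VPN.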

===============================================================
From: William Wade
------------------------------------------------------
"if an outbound DNS query is job-risking..."

Then you better memorize the IP address of every website you want to visit on that network... :D

===============================================================
From: John Aldrich
------------------------------------------------------
Quoting Dave Brockman:

Dave, we have a pretty strict policy here. I'm not about to go FSCKING around with network settings just to test something out.

===============================================================
From: Dave Brockman
------------------------------------------------------
John,

Just so you understand, at no point in the instructions above are you asked to make any settings changes to anything on your work computer or network*. I still encourage you to play with dig (on *nix) or nslookup (on Windows), at home or wherever you feel safe.

[*] In the interest of full disclosure, I'm pretty sure I agreed at some level that I am responsible for the IP addresses that query OpenDNS when I configured them; I can understand if that gives you pause. That's still worlds away from me suggesting you make a change to your corporate workstation.

Regards,

dtb