Topic: Dansguardian installed, running but no content is filtered.

[Ptah]

Hi All.

I have now spent two days going through forums, how to's, faq's etc. etc. and still struggling with Dansguardian on my SME server.

I run SME Server  7.2 in Gateway mode with DansGuardian 2.9.8.0 installed and running. I followed all the instructions as per here:

http://smemirror.fullnet.co.uk/contribs/rmitchell/smeserver/howto/dansguardian%20instal%20&%20configure%20HOWTO%20for%20sme%20server.htm

and in the wiki.contrib.org/Dansguardian (these are actually the same set of instructions) .

I got it up and running but when I try visiting the URL's I blocked then nothing happens. Maybe I should add that I tried the following proxy settings:

Code: [Select]

config setprop squid TransparentPort 8080
config setprop dansguardian portblocking yes
signal-event post-upgrade; signal-event reboot

but when the server came up again I had absolutely no Internet access so I issued the following

Code: [Select]

config delprop squid TransparentPort 3128
config delprop dansguardian portblocking
signal-event post-upgrade; signal-event reboot

And everything was fine again.

I am pretty sure I might have left some crucial step out as I am fairly new at Linux and SME server. I managed to setup the entire emailing system and that all works beautifully, but now the content filtering is giving me a headache.

I know you boffins probably helped countless people with this already and I missed this somewhere. Please help.

Thanks in advance.

I am sure I didn't loose my mind... I know exactly where I left it

[raem]

Ptah

The Wiki is more up to date, so use that in preference (as stated quite clearly at the top of the old Howto)

ie IMPORTANT - PLEASE SEE MORE RECENT VERSION AT
http://wiki.contribs.org/Dansguardian

I tried the following proxy settings:

Code: [Select]

config setprop squid TransparentPort 8080
config setprop dansguardian portblocking yes
signal-event post-upgrade; signal-event reboot


You can't just try those settings and then undo the config when it appears not to work.
Those settings ARE required for Dansguardian to work appropriately on sme server.

I had absolutely no Internet access so I issued the following

That's probably because you did not set your browser proxy setting correctly, or you did not restart dansguardian after making config changes, or perhaps you made some config changes in dansguardian which actually blocked your access, so therefore dansguardian was just doing it's job.

I suggest you read the wiki instructions very carefully again, and don't undo settings because you think it's a good idea.
If it doesn't work, then you have missed doing something.

Follow all the steps and it should work. I suggest you make no additional dansguardian confg changes initially (other than the basic ones referred to) so that you don't complicate troubleshooting. Get the basics working and then make more extensive blocking rules later.

[brianr]

just been trying this, and i can't make it work such that the proxy is picked up automatically.  I am reasonably sure that the reason is that I am running the SME in Server mode, not server-gateway, consequently the "auto detect proxy settings" in IE does not even see the server, as the gateway IP is set to the router on the LAN.

I can only make it work by either specifying the proxy server specifically, OR by specifying "http://<serverip>/proxy.pac" in the  "automatic configuration script field of the IE internet connection parameters.

If my analysis is correct, then perhaps an addition could be made to the wiki.  I am still pursuing whether I can lock down the proxy connection settings in IE. 
 

[raem]

brianr

I am still pursuing whether I can lock down the proxy connection settings in IE.

Answered here
http://wiki.contribs.org/Dansguardian#Using_Group_Policy_Editor_to_force_proxy_port_setting_on_workstations

[brianr]

brianr

Answered here
http://wiki.contribs.org/Dansguardian#Using_Group_Policy_Editor_to_force_proxy_port_setting_on_workstations

My experience so far is that this does not seem to work if the user has administrative rights.

[raem]

brianr

My experience so far is that this does not seem to work if the user has administrative rights.

What does "not seem to work" mean.
If you set appropriate group policy rights using gpedit.msc, then for example certain menus in Internet Explorer are missing, including for the Administrator.
Now of course someone with Administrator rights could go into gpedit.msc and remove the restriction on seeing the IE menu where you can change the proxy server details, so of course in that case the user can work around the proxy server settings restrictions, by for example changing the proxy port to 3128 and bypassing dansguardian.

It's obvious not to give users Administrator access if you don't want them to have the ability to change settings.


If you have done
config setprop squid TransparentPort 8080
and
config setprop dansguardian portblocking yes

then Auto detect proxy settings will find & use port 8080, and the portblocking setting will stop access via port 3128 or 80, so have you set those ?


If you are using group filtering with pam auth and you have done

config setprop squid Transparent no

then the poxy port will only be available on port 8080, and all browsers will need to be set to port 8080 in order to access the Internet. Even if users change that port, it only means they will have no Internet access at all.

In either case, I'm not sure I see what your problem is ie does "not seem to work".

[brianr]

brianr

What does "not seem to work" mean.

I means that I use gpedit to "fix" the internet proxy parameters as per your instructions, but when i go back to the internet controls, they are still changeable (i expected them to be greyed out).  I've been through this a couple of times in the past, and tried it again yesterday.

I also have the correct config settings as per your howto.

[root@millbrookserver ~]# config show dansguardian
dansguardian=service
    portblocking=yes
    status=enabled
[root@millbrookserver ~]# config show squid
squid=service
    EnforceSafePorts=no
    SafePorts=21,70,80,81,119,210,443,563,980,1024-65535
    TCPPort=3128
    TCPProxyPort=80:3128
    TransparentPort=8080
    access=private
    status=enabled
[root@millbrookserver ~]#


I can get to the PC in question to try things if you have any ideas.

[raem]

brianr

I means that I use gpedit to "fix" the internet proxy parameters as per your instructions

I think you mean as per tropicalview's instructions in the forum ?


I don't use that, I remove access to the menu entirely ie
gpedit
Local Computer Policy
User Configuration
Administrative Templates
Windows Components
Internet Explorer
Disable changing connection settings.

[brianr]

brianr
I think you mean as per tropicalview's instructions in the forum ?

Sorry, i guess I do.

I don't use that, I remove access to the menu entirely ie
gpedit
User Configuration
Administrative Templates
Internet Explorer
Disable changing connection settings.

aha - yes, that works fine.  Should we change the howto? (although there is a missing stage - "Windows components" between AT and IE.

A secondary question - I also indicated above that in "server" mode the "Detect proxy settings" does not enable the proxy.  does this fit in with your experience?

If so, i think the howto should also say that.

[raem]

brianr

I added my method to the Howto.

A secondary question - I also indicated above that in "server" mode the "Detect proxy settings" does not enable the proxy.  does this fit in with your experience?

I don't use Dansguardian in server only mode.
It would seem obvious to me though, that as the sme server is not acting as the proxy gateway, then there will be issues with making & using those settings.

A note to the effect that this Howto applies to server gateway configurations would be appropriate, but I have not tested the possible ramifications in that mode. I'll look for the most appropriate spot to add this to the Howto.
Edit -
Added here
http://wiki.contribs.org/Dansguardian#Configuring_your_system_to_force_Dansguardian_usage_.26_prevent_bypassing