# Web Content Filter? Ideas / Thoughts



## kjemison (May 19, 2011)

Hello,

I am again on a quest to learn FreeBSD by using it to perform functions requested of me by my clients. Today a client asked if I could come up with a solution to keep employees from surfing all over the web to non-work-related sites. I thought that there must be a port for FreeBSD for this. I have seen a port called DansGuardian, but I have read mixed reviews for it. I would like to block all sites and just allow only the sites that are work related.

I would appreciate any input ... good and bad, on software that others have used or are currently using to do such a task. I am not by any means a professional in FreeBSD, and I would consider myself close to just stepping out of the beginner stage and into the intermediate area.

Thank you in advance for your input, it is greatly appreciated!

Kell


----------



## nilsgecko (May 19, 2011)

A few places I know make use of OpenDNS's web-content filtering, but that might not be an option. It requires you to create an account with OpenDNS and have the company's DNS routed through its services, which you then (or they) access via a web portal.

DansGuardian I've never used, although I've read it's not free for commercial use.


----------



## SirDice (May 19, 2011)

OpenDNS doesn't do web content filtering. It only resolves bad host or domain names to nothing, preventing you from accessing those hosts. It does NOT filter content.

Have a look at www/squid, maybe in combination with security/squidclamav.


----------



## hainan (May 19, 2011)

Squid + SquidGuard is an option. I saw it in pfSense. A pfSense how-to is here. (Turkish)

SquidGuard official web page: http://www.squidguard.org/


----------



## nilsgecko (May 19, 2011)

SirDice said:

> OpenDNS doesn't do web content filtering. It only resolves bad host or domain names to nothing, preventing you from accessing those hosts. It does NOT filter content.



Hi. It is probably a terminology difference, but what I meant is that you can implement a whitelist of websites that it will then resolve at the DNS level. Other websites not on the list will not resolve but will instead give a message about the site being blocked. The inverse is also true: you can filter based on categories, or just have a specific 'blacklist' of domains that are not allowed.
You have to have a registered account with OpenDNS to use this feature, however.


----------



## Ruler2112 (May 19, 2011)

Along the lines of using OpenDNS, why not set up a DNS server and have it resolve everything to 127.0.0.1 except for what you want? Don't know exactly how you'd get it set up, but I don't imagine it'd be impossible, and it would accomplish exactly what you want. (Assuming they don't know enough to change their DNS server to something else.)

You can also use pf to disallow communication of everything except specific IPs.  This would be much more secure and, if implemented as a gateway for the company, would be extremely difficult to get around.


----------



## kpa (May 19, 2011)

You can bypass any DNS based filtering by writing your own hosts file.


----------



## Ruler2112 (May 20, 2011)

kpa said:

> You can bypass any DNS based filtering by writing your own hosts file.



Or by simply changing the DNS server to that of a public DNS server. (Assuming port 53 out isn't blocked by a firewall somewhere.)

Or it can be bypassed by entering the IP address of the destination web site in the address bar.

Better yet, you can calculate the decimal representation of the IP address's octets concatenated together in binary and use that. This method is very effective at bypassing many web content filters, though the work involved is so intensive that I'd just jump on somebody's wifi first, but it does work.

Your solution, as well as the last 2 listed here, requires one to know the IP of the machine they want to connect to, which, without a working DNS server, would need to be looked up/saved/entered manually. (Basically, you'd manually build a database of the machines in DNS - not really all that feasible.) All these are beyond the ability of most people, and I'd wager that >95% of the general public doesn't even know what DNS is.

If I interpret the OP correctly, he's looking for something that will keep the average employee from surfing crap all day long instead of working. I'm not saying using a DNS server that returns bogus addresses is the ideal way to go, but it would be relatively quick and effective for most people.

A gateway using pf would be much better IMO - simply deny everything except for traffic for IPs in a table.  Quicker, more effective, and much more difficult to bypass.


----------
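One way to build the whitelist-only pf gateway Ruler2112 describes (deny everything except traffic to IPs in a table, and close the "change your DNS server" hole at the same time), as an added example that is not from the thread or any of its posters. It assumes em0 faces the Internet, em1 faces a LAN of 192.168.1.0/24, the gateway runs the LAN's only resolver, and the allowed destinations live in /etc/pf.allowed; all of these names and values are assumptions.

```pf
# Constructed example: whitelist-only gateway. Interface names, the LAN
# prefix and the table file are assumptions, not values from the thread.
ext_if = "em0"
int_if = "em1"
lan    = "192.168.1.0/24"

# Work-related destinations, one IP or CIDR per line. "persist" keeps the
# table across reloads and lets "pfctl -t allowed -T add/delete" edit it live.
table <allowed> persist file "/etc/pf.allowed"

set skip on lo0
scrub in all

# LAN clients leave through the gateway's external address.
nat on $ext_if inet from $lan to any -> ($ext_if)

# Default deny, logged, so direct-IP attempts and foreign DNS servers show
# up in pflog instead of silently failing.
block log all

# The only DNS the LAN may use is the resolver on this gateway; any other
# port-53 destination is dropped and logged.
pass in quick on $int_if inet proto { tcp, udp } from $lan to ($int_if) port 53 keep state
block in log quick on $int_if inet proto { tcp, udp } from $lan to any port 53

# The gateway's own resolver may query upstream servers.
pass out quick on $ext_if inet proto { tcp, udp } from ($ext_if) to any port 53 keep state

# LAN web traffic is allowed only to table entries, on web ports. Typing an
# IP literal (dotted or decimal) into the address bar still hits the table.
pass in on $int_if inet proto tcp from $lan to <allowed> port { 80, 443 } keep state
# After NAT the outbound packet carries ($ext_if) as its source, so the
# external-interface rule matches on the destination table only.
pass out on $ext_if inet proto tcp to <allowed> port { 80, 443 } keep state
```

Load it with pfctl -f /etc/pf.conf and watch pflog0 for blocked port-53 and non-table hits to see bypass attempts. Because the table holds addresses rather than names, sites that move between IPs need their entries refreshed, which is the maintenance cost the thread points at.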

