# FreeBSD and Content Filters



## unix_united (Jul 15, 2009)

Hi there,

I would like to put on top of my FreeBSD / PF firewall some free content filtering software.

HTTP
FTP
Messengers
SMTP

Any idea which set of tools / ports I can install?

regards


----------



## vivek (Jul 15, 2009)

Use squid cache proxy, it can filter out almost all content. You also need to use squid guard to block many harmful sites. PF can block IPs and other stuff.


----------



## phoenix (Jul 15, 2009)

DansGuardian is a much nicer add-on to Squid than SquidGuard.  SG just checks the requested URL against a bunch of black/white lists.  DG does all that, plus it actually scans the text content of the returned pages for words/phrases, and decides whether to block based on that.

There's even a port for it in the FreeBSD ports tree.


----------



## johnblue (Jul 15, 2009)

phoenix said:

> There's even a port for it in the FreeBSD ports tree.


Thanks for the post!

I was reviewing some of the feedback on the site and came across this:

> Even though Dansguardian is included with the FreeBSD 6.0 Ports collection, we are still required to download either the .gz or source files to install. This isn't the easiest thing to do since we're not using any GUIs and finding the correct source is a challenge in Lynx. Wget nets nothing - the URL described in the message is a dead-end.
> We sincerely hope Dansguardian is better accommodated on FreeBSD in the near future. Yes, we've written to the FreeBSD folks as well.


I know that was at least three years ago; has anything changed?


----------



## johnblue (Jul 15, 2009)

Some more stuff I dug up whilst rooting around on SmoothWall:  http://*beep**beep**beep**beep*morr...se-smoothwall-corp-products-free-to-download/

As you can see, the URL was mangled. Try this one: http://www.google.com/#hl=en&safe=a...ree-to-download/&aq=f&oq=&aqi=&fp=FoDRLyzXl7w

It is the first search result.


----------



## phoenix (Jul 16, 2009)

johnblue said:

> Thanks for the post!
> 
> I was reviewing some of the feedback on the site and came across this:
> 
> I know that was at least three years ago; has anything changed?

First I've heard of that, and I'm the maintainer of the FreeBSD port.  

Due to licensing issues, I can't just link directly to the source tarball.  The end-user has to go to the page linked in the port, read the license, then click the download link.  That takes you to a page with three directories.  You go into the stable directory, and there's all the different versions.  Just download the one you want.  The port even tells you which one to download.

It's not point-and-click, but it's certainly not difficult.  I test with links2, fetch, and Firefox, so I know it's not arduous.  And once you download the source once, you know what the URL is for any updates.


----------



## Carpetsmoker (Jul 23, 2009)

I will second Phoenix's recommendation on DansGuardian.

One of the things I like about it is that it also has the ability to inspect the content of a page, rather than just use a fixed blacklist.
For example, while I was setting up DansGuardian a few years ago we were having some spam problems on another BSD forum, porn spam among others. The content filter picked this up and blocked the pages appropriately.

The licensing isn't perfect, but other than that it's a very nice application.


----------



## bb (Jul 23, 2009)

For SMTP, I experienced good results with MIMEDefang. It is designed to run with sendmail, using the milter interface, but I use it with Postfix.


----------



## bigrob76 (Jul 23, 2009)

What about blocking a specific MAC address on the LAN from accessing facebook.com?
I am running IPFW and NAT, but am open to switching to IPF, as I have that running at home and the syntax seems easier to understand.
It would be something like...

block out on bge0 from

And that's where I'm unsure. Can you input a MAC address there? Or does it have to be an IP? If it has to be an IP, then I can't use DHCP for that client. And after that, then it goes...

to facebook.com

Or to their IP address? If IP, then I'll have to list probably more than one and then worry about how often they are going to change?

Is this even feasible? Perhaps there is an easier way and I'm just not thinking on the right path.


----------



## phoenix (Jul 23, 2009)

IPFW can filter layer 2 (Ethernet) frames as well.  See the man page for details.

Packet filters work at the IP level; they have no concept of hostnames or domains.  With IPFW, you can write rules using hostnames and domains, but when the rule is actually loaded, the kernel does a DNS lookup, and only the first IP returned is put into the rules.

When writing packet filtering rules, always stick to IPs, use variables with nice names to store them, and look into using groups/lists/tables to stick multiple IPs into a single variable.
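Phoenix's advice above (IPs rather than hostnames, macros for names, tables for lists) applied to bigrob76's question, as an added pf.conf example that is not from the thread; the interface name, the client address and the table file path are assumptions, and the table has to be filled with addresses you resolve and maintain yourself.

```pf
# Added example, not from the thread. Assumptions: bge0 is the LAN-facing
# interface, 192.168.1.50 is the client's address (pin it with a static DHCP
# lease), and /etc/pf.blocked_sites holds one IP or CIDR per line.
lan_if = "bge0"
client = "192.168.1.50"

# A table keeps any number of addresses under one name. "persist" keeps the
# table even when it is empty, "file" loads it when the ruleset is loaded.
# Nothing is resolved at match time: the list is exactly what you put in it.
table <blocked_sites> persist file "/etc/pf.blocked_sites"

# Match on the inside interface, before NAT rewrites the source address.
# "log" sends every hit to pflog0 so the matches can be reviewed.
block in log quick on $lan_if from $client to <blocked_sites>

# Refresh the list without reloading the whole ruleset:
#   pfctl -t blocked_sites -T replace -f /etc/pf.blocked_sites
# Inspect the loaded table:
#   pfctl -t blocked_sites -T show
```

The table changes on its own schedule, so re-resolving the site and replacing the table from cron is what keeps the rule accurate when the site's addresses change.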


----------



## bb (Jul 23, 2009)

Why not use ipfw?

It has a MAC option, so we can deny all from any to facebook.com MAC any 10:20:30:40:...

Of course, you cannot block access to facebook this way. There are archives, anonymizers (proxies) and stuff like that on the web.

Blocking mac addresses is also rather a joke than anything else.


By the way...


> I would like to put on top of my FreeBSD / PF firewall some free content filtering software.


...is this thread serious?


----------



## SirDice (Jul 24, 2009)

Filtering on MAC address or IP address is pretty much pointless. It's quite trivial to change either one or both.

If you really want to block users from accessing certain sites you will have to force them through a proxy server and filter there.


----------



## bigrob76 (Jul 26, 2009)

bb said:

> Why not use ipfw?
> 
> It has a MAC option, so we can deny all from any to facebook.com MAC any 10:20:30:40:...
> 
> ...



Excellent. I should have seen that in the manpage but I somehow missed it - it's a little long-winded. I know blocking MACs is a joke (as well as IPs for that matter), but my Windows users will have no clue how to work around it. Keep in mind these are the same people who bring their infested home PCs in for me to reinstall Windows for them.


----------

