|« B2Evolution 2.1.0 Beta Upgrade||VMWare ESX 3 Boot Failure after Navisphere Agent Upgrade »|
The original intent I had in setting up my IPCop firewall PC was to implement a content filtering system for my kids. I’m not to worried they would look for “bad” stuff, but that they might stumble upon it by mistake. I have discussed IPCop and DansGuardian in previous blog entries (1, 2). Here I will attempt to describe not how to install DansGuardian, but how to enable a way for you to allow bypassing it as you see fit. This is for the situation where you want to protect the kids (or whoever else), but you don’t want to inhibit full access to the internet by certain others (yourself?).
DansGuardian can be quite agressive in blocking some sites depending on how you have it setup, but hey, you are an adult and you are the parent so why should you ever have to be blocked. The way DansGuardian blocks there are various ways that you can configure it to allow access to sites.
My way is to display the normal DansGuardian blocked page but to edit it to include a password text box
This method will allow you to allow a user with a valid password to bypass the block, but will still create log files that allow the admin to see which password/user accessed which sites.
This is what I did. Again, this is essentially a modification of the smoothwall mod. I’m not very comfortable with Linux yet and creating the installer was quite a challenge for me, but I decided I would make it available to anyone who is interested. I don’t have time to support it, but if you want to post a comment here I’ll try to followup.
Here are the steps to install this mod:
At this point you should have a functional IPCop install with Cop+ (DansGuardian). Make sure it is working as expected before proceeding! Here I need to insert the standard super-duper disclaimer/warning. The following steps are at your own risk (actually ALL the steps are at your own risk)! This is the stuff that I hacked together to install this mod without it being completely manual. The install is automated using a shell script that I modified from the original author. Keep in mind that I am NOT a Linux guy so it could easily go awry. One option if you are nervous may be to peruse the script file and get comfortable with what it is doing or even to do the steps yourself. None of it is super complex. Also note, THERE IS NO UNINSTALL SCRIPT!
tar vxf DGBypass.tar
root@ipcop:~/DGBypass # ls -ls
4 -rw-r--r-- 1 root root 3091 2007-11-14 22:34 DGBypass.bz2
4 -rw-r--r-- 1 root root 47 2007-11-14 22:34 DGBypass.bz2.md5
4 -rw-r--r-- 1 root root 144 2007-05-18 00:09 dgbypass.logrotate
20 -rw-r--r-- 1 root root 20480 2007-11-14 22:34 DGBypass.tar
4 -rw-r--r-- 1 root root 47 2007-11-14 22:34 DGBypass.tar.md5
8 -rwxr--r-- 1 root root 5527 2007-11-14 22:32 install-dgbypass.sh
root@ipcop:~/DGBypass # ./install-dgbypass.sh
Backing up existing DG Stop template... Already done
Checking archive integrity... perfect!
Extracting files... done!
Checking for DGBypass.cgi... Got it :)
Checking for denied.html... Got it :)
Checking for template.html... Got it :)
Extracted Green IP. Green IP is 192.168.2.254Modifying template.html... Green IP updated.
Modifying passwords.cgi... Green IP updated.
How many minutes do you want the bypass link to be valid for? 15
Modifying bypass time value in dansguardianf1.conf file
Already on and set to 900 seconds.
Shutting down dansguardian: [ OK ]
Starting dansguardian: [ OK ]
Modifying logrotate.conf... File already updated
Here is a quick overview of what the installer does.
/etc/logrotate.conffile to configure automatic rotation of the bypass log files.
I didn’t modify the IPCop GUI to support editing of the DGBypassPasswords.txt file, so if you want to change the passwords you will need to edit it by hand. It is located at
/home/httpd/DGBypassPasswords.txt. This is what the file looks like:
# User/Password list for DGBypass addon
# format is password,username
# note that username is NOT entered by the user, but is used for logging only
# so you would give out a password to a user and assign a username that will allow you to
# identify who is using the bypass by reviewing the log files (in /var/log/dansguardian/)
# if ident is available then this is unnecessary because the ident username will also show up
# in the log files.
Note that the passwords above are not the ones in the scripted install.
All bypass activity is logged, but again, I did not modify the GUI to view these logs. The logs are in the following location:
/var/log/dansguardian/dgbypass.log. You can edit the
/etc/logrotate.conf file to change how the log files are retained and rotated.
|<< <||> >>|