- I want ACL-like features where different users and groups and subnets and times have different settings. Can DansGuardian do this?
- When will NTLM be supported?
- Who are the developers?
- Why does it use Squid?
- How much does it cost?
- Can I reverse the polarity?
- Which PICS rating services does it support?
- Does it check images for pornography?
- Is there commercial support available?
- Whats the mailing list for?
- Are you against porn or something?
- What's all this nonsense with blah at foo dot com?
- Why is DansGuardian called 'true' content filtering?
- Can DansGuardian do anti-virus filtering?
- Is DansGuardian CIPA compliant?
- After installing and running DansGuardian it does not appear to filter and/or log.
- During make install of DansGuardian it stops saying 'squid.squid: invalid user'.
- Ident no longer works in transparent proxy mode.
- During make it gives an error about zlib.h.
- When using DansGuardian, the squid logs all point to localhost as source ip.
- I get "Error connecting to test proxy"?
- When trying to set up transparent proxying, I get errors, but with the host part of the url missing.
- It's running, but not filtering.
- On my RedHat 7.1 or SuSE, with large HTML pages, it is really slow, even with my 2Ghz Athlon.
- How do I use newsyslog on OpenBSD instead of your splendid rotation script?
- Debian online installs don't work through DansGuardian, neither do some other online updates such as Norton Anti Virus
- It gives an error on startup but it does not explain what the problem is.
- Since using DansGuardian my squid ACLs no longer work.
- Have you any recommendations for use in a large scale environment?
General - Answers
1. I want ACL-like features where different users and groups and subnets and times have different settings. Can DansGuardian do this?
No*. It can switch off filtering for certain users, sites and IPs, but not varying degrees. This ability you desire is called ACLs. Nor can it block for ranges of IPs or subnets. Nor can it block by time of day. If you need this install squidGuard also.
*Actually as of version 2.7.5 it can have different filtering for groups of users but it still can't do time of day functionality nor subnets nor range of IPs.
2. When will NTLM be supported?
NTLM support requires persistent connection support to work first. The answer to the question is "when somone writes it". There are workarounds - see:
3. Who are the developers?
See the Developers page.
3. Why is it being programmed in C++ and not C?
I don't know C very much, but I know Java which is based a lot on C++. C is for kernel and drivers. C++ is for higher level programs. C++ is more modern. For a discussion on why C++, look into KDE vs Gnome arguments.
4. Why does it use Squid?
So it does not have to implement web fetching etc. It's not really a proxy - more of a filtering pass-though for squid. Why squid specifically? - because it's the best (although some prefer oops, which, incidentally, works with DansGuardian). It would work with httpd if you wanted I expect. DansGuardian is designed to be just another layer on top of a proxy, but filtering. Why have a site with web access without a cacheing proxy?
5. How much does it cost?
The licensing for DansGuardian 1 is different to the licensing for DansGuardian 2. See these two documents for licensing. Also see the Pricing page.
You must read the copyright notice if you wish to download this program.
6. Can I reverse the polarity?
You mean, make it filter out all the non pornographic, non profane sites to get to only the real hardcore - set it in reverse like. No. The thanks for this question goes to two people who shall only be named as AC and GB.
7. Which PICS rating services does it support?
It does not use .rat files, but to add extra rating services is quite simple. The ones currently supported are:
8. Does it check images for pornography?
No. To do this it could unencode the image file and scan for high percentages of skin tone. This would take a lot of processing power. It is possible and has been done by other people. I may consider adding this to my program. If anyone wants to contribute and write this bit I would be interested to hear. I'm not sure how it would work for black or asian people who have a much darker skin tone?
9. Is there commercial support available?
Yes. See the licensing and pricing pages.
10. Whats the mailing list for?
All aspects of DansGuardian. Installation help. Troubleshooting. Bug reporting. Suggestions. Offers of help. Feature requests.
11. Are you against porn or something?
No. I am pro-free speech. I am anti-censorship. I am pro-classification. Nothing should be banned totally - ever. Everything should be classified so only what is appropriate can be viewed. I do not just mean web pages. I mean everything. DansGuardian applies classification where needed to web pages. An adult individual at home has every right to read, view and say what ever they want. A child in a school or library does not have this right. This is what I think. If you disagree - great; everyone is entitled to their own opinion.
12. What's all this nonsense with blah at foo dot com?
It's to reduce spam. Most email harvesters seem to be trawling the web now rather than news groups. They look for firstname.lastname@example.org and then sell the address to companies that send out all that annoying bulk email. If you disagree, then disagree with freshmeat.net who also do it.
13. Why is DansGuardian called 'true' content filtering?
DansGuardian actually filters the content of web pages and requests by phraselist as well as others. Most commercial (not IGear) web filters call themselves content filters when they are not - they are just glorified URL filters. They are pointless, especially when one has access to the free and brilliant squidGuard. They are lieing through their teeth. People who don't realise this waste a lot of money on them.
14. Can DansGuardian do anti-virus filtering?
Versions 2.8 and eariler can not without applying or using the DGAV patch. Version 2.9 and later will have this feature as standard.
15. Is DansGuardian CIPA compliant?
Becoming CIPA compliant is a multi-step procedure that involves creating
written policies, having open meetings for public input, technology planning
and applying a technology protection measure. DansGuardian meets all of the
requirements necessary for implementing a technology protection measure. If a school/library only installed DansGuardian and did none of the other
steps, they would not be CIPA compliant, so technically, software cannot be
labeled CIPA compliant. Legally, it is a significant distinction.(Written by Tamara Georgick, Technology and Training Consultant, Washington State Library). Also see this message on the subject.
Installation and Problem - Answers
1. After installing and running DansGuardian it does not appear to filter and/or log.
Last time I heard that a squid -k reconfigure fixed it. Configure your client browser with the http proxy address to be the ip of the linux running DG with port 8080. Also don't forget you need to stop and start DG every time you edit the conf and list files. Also don't forget that the browser will cache pages without fetching and so being filtered. You need to flush the caches and force reloads.
If it's not logging, check that your ip address is not in the ipexceptionlist file in /etc/dansguardian. Some versions ship with some example ips such as 192.168.0.1.
2. During make install of DansGuardian it stops saying 'squid.squid: invalid user'.
You haven't created the squid user or group. You'll need to create the user and group, then change your squid.conf to reflect the new user and group that it should run as. I would probably suggest starting with the Squid FAQ at http://www.squid-cache.org, or read the HOWTOs.
3. Ident no longer works in transparent proxy mode.
See this page: http://groups.yahoo.com/group/dansguardian/message/885
4. During make it gives an error about zlib.h.
See this page: http://groups.yahoo.com/group/dansguardian/message/1136
If it's Debian, you need to install zlib1g-dev.
Configuration/Usage - Answers
1. When using DansGuardian, the squid logs all point to localhost as source ip.
That is correct. The source ip of the request to squid is localhost as it is DansGuardian making the request which is running locally on the server. In order to monitor which ip is going where you need to look at the DansGuardian logs which are in /var/log/dansguardian. It might be worth pointing out that the format of the DansGuardian log is not the same as squid, however a small perl script could be written to convert it to very similar.
However, DansGuardian 2 supports (can add) the X-Forwarded-For header entry that squid can add. But squid does not support it itself. See http://groups.yahoo.com/group/dansguardian/message/630 near the bottom of the page. There is a patch available for squid to allow it to use the X-Forwarded-For entry so you don't lose the squid ACLs.
2. I get "Error connecting to test proxy"?
3. When trying to set up transparent proxying, I get errors, but with the host part of the url missing.
Most likely it is a problem with your proxy. But this question is more of a (insert proxy name) issue than a DansGuardian issue. However this is a FAQ after all!
You could do with reading some of the HOWTOs as well.
4. It's running, but not filtering.
Check the /etc/dansguardian/exceptioniplist file. Check the proxy settings in your browser - they should be pointing at the port DansGuardian is listening on. Check the accessdeniedaddress is correct.
5. On my RedHat 7.1 or SuSE, with large HTML pages, it is really slow, even with my 2Ghz Athlon.
With the current version of RedHat 7.1, there is a bug in the regexec() in the glibc. This is not a bug in DansGuardian, but a bug with the glibc in RedHat 7.1. This bug does not occur in RedHat 6.2 or 7.0. or 7.2
The solution (upgrading glibc) is detailed below:
A version of glibc on RedHat 7.1 that is known to work is 2.2.3-14.
- Go to ftp://rawhide.redhat.com/pub/redhat/linux/rawhide/ (or use updates.redhat.com and download glibc updates for 7.1)
- Check your glibc libs (rpm -qa | grep glibc)
- Get newest glibc rpms (glibc, glibc-devel and glibc-common)
- Enter in single user mode just to be safe ('linux single' at lilo:)
- Do a normal rpm -Fvh with each glibc rpm (you may need a --nodeps as well)
A word of warning from Craig:
The rpm xxxx --nodeps will work most of the time.. Depending upon the dependant packages that the package that you are installing does not require a certain version. You will want to verify the files, as rpm lists them (at least in RedHat). Some packages when run with --nodeps will break other packages installed.
A word of warning from Sergey:
This may break samba.
6. How do I use newsyslog on OpenBSD instead of your splendid rotation script?
If rotating DG logs with newsyslog, you have to configure newsyslog
like this (in /etc/newsyslog.conf):
/var/log/dansguardian/access.log nobody.nobody 644 7 * 24 Z \
"/usr/local/etc/rc.d/dansguardian.sh stop && \
Important things are:
- New access.log will have both UID and GUID set to "nobody".
Default is "root", which prevents DG from writing to the log, meaning
that DG won't start after log rotation.
- DG will be restarted after rotating the log. If this is not
done, DG runs ok but won't log anything after log rotation occurs.
Other options mean:
- New access.log will have permissions set to 644.
- Keep 7 latest logfiles in archive.
- Don't care about size of the log file.
- Rotate log every 24 hours.
- Compress archived logfiles.
7. Debian online installs don't work through DansGuardian, neither do some other online updates such as Norton Anti Virus
This is caused by the Debian servers labelling their files as text with a gzip stream. The solution is to put their servers in the exceptionsitelist. Or check the logs and see which server is being blocked and put that in the
8. It gives an error on startup but it does not explain what the problem is.
DansGuardian is actually quite detailed at reporting errors, however, to see them try starting it from the command line with the single command 'dansguardian'. It will tell you which file and where the problem is.
9. Since using DansGuardian my squid ACLs no longer work.
That is correct. The source ip of the request to squid is localhost as it is DansGuardian making the request which is running locally on the server. There are two solutions. One is to put squid in front of DansGuardian and have DansGuardian use an uprstream proxy such as the ISPs. The other is to install the patch available to make squid use the X-Forwarded-For entry from DansGuardian which would make the ACLs work again.
10. Have you any recommendations for use in a large scale environment?
Have a look at this message and its thread: http://groups.yahoo.com/group/dansguardian/message/3231.
Page last modified: 27 February 2005 18:38:00