I second that. I have on the gateway box (OpenBSD):
- Squid with ad-zapper.
- I then have dansguardian running as well in front of squid.
Initially I used PF to transparent proxy the setup, so all users in the
internal network had their traffic pass through dansguardian/squid. But then
I got the same level of filtering as the younger users of the internet
connection.
In the end I setup squid to use basic authentication.
I then use dansguardian to recognise the basic authentication and users are
placed into two groups.
So now certain users (less than 18) get filtered and other users still get
the caching/ad-zapping goodness but dansguardian lets them through.
PF blocks all http/https traffic requests from the internal network, and
only allows proxy connections on port 8080 (where dansguardian is listening
in my case).
I also have an an internal only listening apache vhost which has a proxy.pac
on it. This way all I need to do is add http://gateway.ip/proxy.pac to
whatever browser the internal client devices use.
It's a lot easier to setup if your OpenBSD gateway is also running
squid/dans, well for a small site anyway (< ~10 users).
You can even use this to have younger kids have one level of filtering, and
older kids on a higher dansguardian "naughtiness level".
I've been using it for 8 years now, so I have it fairly stable. Happy to
take any off list questions on what/how/why.
--
Ted
- I could
