From owner-freebsd-questions Wed Jul 25 0:32:18 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from c017.sfo.cp.net (c017-h004.c017.sfo.cp.net [209.228.12.218]) by hub.freebsd.org (Postfix) with SMTP id 0634437B405 for ; Wed, 25 Jul 2001 00:32:13 -0700 (PDT) (envelope-from noackjr@compgeek.com)
Received: (cpmta 12414 invoked from network); 25 Jul 2001 00:32:04 -0700
Date: 25 Jul 2001 00:32:04 -0700
Message-ID: <20010725073204.12413.cpmta@c017.sfo.cp.net>
X-Sent: 25 Jul 2001 07:32:04 GMT
Received: from [66.136.20.104] by mail.compgeek.com with HTTP; 25 Jul 2001 00:32:04 PDT
Content-Type: text/plain
Content-Disposition: inline
Mime-Version: 1.0
To: clay@tycksen.com
From: Jon Noack
Cc: freebsd-questions@FreeBSD.org
X-Mailer: Web Mail 3.9.3.5
Subject: Re: freebsd box as a porn filter?
X-Sent-From: noackjr@compgeek.com
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

>>>> Clayton Tycksen writes:
>>>>
>>>> Dear FreeBSD,
>>>>
>>>> I'm relatively new to Unix. A good friend of mine has converted me
>>>> to FreeBSD, and I'm enjoying it.
>>>> I do have a question- as the administrator of a small network, I'm
>>>> wondering if it's possible to set up FreeBSD on a box and have it
>>>> perform filtering of pornography. I realise that I can set up a
>>>> FreeBSD box to perform packet filtering (although I still need to
>>>> figure out how to do that, exactly). But I'd like to prohibit nodes
>>>> on our network from viewing pornographic material, and a few other
>>>> general websites. I do not have an external 'router' per se - We
>>>> have an ISDN connection to our ISP (which does not provide filtering).
>>>>
>>>> I've looked at available hardware designed specifically for spam and
>>>> porn filtering for networks, but the price of the hardware is too
>>>> high for my small network of 15 nodes and 2 servers.
>
> Bill Moran writes:
>
> You know, I wasn't paying much attention to this thread, but the
> solution is very simple. I've seen one client do it and it works fine.
> First, establish a written policy that work computers are for work,
> period. And establish a written policy for punishments for viewing
> potentially offensive material on company computers. This leaves nothing
> to be questioned. Then put up a squid proxy (which is a good idea
> anyway, for the sake of optimizing your existing bandwidth) and make it
> public that you're logging *everything* that people do on their
> computers, in compliance with the written policy. Then, after a month
> or so, do a text search through the logs for words like "porn", "sex",
> etc. Track down the IPs of who did it, and deal with them in accordance
> to the written policy. We only had to approach 1 person, after that,
> word got out that the policy was serious and we haven't seen anything in
> the logs since. It takes a very short amount of time to check the logs
> each month, and even less time if there are no violations.

As a unix geek who helps out a private high school over the summer, I have also had the "pleasure" of dealing with content filtering. The school I work for has a written user agreement outlining expectations as well as punishments (e.g. loss of internet access, loss of computing privileges, etc.) in addition to a content filter.

The content filtering solution we pursued was a firewall w/ content filtering (available as an option) from SonicWall. We have about a $60,000/year budget so the $1500 cost of the firewall (we needed one anyway) and the $600/year content filtering subscription was not a big deal. We had looked into SquidGuard, but my boss (a windows guy) did not want to worry about (A) working on a unix system and (B) having to update the list of blocked servers.
With the content filtering subscription, we get automatic weekly updates of the CyberPatrol CyberNot list and can block many different categories of sites we deem inappropriate.

Our only goal with this filtering was to prevent 90% of our users from even trying to surf porn and scare away 90% of those who do try to surf porn with a rather emphatic "blocked" page (i.e. "THIS INCIDENT HAS BEEN LOGGED."). The other 1% (total) will eventually get caught (by filter logs or by an actual person) and punished.

The filtering covers us from possible lawsuits by parents irate that their spoiled children saw something they shouldn't have seen, as we have taken measures to prevent such activity. The user agreement also requires a parent signature if the student is not an adult (under 18 years old). These measures completely shield us from legal action. We state we will try to provide teacher supervision at all times, but this is not always possible.

The punishments range from a warning to expulsion for students. Our faculty and staff sign a similar user agreement and face punishments ranging from a warning to getting fired. The punishment level is based on severity as well as whether there were any previous offenses.

Probably the most important step we have taken is being very formal and clear about the user agreement, the content filtering, and that WE LOG EVERYTHING. This will scare away >99% of your users and catch the remaining <1%. If you are very organized and communicate well with the students and parents, most of your problems go away...

Jon Noack
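
The monthly log review Bill Moran describes in the quoted text (search the Squid logs for words like "porn" and "sex", then track down the client IPs), as an added example that is not part of the original message. It assumes Squid's native access.log layout; the sample records, hostnames and addresses are constructed, and it compares plain substring search with whole-word matching on the URL.

```python
import re
from collections import defaultdict

# Keywords named in the quoted message; extend per the written policy.
KEYWORDS = {"porn", "sex"}

# Constructed sample records in Squid's native access.log layout:
# time elapsed client action/code bytes method URL ident peer type
SAMPLE_LOG = """\
996046324.123    250 192.168.1.14 TCP_MISS/200 5120 GET http://www.example-porn.test/index.html - DIRECT/203.0.113.10 text/html
996046330.456    120 192.168.1.22 TCP_MISS/200 2048 GET http://www.essex.example/library/ - DIRECT/203.0.113.20 text/html
996046341.789     90 192.168.1.14 TCP_HIT/200 900 GET http://img.example.test/sex/pic1.jpg - NONE/- image/jpeg
996046350.000     80 192.168.1.31 TCP_MISS/200 700 GET http://news.example.test/middlesex-council.html - DIRECT/203.0.113.30 text/html
garbage line that is not a log record
"""

def parse_line(line):
    """Return (client_ip, url) for a native-format record, else None."""
    fields = line.split()
    if len(fields) < 7 or "/" not in fields[3]:
        return None
    return fields[2], fields[6]

def review(log_text, keywords=KEYWORDS, whole_word=True):
    """Map client IP -> list of requested URLs that matched a keyword."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        record = parse_line(line)
        if record is None:
            continue  # skip truncated or foreign lines instead of crashing
        client, url = record
        lowered = url.lower()
        if whole_word:
            # Compare against alphanumeric tokens so "essex" is not "sex".
            matched = keywords & set(re.findall(r"[a-z0-9]+", lowered))
        else:
            matched = {k for k in keywords if k in lowered}
        if matched:
            hits[client].append(url)
    return dict(hits)

if __name__ == "__main__":
    for mode in (False, True):
        print("whole_word =", mode)
        for client, urls in sorted(review(SAMPLE_LOG, whole_word=mode).items()):
            print(f"  {client}: {len(urls)} hit(s)")
```

On the sample, substring search flags three clients, two of them only because of "essex" and "middlesex"; whole-word matching leaves one. Whole-word matching in turn misses keywords run together with other letters in a hostname, so either list is a set of candidates for a person to check before the written policy is applied.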