This might be slightly OT as it is not only OpenBSD specific.
I am working on improving my OpenBSD home router. I am seeking
advises/opinions with respect to Web filtering. About a year ago I
started using Privoxy as the number of ads, banners, pop-ups, and
similar junk became to much for me and Firefox (I am avoid add-ons). It
worked reasonably well and made me wonder if I can do little bit more.
Namely I realized that besides my trusted OpenBSD desktop we have bunch
of Kindles and Android tablets in our household (mostly used by kids) so
I should not be fooling myself that we are safe of viruses just because
network access is controlled by PF.
Obviously I have some familiarity with ClamAV so I started entertaining
the idea of scanning HTTP traffic for viruses either with Squid+Clamav
or with with HAPV
Of course there is a severe limitation as HTTPS traffic can't be
scanned. I know that there are some man-in-the-middle solutions that do
allow one to inspect SSL traffic as well but I am not familiar with
them. I was wondering if a kind soul could give me some suggested
Another interesting thing which is discussed in the Kernel Panic article
is DansGuardian which apparently have some ability to filter adds but
also gives me the ability to block some websites (now I am talking as a
father of two young girls). I know played little bit with DansGuardian
and Privoxy as well as DansGuardian and Squid and I can block sites but
it appears that it default blocking policy is pritty bad as it is
blocking even openbsd.org website.
Could anybody who is running DansGuardian in the production give me some
adivise on which proxy server should I use and what would be reasonable
Finally I realized that xombrero guys in their OpenBSD days created
ad-filtering proxy AdSuck. Kernel Panic is discussing also AdZapper.
Any oppinions on those two?
I am just trying to make a sense of all that info. My final goal is to:
1. strip as much as possible unwanted ads, banners, pop-ups, and
2. Scan http and possibly https for viruses (thereby protecting kids
devices as much as I can).
3. Block some websites (Facebook come first to mind).
Em 02-10-2015 16:45, Predrag Punosevac escreveu:
> 1. strip as much as possible unwanted ads, banners, pop-ups, and
> similar junk
There are tons of info regarding this. You're on the right direction
thinking of Squid, Dansguardian, etc. There is one recent addon from EFF
called Privacy Badger that deserve some mentioning. Instead of using
lists, it inspects the tracker behaviuor and blocks them if they are
bad. So, an addon has it's uses.
> 2. Scan http and possibly https for viruses (thereby protecting kids
> devices as much as I can).
You can possibly use realayd as a MITM intercepting proxy for TLS. See:
I think there was something in squid also, in that regard.
But, keep in mind that you'll need to install and maintain your CA certs
on all your devices(with varied degrees of success making all of them
work), and you'll probably need to prevent any other new device from
using the same network as yours. Also, I don't think that the sites
using pinned certs will work. I know chrome does allow usage of custom
CA's, and firefox has an option also. But that is not true for every
browser (or lib that some app might be using). To complicate things
further, there is HPKP. You can also use pflow(4) with nfsen for
detecting odd behaviour in your network, and try to catch anything that
might have passed.