Web Filtering with the Blowfish


Web Filtering with the Blowfish

Predrag Punosevac-2
Hi Misc,

This might be slightly OT as it is not only OpenBSD specific.

I am working on improving my OpenBSD home router. I am seeking
advice/opinions with respect to Web filtering. About a year ago I
started using Privoxy as the number of ads, banners, pop-ups, and
similar junk became too much for me and Firefox (I avoid add-ons). It
worked reasonably well and made me wonder if I can do a little bit more.
Namely I realized that besides my trusted OpenBSD desktop we have a bunch
of Kindles and Android tablets in our household (mostly used by kids) so
I should not be fooling myself that we are safe from viruses just because
network access is controlled by PF.

Obviously I have some familiarity with ClamAV so I started entertaining
the idea of scanning HTTP traffic for viruses either with Squid+ClamAV
or with HAVP

http://www.server-side.de/

I also read a wonderful article

http://www.kernel-panic.it/openbsd/proxy/

Of course there is a severe limitation as HTTPS traffic can't be
scanned.  I know that there are some man-in-the-middle solutions that do
allow one to inspect SSL traffic as well but I am not familiar with
them.  I was wondering if a kind soul could give me some suggested
readings.

Another interesting thing which is discussed in the Kernel Panic article
is DansGuardian which apparently has some ability to filter ads but
also gives me the ability to block some websites (now I am talking as a
father of two young girls). I now played a little bit with DansGuardian
and Privoxy as well as DansGuardian and Squid and I can block sites but
it appears that its default blocking policy is pretty bad as it is
blocking even the openbsd.org website.

Could anybody who is running DansGuardian in production give me some
advice on which proxy server I should use and what would be a reasonable
starting configuration?

Finally I realized that the xombrero guys in their OpenBSD days created
the ad-filtering proxy AdSuck. Kernel Panic is also discussing AdZapper.
Any opinions on those two?


I am just trying to make sense of all that info. My final goal is to:

 1. strip as much as possible unwanted ads, banners, pop-ups, and
 similar junk

 2. Scan http and possibly https for viruses (thereby protecting kids'
 devices as much as I can).

 3. Block some websites (Facebook comes first to mind).

Thank you for your advice.

Predrag


Re: Web Filtering with the Blowfish

Giancarlo Razzolini-3
On 02-10-2015 16:45, Predrag Punosevac wrote:
> 1. strip as much as possible unwanted ads, banners, pop-ups, and
>  similar junk

There is tons of info regarding this. You're headed in the right direction
thinking of Squid, Dansguardian, etc. There is one recent addon from EFF
called Privacy Badger that deserves some mention. Instead of using
lists, it inspects the trackers' behaviour and blocks them if they are
bad. So, an addon has its uses.

>
>  2. Scan http and possibly https for viruses (thereby protecting kids'
>  devices as much as I can).

You can possibly use relayd as a MITM intercepting proxy for TLS. See:

http://www.reykfloeter.com/post/41814177050/relayd-ssl-interception

http://www.openbsd.org/papers/relayd-asiabsdcon2013.pdf

I think there was something in squid also, in that regard.

But, keep in mind that you'll need to install and maintain your CA certs
on all your devices (with varied degrees of success making all of them
work), and you'll probably need to prevent any other new device from
using the same network as yours. Also, I don't think that the sites
using pinned certs will work. I know chrome does allow usage of custom
CA's, and firefox has an option also. But that is not true for every
browser (or lib that some app might be using). To complicate things
further, there is HPKP. You can also use pflow(4) with nfsen for
detecting odd behaviour in your network, and try to catch anything that
might have passed.

Cheers,
Giancarlo Razzolini


Re: Web Filtering with the Blowfish

Stefan Wollny-2
In reply to this post by Predrag Punosevac-2
On 10/02/15 at 21:45, Predrag Punosevac wrote:

>
>  3. Block some websites (Facebook comes first to mind).
>
> Thank you for your advice.
>
> Predrag
>

Hi Predrag,

I raised that question 2 years ago and received some pretty helpful
information from the kind people here.

I started with this thread:
http://thread.gmane.org/gmane.os.openbsd.misc/207960/focus=208000

But as I didn't get it right at first, I came up with a second thread:
http://thread.gmane.org/gmane.os.openbsd.misc/208048/focus=208061

If you would like to make some experiments with relayd I would like to
point you to Chris Cappuccio's comment and write-up:
http://thread.gmane.org/gmane.os.openbsd.misc/208048/focus=208061
http://www.nmedia.net/chris/url.blacklist.txt

Very smart! (Thanks again, Chris!)

Hope that gets you started.

Best,
STEFAN
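
The following added example is not from any post in this thread and is not DansGuardian, Squid or relayd code. It shows host-based blocking for goal 3 that matches on whole DNS labels, lets an allowlist override an over-broad rule, and accepts the `host:port` target of an HTTPS CONNECT request, which is the only part of the request an explicit proxy sees without TLS interception. The policy sets and function names are assumptions made for the example.

```python
from urllib.parse import urlsplit

# Constructed sample policy. "org" stands in for an over-broad default rule
# of the kind that ends up blocking openbsd.org.
BLOCKED = {"facebook.com", "org"}
ALLOWED = {"openbsd.org"}  # allowlist entries win over any blocklist entry


def request_host(target: str) -> str:
    """Return the host of an absolute URL or of a CONNECT 'host:port' target."""
    if "://" not in target:
        target = "//" + target  # lets urlsplit parse a bare 'host:port'
    try:
        host = urlsplit(target).hostname or ""
    except ValueError:  # e.g. malformed IPv6 literal
        return ""
    # Normalise case and the trailing root dot so 'FACEBOOK.com.' still matches.
    return host.rstrip(".").lower()


def matches(host: str, domains: set) -> bool:
    """True if host is a listed domain or a subdomain of one."""
    labels = host.split(".")
    # Compare whole labels only: 'notfacebook.com' must not match 'facebook.com'.
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


def decide(target: str) -> str:
    """Return 'allow' or 'deny' for a request target."""
    host = request_host(target)
    if not host:
        return "deny"  # unparseable target: fail closed
    if matches(host, ALLOWED):
        return "allow"
    if matches(host, BLOCKED):
        return "deny"
    return "allow"


if __name__ == "__main__":
    for sample in ("http://www.facebook.com/login", "m.facebook.com:443",
                   "http://www.openbsd.org/faq/", "http://notfacebook.com/"):
        print(f"{sample:35} {decide(sample)}")
```

The decision uses only the host name, so it applies to HTTPS requests as well as HTTP, while the virus scanning of goal 2 needs the decrypted response body.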