Installing & Configuring UFDBGuard
And finally, we need to install and configure UFDBGuard.
First, we need to get the source for UFDBGuard (there is a .deb package if you prefer, but I prefer compiling it myself). Change to your home directory (cd ~), where the build folder from our Squid installation is located.
Then cd into Build. Then run wget as in the picture above.
Extract the package after it’s been downloaded.
We also need to install some dependencies.
Then cd into the extracted source directory.
Run ./configure
Once that is done, run make && make install
And that’s the installation done. Now for configuration.
Firstly, let’s rename the default config file, and open a new file as the config file, since we’ll be using the one I’ll be providing.
Paste the contents below into that file, changing details to match your environment, then save & exit.
# Email for handling unblock requests
administrator "<a href=%22 mailto:admin@domain.com %22> Log
dbhome "/usr/local/ufdbguard/blacklists"
logdir "/usr/local/ufdbguard/logs"
logblock on
logpass off
logall off
squid-version "4.0"
squid-uses-active-bumping on
url-lookup-result-during-database-reload allow
url-lookup-result-when-fatal-error allow
analyse-uncategorised-urls off
ufdb-log-url-details off
ufdb-show-url-details off
check-proxy-tunnels off
safe-search off
youtube-edufilter off
youtube-edufilter-id "ABCD1234567890abcdef"
max-logfile-size 200000000
redirect-https ""
#http-server { port = 8081, interface = all, images =
external-status-command "/usr/local/bin/mailx"
mail-server "mailserver.mydomain.com"
admin-email "admin@mydomain.com"
# Define the network that contain computer systems that need URL
source AllSystems {
# define the security category
category security {
    # domainlist "security/domains"
    # expressionlist "security/expressions"
    # cacerts "security/cacerts"
    option enforce-https-with-hostname off
    option enforce-https-official-certificate off
    option https-prohibit-insecure-sslv2 on
    option allow-aim-over-https on
    option allow-gtalk-over-https on
    option allow-skype-over-https on
    option allow-yahoomsg-over-https on
    option allow-fb-chat-over-https on
    option allow-citrixonline-over-https on
    option allow-unknown-protocol-over-https on
    redirect
}
category safesearch-on {
    option safe-search on
}
category safesearch-off {
    option safe-search off
}
category alwaysallow {
    domainlist alwaysallow/domains
    redirect
}
category alwaysblock {
    domainlist alwaysblock/domains
    redirect ""
}
category ads {
    domainlist "ads/domains"
    # Email for handling
    redirect ""
}
category porn {
    domainlist "adult/domains"
    redirect
}
category arjel {
    domainlist "arjel/domains"
    redirect ""
}
category astrology {
    domainlist "astrology/domains"
    redirect ""
}
category audiovideo {
    domainlist "audio-video/domains"
    redirect ""
}
category bank {
    domainlist "bank/domains"
    redirect
}
category blog {
    domainlist "blog/domains"
    redirect
}
category celebrity {
    domainlist "celebrity/domains"
    redirect
}
category chat {
    domainlist "chat/domains"
    redirect
}
category child {
    domainlist "child/domains"
    redirect
}
category cleaning {
    domainlist "cleaning/domains"
    redirect
}
category cooking {
    domainlist "cooking/domains"
    redirect
}
category dangermat {
    domainlist "dangermat/domains"
    redirect
}
category dating {
    domainlist "dating/domains"
    redirect
}
category drugs {
    domainlist "drugs/domains"
    redirect
}
category filehosting {
    domainlist "filehosting/domains"
    redirect ""
}
category financial {
    domainlist "financial/domains"
    redirect ""
}
category forums {
    domainlist "forums/domains"
    redirect ""
}
category gambling {
    domainlist "gambling/domains"
    redirect
}
category games {
    domainlist "games/domains"
    redirect ""
}
category hacking {
    domainlist "hacking/domains"
    redirect ""
}
category jobsearch {
    domainlist "jobsearch/domains"
    redirect ""
}
category lingerie {
    domainlist "lingerie/domains"
    redirect
}
category liste_bu {
    domainlist "liste_bu/domains"
    redirect
}
category malware {
    domainlist "malware/domains"
    redirect
}
category manga {
    domainlist "manga/domains"
    redirect
}
category marketingware {
    domainlist "marketingware/domains"
    redirect
}
category mixed_adult {
    domainlist "mixed_adult/domains"
    redirect
}
category mobile-phone {
    domainlist "mobile-phone/domains"
    redirect
}
category phishing {
    domainlist "phishing/domains"
    redirect
}
category press {
    domainlist "press/domains"
    redirect
}
category proxy {
    domainlist "proxy/domains"
    redirect
}
category radio {
    domainlist "radio/domains"
    redirect
}
category reaffected {
    domainlist "reaffected/domains"
    redirect
}
category remote-control {
    domainlist "remote-control/domains"
    redirect
}
category sect {
    domainlist "sect/domains"
    redirect ""
}
category sex_ed {
    domainlist "sex_ed/domains"
    redirect ""
}
category shopping {
    domainlist "shopping/domains"
    redirect ""
}
category social_networks {
    domainlist "social_networks/domains"
    redirect
}
category sports {
    domainlist "sports/domains"
    redirect
}
category strict_redir {
    domainlist "strict_redir/domains"
    redirect
}
category strong_redir {
    domainlist "strong_redir/domains"
    redirect
}
category tricheur {
    domainlist "tricheur/domains"
    redirect
}
category warez {
    domainlist "warez/domains"
    redirect
}
category webmail {
    domainlist "webmail/domains"
    redirect
}
# define web content access rights, Put a questionmark in front of
acl {
    AllSystems {
        pass safesearch-on alwaysallow !alwaysblock !ads !porn !arjel !astrology !celebrity !child !cooking !dangermat !dating !drugs !gambling games !hacking !jobsearch !lingerie !malware !manga !marketingware !mixed_adult !mobile-phone !phishing proxy !reaffected !social_networks !remote-control !sex_ed !sports !strict_redir !strong_redir audiovideo bank blog chat cleaning filehosting financial
    }
    ### the next acl is a mandatory fallback for all other cases.
    ### do NOT remove this ACL.
    default {
        pass !ads !porn !arjel !astrology !celebrity !child !cooking !dangermat !dating !drugs !gambling !games !hacking !jobsearch !lingerie !malware !manga !mixed_adult !mobile-phone !phishing !proxy !reaffected !remote-control !sex_ed !sports !strict_redir !strong_redir !tricheur !warez audiovideo bank blog chat cleaning filehosting financial
        redirect
    }
}
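With this many categories it is easy for one ACL to let through something another ACL blocks (a category written without the leading "!"). The following check is an added example, not part of the original post or of ufdbGuard: it reads the acl section and reports, per ACL, which categories are blocked, which are passed, which names have no category definition, and which must-block categories lack a "!". The sample config is constructed, and the MUST_BLOCK set and the function name are assumptions chosen for illustration.

```python
import re
# Constructed sample in the shape of the acl section above (not the full config).
SAMPLE_CONF = """
category malware  { domainlist "malware/domains" }
category phishing { domainlist "phishing/domains" }
category proxy    { domainlist "proxy/domains" }
category games    { domainlist "games/domains" }
acl {
   AllSystems {
      pass !malware !phishing proxy games   # proxy is let through
   }
   default {
      pass !malware !proxy !warez
   }
}
"""

# Assumption for this example: categories every ACL should negate with "!".
MUST_BLOCK = {"malware", "phishing", "proxy"}
KEYWORDS = {"any", "none"}  # pass-list terminators, not category names
RULE = re.compile(r"\s*([\w-]+)\s*\{([^{}]*)\}")  # "<source> { ... }", no nesting

def audit_acls(conf_text, must_block=MUST_BLOCK):
    """Return {acl_name: {"blocked", "passed", "undefined", "not_blocked"}}."""
    text = re.sub(r"(?m)(^|\s)#.*$", "", conf_text)  # drop comments
    defined = set(re.findall(r"\bcategory\s+([\w-]+)\s*\{", text))
    acl = re.search(r"\bacl\s*\{", text)
    if not acl:
        raise ValueError("no acl section found")
    report, pos = {}, acl.end()
    while (m := RULE.match(text, pos)):  # stops at the brace that closes acl
        name, body, pos = m.group(1), m.group(2), m.end()
        blocked, passed = set(), set()
        for line in body.splitlines():
            words = line.split()
            if words[:1] == ["pass"]:
                for word in words[1:]:
                    (blocked if word.startswith("!") else passed).add(word.lstrip("!"))
        passed -= KEYWORDS
        report[name] = {
            "blocked": blocked,
            "passed": passed,
            "undefined": (blocked | passed) - defined,  # typo or missing category
            "not_blocked": set(must_block) - blocked,   # lacks a "!" in this ACL
        }
    return report

if __name__ == "__main__":
    print(audit_acls(SAMPLE_CONF))
```

To check a real file, pass its contents to audit_acls() with one directive per line, as in the layout above.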
Next up, we need to create our exceptions directories and files. First change directory: cd /usr/local/ufdbguard. These are for any exceptions to the blacklists we’ll be using. For example, Facebook is part of the social networks category; if we want to block that category but still allow Facebook, we’d put facebook.com (as typed there) in the alwaysallow/domains file.
Next, create a new directory for 2 scripts we need to create. You can create it anywhere.
The first script converts & imports our exception blacklists to ufdbguard’s blacklist format, then restarts ufdbguard to apply the changes.
Type out the above & save & exit
Then make the script executable.
The second script downloads our squidguard blacklists & does the same for them.
Type out the above & save and exit.
Then make the script executable.
Then execute the script.
Next we need to enable ufdbguard during system startup.
And finally, we need to copy our block page CGI script to the /var/www/cgi-bin directory. This is the page that is displayed when a website is blocked.
Now reboot. At this point you can change your DHCP server settings to dish out the proxy server as your default gateway instead of your firewall/router.
And we’re done!
Now for some testing.