DansGuardian Documentation Wiki

You are here: Main Index » faq


|

Wiki Information

Differences

This shows you the differences between the selected revision and the current version of the page.

faq 2010/01/23 12:00 faq 2010/10/22 16:50 current
Line 19: Line 19:
\\ \\
- 
==== Complaint FAQ ==== ==== Complaint FAQ ====
Line 37: Line 36:
  - Your ISP has applied strict filtering to your web access, likely because some child filtering you requested was applied to the wrong connection or at the wrong time or behaves differently than you expected.   - Your ISP has applied strict filtering to your web access, likely because some child filtering you requested was applied to the wrong connection or at the wrong time or behaves differently than you expected.
  - If you're using a school or work network, the network is tightening its restrictions. Find out the new policy. And discuss the specifics of your problem with your network administrator, as this specific block may be just a technical mistake.   - If you're using a school or work network, the network is tightening its restrictions. Find out the new policy. And discuss the specifics of your problem with your network administrator, as this specific block may be just a technical mistake.
-  - Your new computer (or new software distribution) by default runs DansGuardian locally  ...although you may not have realized it. +  - Assuming it's Linux/Unix-based (but //not// Windows-based), your new computer (or new software distribution) by default runs DansGuardian locally  ...although you may not have realized it.
**//Complaint#3. My web browsing was interrupted by a display that said "If you have any queries contact your ICT Coordinator or Network Manager." So I clicked on the nearest link, which brought me here. Can you help?//** \\ You will need to contact your web filter administrator, perhaps by some offline method such as telephone. **//Complaint#3. My web browsing was interrupted by a display that said "If you have any queries contact your ICT Coordinator or Network Manager." So I clicked on the nearest link, which brought me here. Can you help?//** \\ You will need to contact your web filter administrator, perhaps by some offline method such as telephone.
Line 149: Line 148:
**//General#5. Why does DansGuardian use some other backend proxy (Squid, Oops!, Tinyproxy, etc.)?//** \\ So DansGuardian does not have to re-implement web fetching, network timeouts, retrying, caching, password checking, etc. (The DansGuardian half of a DansGuardian/backend-proxy system is not really a proxy itself, it's more of a filtering pass-though.) **//General#5. Why does DansGuardian use some other backend proxy (Squid, Oops!, Tinyproxy, etc.)?//** \\ So DansGuardian does not have to re-implement web fetching, network timeouts, retrying, caching, password checking, etc. (The DansGuardian half of a DansGuardian/backend-proxy system is not really a proxy itself, it's more of a filtering pass-though.)
-**//General#5b. Why is DansGuardian usually combined with Squid?//** \\ Squid seems to be the premier all-around OSS backend proxy for networks. +**//General#5b. Why is DansGuardian usually combined with Squid?//** \\ Squid seems to be the premier all-around OSS backend proxy for whole networks.
Also, where web access is important enough to add filtering, speed is important too, Also, where web access is important enough to add filtering, speed is important too,
so a caching backend proxy should be used. Squid fills the bill for a fast caching proxy. so a caching backend proxy should be used. Squid fills the bill for a fast caching proxy.
 +
 +(The relatively heavyweight Squid is most appropriate for use in filtering an entire network of computers [and for providing assistance with some Auth schemes]. For single-computer or single-user applications, marrying DansGuardian with some other backend proxy [Tinyproxy? Oops!?] may be more appropriate, for example providing  better perceived performance.)
**//General#6. How much does DansGuardian cost?//** \\ The [[http://dansguardian.org/?page=copyright|licensing for DansGuardian 1]] is different from the [[http://dansguardian.org/?page=copyright2|licensing for DansGuardian 2]]. See these two documents for licensing. Also see the [[http://dansguardian.org?page=pricing|Pricing page]]. **//General#6. How much does DansGuardian cost?//** \\ The [[http://dansguardian.org/?page=copyright|licensing for DansGuardian 1]] is different from the [[http://dansguardian.org/?page=copyright2|licensing for DansGuardian 2]]. See these two documents for licensing. Also see the [[http://dansguardian.org?page=pricing|Pricing page]].
Line 194: Line 195:
DansGuardian actually scans its content word by word against the configured phraselists. Some commercial web filters call themselves content filters when they are not - they are just glorified URL filters. They are lying through their teeth. People who don't realise this waste a lot of money on them. DansGuardian actually scans its content word by word against the configured phraselists. Some commercial web filters call themselves content filters when they are not - they are just glorified URL filters. They are lying through their teeth. People who don't realise this waste a lot of money on them.
-**//General#15. Can DansGuardian do anti-virus filtering?//** \\ Yes. A standard feature in version 2.10 allows anti-virus checkers (and other content scanners) to be incorporated into DansGuardian. (Versions 2.8 and earlier required "the DGAV patch" to do anti-virus scanning. No patch nor special build or distribution is needed to use anti-virus scanning with version 2.10.)+**//General#15. Can DansGuardian do anti-virus filtering?//** \\ Yes. A standard feature in version 2.10 allows anti-virus checkers (and other content scanners) to be incorporated into DansGuardian. (Versions 2.8 and earlier required "the DGAV patch" to do anti-virus scanning. No patch nor special build or distribution is needed to use anti-virus scanning with version [2.9]2.10.)
**//General#15b. Are infected files quarantined or deleted?//** \\ With the newer method of incorporating anti-virus checking as an external scan (clamdscan), **//General#15b. Are infected files quarantined or deleted?//** \\ With the newer method of incorporating anti-virus checking as an external scan (clamdscan),
whether or not infected files are copied to quarantine is controlled by whether or not infected files are copied to quarantine is controlled by
the configuration of the anti-virus scanning tool, the configuration of the anti-virus scanning tool,
-not by DansGuardian. (With the DGAV patch and with the older integral [linked in ClamAV] method of including anti-virus checking, +not by DansGuardian. (With the DGAV patch and with the older integral [clamav with linked in ClamAV] method of including anti-virus checking,
infected files were deleted.) infected files were deleted.)
Line 270: Line 271:
although doing this is not so common.) although doing this is not so common.)
-**//General#21. I want my web filter to behave differently at different times of day. Can DansGuardian do this?//** \\ Yes, any list file of filter restrictions can be made active only at certain times of day simply by specifying times within that file itself. Comments within each list configuration file provide a guide for adding time of day restrictions to that particular file. (Note this method may not be suitable for changes to items in a //conf// file, and may not be the best way to handle massive changes affecting many list files simultaneously.)+**//General#21. I want my web filter to behave differently at different times of day. Can DansGuardian do this?//** \\ Yes, the simplest way to have the filter behave differently at different times of day is to use the time limiting syntax inside most //list// files. This method does not require restarting DansGuardian at all  ...not even a "soft" restart with\ <color #351>-g</color>. Specifying times inside most list files will allow those files of filter restrictions to be made active only at certain times of day. Comments within most list configuration files provide a guide for adding time of day restrictions to that particular file. (If there are no comments about time limiting syntax inside a specific file, the behavior is not supported for that particular file.)  
 + 
 +The time limiting syntax within a file is applied to __all__ items in that file; there is no syntax for limiting individual items. So the conventional procedure is to add <color #351>.Include</color> statements to a list file which point at newly created additional list files which each contain their own time limits. For example, two newly created list files might be one for "sites that are always banned" and another for "sites that are banned only during business hours". (The former contents of the existing base list file are usually distributed into the new list files.) 
 + 
 +(Note this method may not be suitable for changes to items in a //conf// file, may not work for more than one time block per day, and may not be the best way to handle massive changes affecting many list files simultaneously. See the items below for other alternatives.)
**//General#21b. I want to use different list files (not just turn them on or off) at different times of day. How can I do this?//** \\ One option is to use DansGuardian's <color #351>.Include</color> to split a list into more than one file. Then use clever settings of the "time" instructions within each file to enable one or the other (or both or neither) at different times of day. **//General#21b. I want to use different list files (not just turn them on or off) at different times of day. How can I do this?//** \\ One option is to use DansGuardian's <color #351>.Include</color> to split a list into more than one file. Then use clever settings of the "time" instructions within each file to enable one or the other (or both or neither) at different times of day.
-A second option is to set up a 'cron' job (one launched automatically at a certain time of day) to stop DansGuardian, then restart it with a different configuration that points at different list files. Use the  <color #351>-c\ ...</color>  option to point DansGuardian at a different configuration (rather than the default one). (You may need to figure out how to specify options such as <color #351>-c\ ...</color> through whatever mechanism your distribution uses to start services [daemons].)+A second option is to have the conf file point at a symbolic link which OS tools (rm\ ..., ln\ -s\ ..., etc.) manipulate before restarting DansGuardian. The symlink change is generally performed as part of a 'cron' job (one launched automatically at a certain time of day) that both changes configuration and restarts DansGuardian.  
 + 
 +(A 'cron' job can also restart DansGuardian with a different configuration altogether, one that points at different list files. Use the  <color #351>-c\ ...</color>  option to point DansGuardian at a different configuration [rather than the default one]. [For this option you may need to figure out how to specify options such as <color #351>-c\ ...</color> through whatever mechanism your distribution uses to start services (daemons).])
The major factor in choosing which mechanism to use is your own comfort level. Some administrators find 'cron' jobs drop-dead simple, while other administrators are allergic to 'cron' jobs and much prefer the convenience of time-of-day instructions inside DansGuardian list files. The major factor in choosing which mechanism to use is your own comfort level. Some administrators find 'cron' jobs drop-dead simple, while other administrators are allergic to 'cron' jobs and much prefer the convenience of time-of-day instructions inside DansGuardian list files.
Line 402: Line 409:
Although DansGuardian can also be used on a single system to filter web content for just that one system, it's commonly used for filtering web content for an entire network with many systems and many (visiting) users. In the whole-network context, the concept of time-per-user is less relevant. Although DansGuardian can also be used on a single system to filter web content for just that one system, it's commonly used for filtering web content for an entire network with many systems and many (visiting) users. In the whole-network context, the concept of time-per-user is less relevant.
 +**//General#31. Which languages and character encodings does DansGuardian support?//** \\ DansGuardian is capable of supporting __all__ alphabets, languages, and character encodings equally. Its processing is of simple sequences of raw bytes; it remains ignorant of the actual alphabet and/or language and/or encoding used by either any particular web page or any particular phrase configuration file.
 +
 +(Note although many users choose to not go beyond the generic "default" phraselists, DansGuardian functionality is //not// limited to them. Currently the generic "default" phraselists are skewed toward a Roman alphabet, the English language, and a Latin1-style character encoding.)
 +
 +Configuration may involve uncommon text editor functionality, incorrect or abbreviated displays, additional //.Include// statements, character encoding translation programs, environment settings, and the system default locale setting. You should thoroughly understand DansGnardian operation --in particular its interactions with language and encoding-- before attempting to extend the configuration to new web environment.
==== Installation and Problem FAQ ==== ==== Installation and Problem FAQ ====
Line 415: Line 427:
**//Installation#2. Why doesn't the Ident method of authentication for multiple filter groups seem to work in transparent-intercepting configurations?//** \\ Ident authentication __//does//__ work in both explicit-proxy and transparent-intercepting configurations. Ident authentication can sometimes be a bit tricky to install and configure, and so contribute to the impression that it simply doesn't work. For example, even one internal network infrastructure component that doesn't pass network traffic via port 113 can cripple Ident authentication. If you're having trouble with Ident authentication, it may help to look at [[http://contentfilter.futuragts.com/wiki/doku.php?id=using_ident_for_user_identification" target="_blank|the Ident instructions in the doc wiki]] or [[http://groups.yahoo.com/group/dansguardian/message/885|posting #885]] in the mailing list archives. **//Installation#2. Why doesn't the Ident method of authentication for multiple filter groups seem to work in transparent-intercepting configurations?//** \\ Ident authentication __//does//__ work in both explicit-proxy and transparent-intercepting configurations. Ident authentication can sometimes be a bit tricky to install and configure, and so contribute to the impression that it simply doesn't work. For example, even one internal network infrastructure component that doesn't pass network traffic via port 113 can cripple Ident authentication. If you're having trouble with Ident authentication, it may help to look at [[http://contentfilter.futuragts.com/wiki/doku.php?id=using_ident_for_user_identification" target="_blank|the Ident instructions in the doc wiki]] or [[http://groups.yahoo.com/group/dansguardian/message/885|posting #885]] in the mailing list archives.
-**//Installation#2b. Why do my web users experience very long delays when I try to use the Ident method of authentication?//** \\ In order to successfully use the Ident method of authentication, your entire internal network __must__ pass port 113 traffic. Commonly the default configuration of firewall software on each individual computer causes a problem; in particular the firewall built into Windows by default blocks port 113 traffic to the local computer. Port 113 __must__ be opened in every local firewall in order for you to use the Ident method of authentication successfully. +**//Installation#2b. Why do my web users experience very long delays and/or get mis-assigned to the default filter group when I try to use the Ident method of authentication?//** \\ In order to successfully use the Ident method of authentication, your entire internal network __must__ pass port 113 traffic. Commonly the default configuration of firewall software on each individual computer causes a problem; in particular the firewall built into Windows by default blocks port 113 traffic to the local computer. Port 113 __must__ be opened in every local firewall in order for you to use the Ident method of authentication successfully. (You may also need to open port 113 in your network infrastructure devices, especially "routers".)
**//Installation#3. retired//** **//Installation#3. retired//**
Line 660: Line 672:
**//Installation#21. Which Kaspersky anti-virus package do I need for the "kavd" contentscanner?  And what should I do after I've attempted to install Kasperky A-V but just get the message "'cannot perform virus scan"?//** \\ The <color #351>aveserver</color> program the "kavd" content scanner uses may have been moved to the 'kav4mailserver' package. Furthermore, the license terms provided by Kaspersky may no longer sanction its use for this purpose. **//Installation#21. Which Kaspersky anti-virus package do I need for the "kavd" contentscanner?  And what should I do after I've attempted to install Kasperky A-V but just get the message "'cannot perform virus scan"?//** \\ The <color #351>aveserver</color> program the "kavd" content scanner uses may have been moved to the 'kav4mailserver' package. Furthermore, the license terms provided by Kaspersky may no longer sanction its use for this purpose.
-To use Kaspersky anti-virus with DansGuardian, use the ICAP server and the "icap" contentscanner instead. +To use Kaspersky anti-virus with DansGuardian, use the ICAP server and the "icap" contentscanner configuration instead.
-//**Installation#22. Which "contentscanner" option should I use with Clam Anti-Virus?**// \\ Use the //second// option, the one that references 'clamdscan.conf', which says 'plugname=clamdscan'. The 'clamdscan' option guarantees there will never be any sort of version dependency between DansGuardian and ClamAV. +//**Installation#22. Which "contentscanner" option should I use with Clam Anti-Virus?**// \\ Use the //second// option, the one that references 'clamdscan.conf', which says 'plugname=clamdscan'. The 'clamdscan' option largely eliminates any sort of version dependency [build-time or run-time] between DansGuardian and ClamAV. It interfaces with the interprocess named pipe socket provided by the current version of ClamAV, and has no special requirements or restrictions.
-The old 'clamav' runtime option is present mainly for historical reasons (it may not even work at all with some recent versions of ClamAV); the old 'clamav' runtime option is effectively deprecated. The <color #351><nowiki>--enable-clamav</nowiki></color> build option is __//not//__ necessary. Most builds should use only the <color #351><nowiki>--enable-clamd</nowiki></color> option. (In fact in some situations the unnecessary presence of <color #351><nowiki>--enable-clamav</nowiki></color> can cause DansGuardian to emit a weird error message about a ClamAV library version mismatch, then refuse to start up.  Executables without the old 'clamav' build option will not experience this problem.) +The old 'clamav' runtime option remains present mainly for historical reasons (it may not even work at all any more with recent versions of ClamAV); the old 'clamav' runtime option is effectively deprecated. The <color #351><nowiki>--enable-clamav</nowiki></color> build option should __//not//__ be specified (it's not necessary, and probably won't even work any more). Most builds should use __//only//__ the <color #351><nowiki>--enable-clamd</nowiki></color> option. (In fact the unnecessary presence of build/configure option <color #351><nowiki>--enable-clamav</nowiki></color> will probably cause DansGuardian to emit a weird error message about a ClamAV library version mismatch, for example 
 +<code> 
 +dansguardian: error while loading shared libraries: libclamav.so.5: cannot open 
 +shared object file: No such file or directory 
 +</code> 
 +then refuse to start up, even if 'clamav' is not being used and so is not configured in dansguardian.conf.  Executables //without// the old 'clamav' build option will not experience this problem.)
-**//Installation#22b. The clamdscan option says //!!Not Compiled!!//, but the clamav option is present. Can I use the clamav option instead? If not, what should I do?//** \\ Technically, you could probably make <color #351>clamav</color> work in many cases. But it's not exactly the same, does not work in all situations, can be more difficult to install and maintain, and is not recommended.+**//Installation#22b. On my system the 'clamdscan' option in dansguardian.conf says //!!Not Compiled!!//, but the 'clamav' option is present. Can I use the 'clamav' option instead? If not, what should I do?//** \\ The 'clamav' option is not exactly the same, probably will not work at all with more recent releases of ClamAV, unneccessarily introduces an overly tight version dependency, can be difficult to install and maintain, and for all these reasons is not recommended.
Instead, do one or more of the following: Instead, do one or more of the following:
-  * complain to your distribution about their DansGuardian package having been built inappropriately+  * complain to your distribution about their DansGuardian package having been built inappropriately (builds should use //only// ./configure option <color #351>--enable-clamd</color>, //not// <color #351>--enable-clamav</color> too)
  * obtain a more appropriate (and later?) DansGuardian package for your distribution from an "unofficial" repository (most distributions have one or more)   * obtain a more appropriate (and later?) DansGuardian package for your distribution from an "unofficial" repository (most distributions have one or more)
-  * rebuild DansGuardian from source, adding <color #351>--enable-clamd</color> (rather than <color #351>--enable-clamav</color>) to its configuration (see Installation#24b for rebuilding "almost" the same)+  * rebuild DansGuardian from source, adding <color #351>--enable-clamd</color> to (and removing <color #351>--enable-clamav</color> from) its configuration (see Installation#24b for rebuilding "almost" the same)
-  * forego the use of an Anti-Virus with DansGuardian+  * forego entirely the use of an Anti-Virus with DansGuardian
-//**Installation#23. My system already runs the clam daemon. Can I just use the existing clam installation?**// \\ Yes, that's what <color #351>clamdscan</color> does, communicate with a clam daemon through the named pipe socket it provided.+//**Installation#23. My system already runs the clam daemon. Can I just use the existing clam installation?**// \\ Yes, that's what <color #351>clamdscan</color> does, communicate with a clam daemon through the named pipe socket it provides.
-//**Installation#23b. I tried to enable clamdscan, but it just says "Could not perform virus scan!" What should I do?**// \\ Back up. Debugging clamdscan through DansGuardian is usually needlessly difficult and is seldom necessary. It will work much better to debug clamdscan directly. +//**Installation#23b. I tried to enable clamdscan, but it just says "Could not perform virus scan!" What should I do?**// \\ Start by backing out of your hole. Debugging clamdscan through DansGuardian is usually needlessly difficult and is seldom necessary. It will work much better to debug clamdscan directly.
At a shell prompt you should be able to execute <color #351>clamdscan\ [filename]</color> and get a few lines of output --including an OK and a SCAN\ SUMMARY. Until this direct use of clamdscan works correctly for you, don't even bother trying to use it through DansGuardian. If you have problems, you may find the ClamAV log (follow <color #351>LogFile</color> from /etc/clamd.conf), the ClamAV options related to debugging (probably <color #351>LogClean</color> and <color #351>Debug</color>), and the ClamAV documentation helpful. At a shell prompt you should be able to execute <color #351>clamdscan\ [filename]</color> and get a few lines of output --including an OK and a SCAN\ SUMMARY. Until this direct use of clamdscan works correctly for you, don't even bother trying to use it through DansGuardian. If you have problems, you may find the ClamAV log (follow <color #351>LogFile</color> from /etc/clamd.conf), the ClamAV options related to debugging (probably <color #351>LogClean</color> and <color #351>Debug</color>), and the ClamAV documentation helpful.
Line 789: Line 806:
**//Installation#32. When I try to extract the "relevant" log entries, many of them don't contain the domain name that appears in the browser's address bar. Can I just assume these log entries are extra, and ignore them?//** \\ __No__! What appears in a browser as just one webpage is almost always composed internally of many parts, and each part generates a separate log entry. As only the browser knows what the "base page" is, the domain name in the browser's address bar won't appear anywhere in many of the relevant DansGuardian log entries (even though they're all really part of the same webpage). Often it's a problem with one of these parts from some other site that causes a base webpage to display incorrectly. To be effective, your troubleshooting must attend to these seemingly extraneous parts too. **//Installation#32. When I try to extract the "relevant" log entries, many of them don't contain the domain name that appears in the browser's address bar. Can I just assume these log entries are extra, and ignore them?//** \\ __No__! What appears in a browser as just one webpage is almost always composed internally of many parts, and each part generates a separate log entry. As only the browser knows what the "base page" is, the domain name in the browser's address bar won't appear anywhere in many of the relevant DansGuardian log entries (even though they're all really part of the same webpage). Often it's a problem with one of these parts from some other site that causes a base webpage to display incorrectly. To be effective, your troubleshooting must attend to these seemingly extraneous parts too.
 +
 +**//Installation#33. Phrases containing accented/special characters appear to never match against web pages using the UTF-8 encoding (even though I've taken care to correctly allow for both language and encoding). What else can I try?//** \\ If your phrases include accented/special characters and web pages you typically access use the UTF-8 encoding, you //might// need to either specify a Latin1-style character encoding for the environment of the DansGuardian process itself, or specify //preservecase=2// in //dansguardian.conf//. (Although it's difficult to make much sense of this, experience indicates these changes do solve the possible problem.)
 +
==== Configuration/Usage FAQ ==== ==== Configuration/Usage FAQ ====
Line 914: Line 934:
**//Usage#12b. Should I treat adjustments I have to make to the DansGuardian configuration as "bugs"?//** \\ Not usually. The DansGuardian "default" configuration is __not__ a fixed canned configuration (it's more of a "starting point"). Some tweaking of the DansGuardian "default" configuration to better match your local usage patterns and policies is expected. **//Usage#12b. Should I treat adjustments I have to make to the DansGuardian configuration as "bugs"?//** \\ Not usually. The DansGuardian "default" configuration is __not__ a fixed canned configuration (it's more of a "starting point"). Some tweaking of the DansGuardian "default" configuration to better match your local usage patterns and policies is expected.
-**//Usage#13. DansGuardian doesn't work the way I want it to on my IPCop system.//** \\ Although the Cop+ that runs on the IPCop distribution is derived from DansGuardian+**//Usage#13. DansGuardian doesn't work the way I want it to on my IPCop system.//** \\ The Cop+ Web interface that controls DansGuardian gives you limited ability to edit Dansguardian Configuration files. The configuration files are all in /etc/dansguardian/ and subdirectories. You can edit the configuration files directly with vi from the command line or using WinSCP from a windows workstation. **Care Must be taken to keep the files owned by "nobody" or the Web interface will not be able to edit them anymore.** 
-the configuration tools are specific to Cop+ and are quite different from those used by vanilla DansGuardian.  +For help with Cop+, try [[http://home.earthlink.net/~copplus/dghelp.html]].
-For help with Cop+, try [[http://copfilter.endlich-mail.de/]].+
**//Usage#14. DansGuardian doesn't work the way I want it to on my SmoothWall Express or SmoothWall system.//** \\ For help with the homebrew DansGuardian package for SmoothWall Express, **//Usage#14. DansGuardian doesn't work the way I want it to on my SmoothWall Express or SmoothWall system.//** \\ For help with the homebrew DansGuardian package for SmoothWall Express,