Gentoo Wiki


This article is still a Stub. You can help Gentoo-Wiki by expanding it.

Please format this article according to the guidelines and Wikification suggestions, then remove this notice {{Wikify}} from the article



DansGuardian is a content based Web site filter. It allows you to monitor the Web sites your users visit, or block access to Web sites that you deem inappropriate.

This article will walk you through the installation and configuration process of DansGuardian.

How does it work?

A user agent, or browser, sends a request to a server and that server responds with the requested data, provided that it's a valid request. DansGuardian becomes the man-in-the-middle. So, the request is now sent by the user agent to a proxy, the proxy fetches the page, and DansGuardian checks the content to see if it matches any of the rules you have set up. If it does not match a rule, it gets sent along to the user agent.

DansGuardian is not a proxy itself. Instead, it relies on an external daemon to handle the process of fetching pages. DansGuardian is programmed with the intention of utilizing Squid as the proxy, but other proxy servers may be used instead. You will find on their Web site that it mentions Oops! is also compatible. They also mention that any HTTP and/or proxy daemon should work as well.


This part is easy thanks to the Gentoo way of doing things. This guide will use Squid because it is the proxy recommended by the developers of DansGuardian. As mentioned before, however, you should be able to use any proxy you wish.

# emerge -av squid dansguardian

Also, you will probably want DansGuardian and Squid to start at boot. You should do this now so you do not forget about it.

 # rc-update add squid default
 # rc-update add dansguardian default



Configuring Squid is outside the scope of this article. However, there is a separate article that details out the process: HOWTO Setup a Home Server - Squid

The default for DansGuardian to listen on is 8080 and the default for squid is 3128

So the sequence is

if the LAN has address 192.168.0.x then you need an ACL in the squid configuration like this

File: /etc/squid/squid.conf
 acl our_networks src
 http_access allow our_networks
 http_access allow localhost

if you want transparent proxying (ie shorewall or your firewall does it and you dont have to go around configuring each client browser separately then add transparent to the line


and add the redirect to the shorewall rules file, and then restart shorewall

File: /etc/shorewall/rules
REDIRECT        loc     8080    tcp     www

For iptables this would be

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080

The REDIRECT is important (instead of for example DNAT), if you want to log source IPs (then you should also set anonymizelogs = off in /etc/dansguardian/dansguardian.conf).

File: /etc/squid/squid.conf
http_port transparent
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl apache rep_header Server ^Apache
broken_vary_encoding allow apache
access_log /var/log/squid/access.log squid
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern .               0       20%     4320
acl all src
acl manager proto cache_object
acl localhost src
acl to_localhost dst
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl Safe_ports port 901         # SWAT
acl purge method PURGE
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl our_networks src
http_access allow our_networks
http_access allow localhost
http_reply_access allow all
icp_access allow all
forwarded_for off
coredump_dir /var/cache/squid

File: /etc/dansguardian/dansguardian.conf
reportinglevel = 3
languagedir = '/etc/dansguardian/languages'
language = 'ukenglish'
loglevel = 3
logexceptionhits = on
logfileformat = 1
filterip =
filterport = 8080
proxyip =
proxyport = 3128
accessdeniedaddress = 'http://YOURSERVER.YOURDOMAIN/cgi-bin/'
nonstandarddelimiter = on
usecustombannedimage = 1
custombannedimagefile = '/etc/dansguardian/transparent1x1.gif'
filtergroups = 1
filtergroupslist = '/etc/dansguardian/filtergroupslist'
bannediplist = '/etc/dansguardian/bannediplist'
exceptioniplist = '/etc/dansguardian/exceptioniplist'
banneduserlist = '/etc/dansguardian/banneduserlist'
exceptionuserlist = '/etc/dansguardian/exceptionuserlist'
showweightedfound = on
weightedphrasemode = 2
urlcachenumber = 1000
urlcacheage = 900
phrasefiltermode = 2
preservecase = 0
hexdecodecontent = 0
forcequicksearch = 0
reverseaddresslookups = off
reverseclientiplookups = off
createlistcachefiles = on
maxuploadsize = -1
maxcontentfiltersize = 256
usernameidmethodproxyauth = on
usernameidmethodntlm = off # **NOT IMPLEMENTED**
usernameidmethodident = off
preemptivebanning = on
forwardedfor = on
usexforwardedfor = off
logconnectionhandlingerrors = on
maxchildren = 120
minchildren = 8
minsparechildren = 4
preforkchildren = 6
maxsparechildren = 32
maxagechildren = 500
ipcfilename = '/tmp/.dguardianipc'
urlipcfilename = '/tmp/.dguardianurlipc'
nodaemon = off
nologger = off
softrestart = off

To test the setup log into your server and then watch the log files whilst your client access webpages


tail -f /var/log/dansguardian/access.log
tail -f /var/log/squid.access.log

If you get this sort of thing tailing the dansguardian/access.log

Code: tail -f /var/log/dansguardian/access.log
2007.8.26 15:23:52 -  GET 8656
2007.8.26 15:23:54 -  GET 10453
2007.8.26 15:23:55 -  GET 9461
2007.8.26 15:24:11 -  CONNECT 1417
2007.8.26 15:24:14 -  CONNECT 1409
2007.8.26 15:24:21 -  CONNECT 1417
2007.8.26 15:24:28 -  CONNECT 1415
2007.8.26 15:24:40 -  GET 2333
2007.8.26 15:24:49 -  GET 5335
2007.8.26 15:24:56 -  GET 2084

then you need to block internet access to the ports you have DG (and squid) running on

File: /etc/shorewall/rules
DROP            net     $FW             tcp     8080
DROP            net     $FW             tcp     3128

to make the requesting IP address appear in the Squid logs you need to add follow_x_forwarded_for in both programs.

File: /etc/dansguardian/dansguardian.conf

Forwardedfor = onUsexforwardedfor = on

File: /etc/squid/squid.conf

Acl_uses_indirect_client onFollow_x_forwarded_for allow all

White Listing

If you want to ban everything except a particular list, then uncomment the "blanket block" line in the bannedsitelist - i.e. put "**" on a line, on its own, without quotes. Then, list the sites you want to allow in either the greysitelist, if you want content filtering to happen, or the exceptionsitelist if you just want it to be always allowed.

Retrieved from ""

Last modified: Mon, 08 Sep 2008 05:15:00 +0000 Hits: 7,421