How does one make an exception?

Asked by William Fishburne

I'd like to fully filter one account and have another with unfettered access. How do I do that?

It looks like I need to set up a second filter group in dansguardian, but I'm not clear on whether that should be done within dansguardian directly, or if it should be done through the GUI. If it should be done through the GUI, I'm wholly unclear how to set that up.

Question information

Language: English
Status: Solved
For: WebContentControl
Assignee: No assignee
Solved by: William Fishburne

KIAaze (zohn-joidberg) said :
#1

It should be done within dansguardian directly.
The group things in the GUI are currently only for program execution control.
You can of course open the dansguardian files for editing using the GUI.

I am very busy at the moment, so I probably won't be able to help you that much, but this is a recurring question and I put up some links for it in the FAQ here:
http://ubuntuforums.org/showthread.php?t=843510

===
Is user-specific configuration possible?
Not yet. But you can do it manually.
It requires setting up some authentication method (so that dansguardian can identify the user).
I managed to do it using squid (webcontentcontrol uses tinyproxy instead):
http://tech.groups.yahoo.com/group/dansguardian/message/22651
See here for more info:
http://contentfilter.futuragts.com/wiki/doku.php?id=user_identification_methods
http://contentfilter.futuragts.com/wiki/doku.php?id=group_configuration
===

William Fishburne (bfishburne) said :
#2

Thank you for your reply, I've found a way to do it.

In short, tinyproxy does not allow this (squid, which is a much more capable, complex proxy, but is not provided with or integrated with webcontentcontrol, can identify individual users. So, if you plan to use webcontentcontrol to manage a small network--this is nontrivial--then squid is probably a better choice). Dansguardian assumes that there is some method of identifying the user. Since the "parental control" is really intended to be run by a parent on a single computer (this is the only reason that tinyproxy makes ANY sense) and tinyproxy does not really have any method to authenticate a user, trying to configure this kind of thing within Dansguardian is impossible (you can ignore any documentation you may find about being able to do it because Dansguardian assumes that the proxy is going to resolve the user).

The way to do it is to create an exception in Firehol. Firehol is basically a way of keeping the IP Tables (in layman's terms this is the way that a computer figures out where to send data coming in over the network--the world wide web) persistent from one restart to another. By putting an entry in the Firehol configuration file (/etc/firehol/firehol.conf) it is possible to set up particular users who should not work through Dansguardian.

The exact line that needs to go into the firehol configuration file is rather long but not complicated. Suppose that you wanted to allow the user "dad" to bypass the entire filtering system. To do that you would insert the following in the firehol.conf file directly before the line that has "dansguardian" in it:

iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner dad -j ACCEPT

Here is what that line means:

iptables -- This is a command that messes with the IP Tables in your computer
-t nat -- This switch says that the command refers to the current computer
-A OUTPUT -- This switch says that the command is going to mess with the OUTPUT subtable
-p tcp -- This switch says that the protocol involved is tcp (this is the standard messaging format on the internet)
--dport 80 -- This switch says that we are going to look at port 80, which is the port used by browsers like Firefox and Chrome
-m owner -- This switch says that we are going to look at the person who is running the browser
--uid-owner dad -- This switch says that we are concerned with the user "dad"
-j ACCEPT -- This switch says that anything this user does on this port should automatically move to the ACCEPT subtable

If I can find some time, I'll send you a patch to your application that allows someone to identify a user as "exempt" or "remove exempt" and calls a shell script to update firehol.conf.
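
The "exempt" / "remove exempt" shell script mentioned at the end of reply #2 could look like the following. This is an added example, not code from the thread or from webcontentcontrol; the function names are hypothetical, and it assumes firehol.conf already contains the line with "dansguardian" in it. Because firehol.conf is executed as a shell script by root, the user name is validated before it is written into the file.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of webcontentcontrol.
# firehol.conf is run as a shell script by root, so the user name is
# validated strictly before anything is written into it.
LC_ALL=C; export LC_ALL

rule_for() {
    printf 'iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner %s -j ACCEPT\n' "$1"
}

valid_user() {
    case "$1" in
        ''|[!a-z_]*|*[!a-z0-9_-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# exempt_user CONF USER: insert the rule directly before the first line
# containing "dansguardian". Idempotent; fails if no such line exists.
exempt_user() {
    conf=$1; user=$2
    valid_user "$user" || { echo "invalid user name" >&2; return 2; }
    rule=$(rule_for "$user")
    grep -qxF -- "$rule" "$conf" && return 0
    grep -q 'dansguardian' "$conf" || { echo "no dansguardian line in $conf" >&2; return 3; }
    tmp=$(mktemp "$conf.XXXXXX") || return 1
    # cat instead of mv keeps the owner and mode of the original file
    awk -v rule="$rule" '!done && /dansguardian/ { print rule; done = 1 } { print }' \
        "$conf" > "$tmp" && cat "$tmp" > "$conf"
    rc=$?; rm -f "$tmp"; return $rc
}

# unexempt_user CONF USER: remove exactly that rule line and nothing else.
unexempt_user() {
    conf=$1; user=$2
    valid_user "$user" || { echo "invalid user name" >&2; return 2; }
    rule=$(rule_for "$user")
    tmp=$(mktemp "$conf.XXXXXX") || return 1
    grep -vxF -- "$rule" "$conf" > "$tmp" || [ $? -eq 1 ] || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$conf"
    rc=$?; rm -f "$tmp"; return $rc
}
```

The owner match applies only to traffic generated on the machine itself by that account, and only on port 80; the account must exist when FireHOL loads the file.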