From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Michael French"
Subject: Re: iptables mangling rule
Date: Sun, 1 Jun 2003 03:03:31 -0700
Sender: linux-admin-owner@vger.kernel.org
Message-ID: <000b01c32825$0ecb95b0$0300a8c0@savvis.ad.savvis.net>
References: <1054397900.5715.2.camel@localhost.localdomain> <16089.31596.53200.837683@cerise.nosuchdomain.co.uk>
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Return-path:
List-Id:
Content-Type: text/plain; charset="us-ascii"
To: linux-admin@vger.kernel.org

Glynn's right, it's almost impossible to filter out all of the "undesirable"
content.

Another issue to consider is the legal issue. By attempting to filter content,
the school is accepting the responsibility of censoring and in doing so, can be
held liable for what content does get through. Also, organizations such as the
ACLU have fought several of these cases in court against libraries for doing
the same thing, stating that the libraries are going against the First
Amendment with such censorship. You might be setting up the school for legal
action from the other side too.

The best thing for a school to do is to have a strict usage policy that is
clearly posted and to have the computers in a publicly viewable location.

I am not a lawyer, but just wanted to insert my $0.02. Googling the subject
might help; here is one link:
http://lrs.ed.uiuc.edu/wp/censorship/filtering/individual.htm

Michael French

----- Original Message -----
From: "Glynn Clements"
To:
Cc:
Sent: Saturday, May 31, 2003 9:05 PM
Subject: Re: iptables mangling rule

>
> David Eduardo Gomez Noguera wrote:
>
> > In a school, they want to set up a firewall that should filter porn sites
> > and the like.
> > Anyone can give me a hand there?
> >
> > The solution I thought about was setting up a proxy, and using the proxy
> > to filter some sites.
> > However, I couldn't think how to use iptables to force every connection
> > with destination port 80 to go to the proxy.
>
> You can run an HTTP server on any port, not just port 80. Servers
> whose content is particularly likely to be blocked often run on ports
> other than 80.
>
> If you want filtering to be effective, you have to block all direct
> connections, so that everything has to go through an application-layer
> proxy.
>
> Even then, content-based filtering is notoriously unreliable. Not only
> will a substantial proportion of "undesirable" sites still be
> accessible, you will also end up blocking a significant number of
> legitimate sites.
>
> --
> Glynn Clements
> -
> To unsubscribe from this list: send the line "unsubscribe linux-admin" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
>
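The two technical points in the thread, the iptables redirect David asked for and Glynn's requirement that direct connections be blocked so nothing bypasses the proxy, as an added example that is not from the thread or from any of its authors. It is a small POSIX shell script; the LAN interface (eth1), the proxy listening on the firewall itself at TCP port 3128, and a caching resolver on the firewall are all assumptions constructed for the example. With DRY_RUN=1 (the default) it prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not part of the original thread: enforce an HTTP proxy with iptables.
# Assumptions (constructed for this example): the firewall routes for the LAN on
# interface eth1, a filtering proxy (e.g. squid) listens on the firewall itself at
# TCP port 3128, and a caching DNS resolver also runs on the firewall. The FORWARD
# and INPUT chains are assumed to be otherwise empty, since rules are appended.
# DRY_RUN=1 (the default) prints the rules; run with DRY_RUN=0 as root to apply.

LAN_IF="${LAN_IF:-eth1}"
PROXY_PORT="${PROXY_PORT:-3128}"
DRY_RUN="${DRY_RUN:-1}"

# ipt: run one iptables command, or print it in dry-run mode
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# redirect_http: transparently send LAN clients' port-80 connections to the proxy.
# This is the part the question asked for; on its own it only catches port 80.
redirect_http() {
    ipt -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$PROXY_PORT"
}

# block_direct: Glynn's point. Servers on other ports bypass the redirect, so
# refuse to forward anything from the LAN. Clients can still reach the proxy
# and the resolver on the firewall (INPUT chain); the proxy's own outbound
# connections leave via the OUTPUT chain, which these rules do not touch.
block_direct() {
    # LAN -> proxy (via the REDIRECT above, or an explicit proxy setting)
    ipt -A INPUT -i "$LAN_IF" -p tcp --dport "$PROXY_PORT" -j ACCEPT
    # LAN -> local resolver, so clients can still look up names
    ipt -A INPUT -i "$LAN_IF" -p udp --dport 53 -j ACCEPT
    # everything else the LAN tries to send through the firewall is dropped
    ipt -A FORWARD -i "$LAN_IF" -j DROP
}

# rule_count: number of iptables commands the two functions emit (dry-run only)
rule_count() {
    ( DRY_RUN=1; redirect_http; block_direct ) | grep -c '^iptables '
}

redirect_http
block_direct
```

The REDIRECT rule alone is the "mangling rule" David was looking for, but it only answers half the question: a server on port 8080 is simply forwarded as-is. The FORWARD DROP is what makes the proxy mandatory, and it means traffic to any port other than 80 reaches the proxy only if the browsers are configured to use it explicitly. Neither rule changes Glynn's last point: the proxy still has to decide what to block, and that decision is where the unreliability lives.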