Looking for suggestions for an internet content filteringappliance

khatfield at socllc.net khatfield at socllc.net
Mon Aug 23 19:46:59 UTC 2010

(Excuse me if I missed part of the email chain. This may have already been mentioned)

It could be a bit of an annoyance for configuration but the one method you could use is to force a proxy internally.

I am a bit unsure why most don't do this already but it has it's flaws.
1) Lack of static/dynamic IP's
2) More work for tracking
3) Management of additional infrastructure

However, you could force a proxy and run it inhouse, like squid or some other type.

This would give you some advantages:
1) Content caching - increasing speeds for users while decreasing your overall bandwidth utilization.
2) Increased security for filtering out malware/virii.

Now that is more of a sledgehammer approach and I am not sure I would highly recommend it.

A better solution which will not work for the more advanced users but it will likely work for the majority, which is to work with a provider like OpenDNS for your dns resolution. They have an easily configurable filtering system which you can apply to your users. This would allow you to block specific content and/or generalized content like (hardcore porn vs educational nudity)

This is a better approach. Otherwise, you are likely going to cause real issues with people doing homework or webmd searches, for example.

There is not a foolproof method when trying to blanket an entire provider but this would get you closer and it is likely going to be more accurate than keyword blocking/proxy blocking.

Best of luck.
-----Original Message-----
From: Jeroen Massar <jeroen at unfix.org>
Date: Mon, 23 Aug 2010 21:15:38 
To: <frnkblk at iname.com>
Cc: <nanog at nanog.org>
Subject: Re: Looking for suggestions for an internet content filtering

On 2010-08-23 20:52, Frank Bulk - iName.com wrote:
> We offer an optional internet content filtering service to our residential
> and business customers using M86's appliance
> (http://www.m86security.com/products/web_security/m86-web-filtering-reportin
> g-suite.asp).  
> I've been in conversation with them since Q1 regards IPv6 support, but the
> update I received today was that IPv6 support won't be available until
> middle to late next year.  That's not ideal, because the local college is a
> significant user and they started with IPv6 this summer.  College students
> can easily bypass content filtering by using the IPv6 version of the site
> (i.e. http://www.playboy.com.sixxs.org)

Emmm.. if they can use that to circumvent your filter don't you think
those same people won't be able to find out about other proxy servers,
it is not like the internet is not filled with them or anything.

Please note to yourself that you are fighting a lost cause as there are
more locations on the Internet that are annoying for the policy than you
can list, thus one of the very few ways to make it very hard to 'filter'
is to only allow approved sites, and with 'approve' I mean fetch the URL
on a controlled machine, scrub it and pass it back, as the moment
somebody can have a host on the outside and can send a few bits to it
and get an answer back they are outside, if you like it or not.

That said, there are loads of free HTTP proxies, anonymizers and other
such tools and most of them are not caught by your filtering toy anyway.

But indeed, it is a bad thing that they are unable to update their
little box to do IPv6, there really is not that much different there.

   (Who could block stuff on the above URL actually, but except for
    silly people trying to run torrents over it which does not work but
    which do hammer those boxes nothing gets blocked [CP is the except])

More information about the NANOG mailing list