Setting up Dansguardian

  1. Install the squid and dansguardian packages.

apt-get install dansguardian squid
  1. Edit /etc/dansguardian/dansguardian.conf file and remove the line that says "UNCONFIGURED".
  2. Start the dansguardian daemon.
  3. Make sure any shorewall rules allow connections from your local network to your firewall's port 8080.
  4. Open up your client's browser and go to the proxy settings page:
  5. Mozilla Firefox (edit -> preferences -> "Advanced" tab -> "Network" Tab > "Settings" button)

  6. Internet Explorer (tools -> options -> ......)

Now, set it to manual proxy, with all protocols the same proxy. In the appropriate box, type the firewall's IP address. If it is on the same machine, use (localhost). Then, type 8080 in the port box.

  1. Try to connect to to verify you can still connect to the internet.
  2. Finally, check that the filter is working by checking that the network traffic is being logged. Open the file /var/log/dansguardian/access.log.

cat /var/log/dansguardian/access.log
  1. Also, try going to known Windows attack sites such as or After ignoring a warning in firefox, the page should fail to load with the error "The requested URL could not be retrieved"

There should be an entry there saying If the file doesn't exist, something isn't set up right.

By default, Dansguardian will filter at an elementary school level for any web traffic requested from it. You can also configure the files /etc/dansguardian/dansguardian.conf and /etc/dansguardian/dansguardianf1.conf to better suit your needs.

Making It All Transparent:


  1. Find the following lines in your /etc/squid/squid.conf file:
    1. Around line 2185, find:

#httpd_accel_port 80

httpd_accel_host virtual
httpd_accel_port 80
  1. Around line 2215, find:

#httpd_accel_with_proxy off

httpd_accel_with_proxy on
  1. Around line 2235, find:

#httpd_accel_uses_host_header off

httpd_accel_uses_host_header on
  1. Restart your the squid daemon.
  2. Add the following lines to shorewall's /etc/shorewall/rules file:

REDIRECT  loc        8080     tcp      www
  1. Restart the shorewall daemon to have the new rule take effect.
  2. As above, check that dansguardian is working

CategoryNetwork CategorySoftware