
Installing RouterOS on WatchGuard Firebox x1250e – With Hardware Mods!

When I set out to find a budget 1U rack-mounted firewall to install RouterOS on, I discovered the WatchGuard Firebox. I have zero experience using WatchGuard products, but I discovered there is quite a following for this hardware platform, with discussion on pfSense-related websites, blogs and forums of various methods of modifying these Firebox units, including manipulating the BIOS and adding VGA outputs, keyboard inputs, and hard disks. I figured this looks like fun, so what the heck. I ordered a WatchGuard Firebox x1250e off eBay for around $100. The good news is that you won't need to haggle with any of that nonsense the pfSense crowd has to deal with in order to get this working.

I googled around a bit to find out as much as I could about the procedures and whether anybody else had any success at doing what I was about to attempt. I could find very little related to Mikrotik RouterOS being installed on WatchGuard Firebox units. Besides a few posts from a decade ago on Mikrotik's forums about a few guys who got it to work back in the day, there was nothing. Which is precisely why I am writing this article, so that the next person who's googling will find this article and know that the answer is YES, you can do it, and YES, it's very easy.


The unit arrived with a bad power supply, which I had to order a replacement for, but once I had the replacement power supply installed, I quickly got the unit up and began testing it. I wasn't able to log in to the web interface due to some custom configuration the previous owner had done. Even after performing a factory reset, following the procedures on WatchGuard's website, the damn thing still had somebody's configuration loading, presumably from a configuration somewhere on the CF card.

So, I simply loaded up Mikrotik’s Netinstall software from within Windows and installed RouterOS directly to the stock 512mb CF Card that shipped with the Firebox x1250e.

I placed the CF card, which now had RouterOS on it, back into the Firebox x1250e, turned it on, and waited a bit. The unit seemed not to be doing anything and I began to become concerned, but then I observed that the hard disk LED indicator light on the front of the Firebox x1250e was pegged solid, flickering occasionally, indicating to me that the magic was happening.

I decided to remain patient and leave it alone, and I'm glad that I did. After waiting about 10 minutes in total, and hearing a system beep at the end of each boot up, I concluded that it took about 2-4 reboots for RouterOS to configure itself before it was finished installing and setting up. (It boots REALLY fast after completing the install, as a matter of fact.)

RouterOS x86 was finally installed on my unmodified WatchGuard Firebox x1250e. I then proceeded to install the optional LCD software package, which can be downloaded from RouterOS.com. After tinkering around a bit, I discovered there is a selection of different LCD types within the LCD package menu; the vitek-vc2025-2 was the option that worked for the x1250e unit that I had. It just worked, like a charm. Good job Mikrotik!

Next, I purchased an x86 Level 4 RouterOS license from Roc-Noc and I am extremely happy with the outcome. And just a heads up to new customers: you will need to wait a while for RocNoc to email you your license, but don't worry, they will, and if you are impatient like me, just email them and a rep will send you your license relatively quickly.

Next, I proceeded to set up firewall rules and schedule the automatic DNS Ads and Malicious blacklist updates from Squidblacklist.org. I have also decided to order a replacement LCD to upgrade the ugly yellow display.

DNS filtering with Firebox x1250e & Mikrotik RouterOS:

DNS Blacklisting is a snap with blacklists from Squidblacklist.org

As you can see in the image above, I have easily imported three DNS blacklists from Squidblacklist.org so that I can filter some unwanted content. I selected three categories, Ads, Malicious, and “CP”. Over 107,643 domain names are now blacklisted in our DNS server and will not resolve.

The impact of this many entries is that we now have consumed approx 600mb of system memory, and minimal hd or cpu usage. DNS Response times are as fast as they can be, and the system performance is rock solid. I have scheduled daily updates for these blacklists as well, using system scheduler.

Booting the router takes considerably longer, due primarily to the poor IO bandwidth of the CF card while the OS loads up the DNS server with thousands of static entries. Once it is up and running, however, it's done. After RouterOS boots completely, there is a 5 minute additional waiting period of heavy CPU usage before the DNS server will begin responding to DNS queries. I recommend installing a mini PCI-e SSD, the same type found in laptops. This would most certainly alleviate the issue with the CF card read/write IO.


April 3 2017: Upgrades arrive.

Memory and CPU Upgrades for Firebox x1250e

Ok, so the above mentioned parts are here. I was eager to update the blog post, however, I still have to wait until after midnight, after everybody goes to sleep, before I interrupt service to pull the unit out of the rack and get the Firebox x1250e upgraded. Otherwise I will never hear the endless complaints about the outage.

x1250e Memory Upgrade – 2x 1GB DDR2 6400

Installing the memory should be a snap. I suspect the unit may support larger modules, so I will test a single 2GB module I happen to have here in the lab during the procedure. If it works, I will order a second matching stick and get the unit maxed at 4GB. The documentation says the unit only supports a maximum of 1GB per slot, which I doubt is accurate. There's only one way to find out. (I'll edit this section of the article after I find out.)

Update: Maximum Memory Determined.
I have tested two 2GB sticks of DDR2 PC-6400 in the Firebox x1250e, and I have concluded that the maximum installable memory in the Firebox model x1250e is 2GB. Which is a bit annoying, because the unit does post up with a single 2GB stick in either slot, but when I tried to place both sticks in at the same time, the unit simply wouldn't post at all. So I decided to reinstall both 1GB sticks and I'm actually satisfied with that. For my own use as a gateway, I'm not even consuming half of that yet.

Firebox x1250e CPU Upgrade – Pentium M 780 SL7VB

It seemed like it took forever to get the CPU from Shenzhen, China. But it's here, a Pentium M 780 2.26ghz/2M/533. No speed demon by today's standards, but it's certainly twice as much CPU power as the 1.3ghz Celeron that shipped with the unit and will effectively max the CPU out. There is no faster CPU made for this hardware architecture without getting into some insane overclocking voodoo.


Upgrading the Firebox x1250e CPU:
Firebox x1250e CPU Jumpers

There are some jumpers on the motherboard which must be switched. It is clearly indicated on the motherboard which dip switches must be flipped for a Dothan or a Banias core CPU. Now, the Celeron that shipped with the unit is a Banias core, and the Pentium M 780 is a Dothan core. So I set the switches appropriately as indicated on the diagram and booted up, eagerly anticipating 2.2ghz.

CPU isn't running at full speed.

Problems with the Pentium M 780
RouterOS reports that the Pentium M 780 CPU is running at 1700mhz, when it should be running at its rated speed of 2.26ghz. So I scratched my head, thought for a moment and got to work. I shut down the unit and began playing around with the dip switches to see if I could get it to post up at the right speeds with some sort of magical, undocumented combination of dip switch settings, like we old timers used to do back in the socket 7 era with Pentium and K6 chips.

After exhausting every possible combination of dip switch settings, I determined that I could not. After a dozen frustrating reboots, exhausting every possible combination of different dip settings, and waiting each time, I finally just set it as directed on the motherboard diagram for a Dothan core, put it back in the rack and fired it up. This Firebox x1250e was apparently going to run at 1700mhz whether I liked it or not.

I can only assume one of two possibilities. This motherboard may not support the 533fsb of the Pentium M 780 and the guy who discussed using a 533fsb CPU upgrade in this unit on the pfSense forum was full of crap. It is entirely possible that the BIOS needs to be updated because it simply doesn't have the microcodes for this CPU, and it just doesn't know what to do with it. The Pentium M 780 has a 17x multiplier, and that would explain why it's running at 1700mhz (Quad Rate DDR 4x 100mhz x 17 Multiplier = 1700mhz).

Upgrading the BIOS on this mainboard isn't going to be as simple as it would be if it were a desktop motherboard. So I am going to abandon the Pentium M 780 and instead, I'm going to order another CPU, one with a 400mhz fsb. The new CPU should be cheap and easy to find. The fastest 400mhz bus Pentium M made, according to this chart on Wikipedia, is a Pentium M 765 (SL7UZ or SL7V3) 2.1GHz/2MB/400. And I just purchased the Pentium M 760, which was a mistake because it too is a 533mhz part. I have ordered a third CPU, a Pentium M 755, which is indeed a 2.0ghz/2mb/400mhz part and should arrive next week some time. I'll update the blog as soon as I have it installed.

CF Card IO Performance
The IO bandwidth of the CF card that ships with the Firebox x1250e is rather limiting, which isn't much of an issue if you are just using it as a router, until you begin working with large blacklists or other large data files. So one might imagine that the Firebox x1250e could perform quite a bit smoother using an SSD rather than a CF card.

x1250e has a 4x pci-e slot

Fortunately, there appears to be a normal looking 4x PCI-e slot near the CF card slot, within which we should be able to have an SSD installed. I have no doubt that the system would be more snappy, reliable, and faster to boot, and, especially in our specific deployment, the x1250e would load blacklists considerably faster with an SSD installed.

In 2017 I imagine it should be relatively easy to locate, obtain, and install a ribbon extension for the PCI-e slot and add a small SSD for next to nothing, with a little creative placement of the hardware. I look forward to performing this modification in the future and will update this blog post as soon as I have some related content.

Audio Anomaly:
This is a bit trivial, but noteworthy nonetheless: an amusing script that produces a ‘Star Wars Imperial March’ jingle from the system speaker doesn't sound like it should on an actual Mikrotik Routerboard. It does play. But it doesn't sound quite right at all.

LCD has Arrived:

A New Firebox x1250e LCD Upgrade

Ok so the replacement ‘5V 20×2 Character LCD Module’ has arrived.

Just got done soldering in the replacement LCD and I wasn't sure what to expect, but after a few seconds, as you can see, it went well.


And a dark shot showing the glorious end product safely running in production under lock and key.

To be continued….

Want to filter unwanted websites with a WatchGuard Firebox or a RouterOS Device?


Subscribe and download all of our blacklists.

Flat rate subscription. For full access to all of our works, select a membership option & subscribe today.






  • You will be issued a username and password.
  • You will be granted access to our member area.
  • 5 Year Membership Option now available.
  • For lifetime membership options click here.
  • Contact us if you would like a pre order invoice.

Disclaimer: All sales are final, we do not issue refunds. Cancel your subscription anytime.


Something smells funny at urlblacklist.com

Competition is great, it drives innovation and gives companies the incentive to improve and the drive needed to continue to improve services and products. And in the spirit of competition sometimes a little dirt gets slung. But it isn’t only serving our personal interests to outline the failures of one of our competitors today. In this case, I believe that it is in fact doing the public a service. And by this I mean spreading awareness, to warn unsuspecting customers of what they are spending their money on, and of course, to convince you, with a little sound reasoning, to purchase our services instead of the competition.

There aren’t many suppliers of domain blacklist data for web filtering platforms and applications, this is one of the primary motivating reasons why we created Squidblacklist.org in 2012. We knew it could be done better. There are however a small handful of other providers remaining. One of these websites is urlblacklist.com, and it is them whom we have chosen to single out for scrutiny in this blog post.

In summary, Urlblacklist.com is a horrible service provider, one whose website was recently down for over 3 months in the 2016 calendar year. As a provider of services to paying clients, this is simply a disgrace. We have been monitoring urlblacklist.com, watched multiple outages, and we know that their domain name changed hands recently, something they did not announce on their website, so we will do it for them, here.

The website urlblacklist.com was down for nearly an entire month in October 2016. Then, a second outage occurred that lasted nearly 2 months, beginning on or around Nov 10, lasting through until Dec 30, 2016. Further scrutiny reveals that in Nov of 2016, the owner of urlblacklist.com irresponsibly allowed his domain name to expire, which resulted in another 2 month long outage, in which another company took the opportunity to purchase the domain name, which is now registered under an entity named “Dr Guardian” who one can only assume has taken ownership and reopened the website, and is actively processing payments by unsuspecting customers.

They also do not make any mention of ownership changing hands anywhere on their website, a courtesy any respectable business would extend to its existing clients and the general public. Instead of even acknowledging the domain name ownership change, they choose to deceptively place blame for the outage on a billing issue with their registrar.

And I doubt if anybody knows who is really even operating the website. The owner has never responded to emails, doesn’t seem to care if his website goes down until months later, and I suggest that you should seriously consider switching to Squidblacklist.org if you are a current urlblacklist.com subscriber.

A brief visit to urlblacklist.com shows that the owner would like you to believe the second extended outage of 2016 was brief, a deception which is evident in a recent “news” message claiming that “over Christmas vacation” there was an outage, I guess Christmas vacation begins around Nov 10 and ends December 30th.

One can safely assume by looking at the ancient and truly awful web design of urlblacklist.com and then research its track record of unreliability, and make some general conclusions about its owner and or operators which are to say, generally not favorable at all. And this lack of integrity can also be found in the quality of their blacklists, or lack thereof, which is of course, what really matters.

Urlblacklist.com is an aging website. I would encourage you to use their lists, and monitor the daily changes, you will know first hand that nearly 60% of the domains in their blacklists do not even resolve, a good indicator that there is very poor technology behind the update processes going on behind the scenes. It becomes clear rather quickly that they are pushing old, recycled domain data by systematically removing a set number of domains and re-adding them back using some crude scripts or something, rotating this data in and out in a way which gives the customer the illusion that updates are taking place.

With manual additions and removals being performed occasionally presumably by human hands. Beyond this however, there is obviously zero innovation taking place at urlblacklist.com. Which is evidently run by an incompetent individual who is doing the world a disservice by continuing to accept payments for what is, in our opinion, hardly passable even as a purely free service.

Shalla and any other websites referring people to this website are also guilty of doing the general public a disservice by linking to urlblacklist.com because clearly anybody who has actually observed or used the lists from these people should come to the same conclusions that we have, and that is urlblacklist.com is an unreliable provider of services that needs to go away.

Also make note that shady clones of urlblacklist.com are also in existence, these domains are registered by totally different owners.
http://schwela.com is one of them.






Update: RouterOS and Large Static DNS Blacklists

We would like to extend a huge debt of gratitude for Mikrotik’s rapid and appropriate response to the issues we recently had related to a new updated version of RouterOS and changes that were made to the way the OS handles static DNS entries.

We were a bit surprised when we were forced to make changes to the format, and in doing so discovered that RouterOS needed some optimizations. Mikrotik software engineers were happy to work with us and rolled out an update to RouterOS that optimizes the import speed of large blacklists on Mikrotik RouterOS.

They also were generous and advised us on how to appropriately eliminate an issue we were having with our dns blacklist format. I would like to thank the members of the Mikrotik public forum for help getting the regex format corrected.

Thank you all!




Updates and Changes to Mikrotik RouterOS Blacklists

There have been some changes in the latest version of Mikrotik RouterOS, which meant we really had no choice but to make some minor changes, otherwise the old format simply would fail to work when you tried to load them into a current version of Mikrotik RouterOS ( version v6.37 or newer ).

It seems Mikrotik decided, for whatever reason, to change the way static dns entries are handled.

RouterOS DNS Static Entry Change – Side by Side Comparison

As you can see in the image above, the changes were significant enough to force us to make the changes. If you are having any issues loading our blacklists then you should update to the latest version of RouterOS as soon as possible.

We also decided that it would be best to add a single line to the headers included in each blacklist, to remove old entries before loading the new ones. Of course any knowledgeable admin would know to do this, but we felt it was something that should already be included in the blacklists for your convenience.

NEW FORMAT:

# TiK-DNS-Ads: Blacklist compiled by SquidBlacklist.org 10-01-2016. -MADE IN USA-
:log info "tik dns ads blacklist script import started"
:local redirectIP "127.0.0.1"
/ip dns static remove [find comment="sbl ads"]
/ip dns static
add regexp="^(.*\\.)\?004\\.frnl\\.de\$" address="$redirectIP" comment="sbl ads"
add regexp="^(.*\\.)\?01s\\.net\$" address="$redirectIP" comment="sbl ads"
add regexp="^(.*\\.)\?01viral\\.com\$" address="$redirectIP" comment="sbl ads"
add regexp="^(.*\\.)\?0427d7\\.se\$" address="$redirectIP" comment="sbl ads"
add regexp="^(.*\\.)\?0702\\.de\$" address="$redirectIP" comment="sbl ads"
add regexp="^(.*\\.)\?0ca\\.net\$" address="$redirectIP" comment="sbl ads"

I hope this will help to clarify for those of you who are scratching your heads about the sudden changes.
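An added example, not part of the original post and not Squidblacklist.org's own tooling: because a scheduled import runs whatever the downloaded file contains on the router, this sketch renders a plain domain list into the NEW FORMAT layout above and audits a downloaded script so that only lines of that documented shape pass. The function names are hypothetical, the sample lines are copied from the listing above, and the two rejected lines are constructed for the demonstration.

```python
import ipaddress
import re

# Lowercase ASCII hostnames only (assumption: the feed carries no IDN/Unicode names).
LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
DOMAIN_RE = re.compile(rf"{LABEL}(?:\.{LABEL})+")
COMMENT_RE = re.compile(r"[a-z0-9 ]+")
PREFIX, SUFFIX = r"^(.*\\.)\?", r"\$"  # as written inside the quoted regexp value

# Non-"add" lines the documented format contains: comment, log, local, remove, menu.
FIXED_RE = re.compile(
    r'#.*'
    r'|:log info "[\w .-]+"'
    r'|:local redirectIP "\d{1,3}(?:\.\d{1,3}){3}"'
    r'|/ip dns static(?: remove \[find comment="[a-z0-9 ]+"\])?'
)
ADD_SHAPE = re.compile(r'add regexp="(.*)" address="\$redirectIP" comment="(.*)"')


def to_routeros_regexp(domain):
    """Regexp value for one domain, escaped the way the import file writes it."""
    d = domain.strip().lower().rstrip(".")
    if len(d) > 253 or not DOMAIN_RE.fullmatch(d):
        raise ValueError(f"not a plain hostname: {domain!r}")
    # In a RouterOS string "\\" is one backslash; "\?" and "\$" are literal ? and $.
    return PREFIX + d.replace(".", r"\\.") + SUFFIX


def add_line(domain, comment):
    """One 'add' line; the comment tag is restricted so it cannot close the quotes."""
    if not COMMENT_RE.fullmatch(comment):
        raise ValueError(f"unsafe comment tag: {comment!r}")
    return (f'add regexp="{to_routeros_regexp(domain)}" '
            f'address="$redirectIP" comment="{comment}"')


def build_import_script(domains, comment="sbl ads", redirect_ip="127.0.0.1"):
    """Render a domain list into the NEW FORMAT layout, dropping duplicates."""
    ipaddress.IPv4Address(redirect_ip)  # raises ValueError on anything but an IPv4 address
    if not COMMENT_RE.fullmatch(comment):
        raise ValueError(f"unsafe comment tag: {comment!r}")
    lines = [
        ':log info "dns blacklist import started"',
        f':local redirectIP "{redirect_ip}"',
        f'/ip dns static remove [find comment="{comment}"]',
        "/ip dns static",
    ]
    seen = set()
    for dom in domains:
        line = add_line(dom, comment)
        if line not in seen:
            seen.add(line)
            lines.append(line)
    return "\n".join(lines) + "\n"


def audit_import_script(text):
    """Return [(line_number, line)] for every line outside the expected format."""
    rejected = []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or FIXED_RE.fullmatch(line):
            continue
        m = ADD_SHAPE.fullmatch(line)
        ok = False
        if m and m.group(1).startswith(PREFIX) and m.group(1).endswith(SUFFIX):
            domain = m.group(1)[len(PREFIX):-len(SUFFIX)].replace(r"\\.", ".")
            try:
                ok = add_line(domain, m.group(2)) == line  # must round-trip exactly
            except ValueError:
                ok = False
        if not ok:
            rejected.append((number, line))
    return rejected


# First seven lines of the listing above.
SAMPLE = r'''# TiK-DNS-Ads: Blacklist compiled by SquidBlacklist.org 10-01-2016. -MADE IN USA-
:log info "tik dns ads blacklist script import started"
:local redirectIP "127.0.0.1"
/ip dns static remove [find comment="sbl ads"]
/ip dns static
add regexp="^(.*\\.)\?004\\.frnl\\.de\$" address="$redirectIP" comment="sbl ads"
add regexp="^(.*\\.)\?01s\\.net\$" address="$redirectIP" comment="sbl ads"
'''
# Constructed: an unexpected command, then an "add" whose dot is not escaped.
TAMPERED = (SAMPLE
            + "/ip dns set servers=203.0.113.53\n"
            + r'add regexp="^(.*\\.)\?bad.example\$" address="$redirectIP" comment="sbl ads"'
            + "\n")

if __name__ == "__main__":
    print("clean sample rejected lines:", audit_import_script(SAMPLE))
    for number, line in audit_import_script(TAMPERED):
        print(f"line {number} rejected: {line}")
```

Run the audit on the fetched file before handing it to the router, and skip the import when the returned list is not empty.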

Thank you for your support.

Signed,

Benjamin E. Nichols
http://www.squidblacklist.org




Competitor website urlblacklist.com down for over a week.

urlblacklist.com not loading

Well, we hate to kick sand in the face of a competitor when they are down (actually no, we love it), but seriously, we have been receiving reports that they have been down for over a week now, and let's be honest, downtime is a sin, and an unforgivable one. Being a provider of critical web filtering services requires a high degree of commitment and entails a responsibility to those who depend on you to continuously produce quality updates on a timely basis, with nearly 100 percent uptime and adequate bandwidth, to ensure that you provide your clients', subscribers', and members' systems and applications with the level of reliability that is not only expected, but required in 2016 for such a service provider.

The good news is that we do know how to keep our website up and running, and now have available all of our blacklists compressed into a single archive, with identical directory structure for users of urlblacklist to switch to seamlessly. Squidblacklist.org is bringing to market an evolved blacklist generation method, enhanced filters and automated domain removal and addition tools, enforced whitewashing and more, with multiple updates daily and bleeding edge malicious updates from multiple sources and partners. We are here to raise the standard and serve you with a higher class of blacklist, and of course, we know how to keep a webserver running.

Sign up today and find out why Fortune 500 Companies, US DoD, Governments, Universities, and Municipalities worldwide are all using blacklists from Squidblacklist.org to enhance a wide range of web filtering applications and platforms.




Case Study – Web Filtering & Blacklist Quality Put To The Test.

Web filtering is an important consideration for any enterprise – it is one of the best-known and most efficient front line defenses against hacker attacks and malicious software. One of Squidblacklist.org customers was using a solution from another vendor which had reached end of life and needed to be replaced.

The system had not been performing to the customer’s satisfaction – it had proven difficult to manage, was not cost-effective, and its limited reporting capacity required an additional application to fill in the gaps in its functionality.

The client carried out an independent evaluation and selected two blacklist providers for deployment on separate Internet links to test the varying degrees of effective filtering. Filtering policies were created based on group membership rather than individual user rules as in the previous installation, and were integrated into Active Directory. This allowed existing support staff to grant Internet access by moving users into relevant Active Directory groups rather than modifying the proxy server configuration.

Improved Web Filtering Performance

Not only did the new Blacklists from Squidblacklist.org enhance the effective application of these appliances and the performance of web filtering for the customer, they also identified a number of websites which had previously been mistakenly blocked or, likewise, websites that should have been blocked but were not blocked at all. The client was thus able to advise the relevant organizations – which included their customers and partner organizations – that their web filtering solutions had been compromised by poor quality blacklists from websites like shalla “secure services” and urlblacklist. These issues were then easily resolved by converting to blacklists by Squidblacklist.org.

The enhanced blacklists also introduced Weaknetlabs Technology, which combines the best of conventional tools with new intelligent identification algorithms. ADR automatically tracks and adds or removes different domains, more effectively producing a higher class of blacklists than first generation blacklists from other providers. It also removes the inherent weaknesses in using human-only classification to give you the most up-to-date URL blocking and control.

The customer has since found that this new setup meets their requirements to an infinitely higher degree than their previous setup.




Study – Internet Filters Block Many Useful Sites


Teenagers who look to the Internet for health information as part of their “wired generation” birthright are blocked from many useful sites by antipornography filters that federal law requires in school and library computers, a new study has found.

The filtering programs tend to block references to sex and sex-related terms, like “safe sex,” “condoms,” “abortion,” “jock itch,” “gay” and “lesbian.” Although the software can be adjusted to allow access to most health-related Web sites, many schools and libraries ratchet up the software’s barriers to highest settings, the report said.

“A little bit of filtering is O.K., but more isn’t necessarily better,” said Vicky Rideout, vice president of the Henry J. Kaiser Family Foundation, which produced the report, to be published today in The Journal of the American Medical Association. “If they are set too high, they can be a serious obstacle to health information.”

The researchers found that filters set at the least restrictive level blocked an average of 1.4 percent of health sites; at the most restrictive level, filters blocked nearly 25 percent of health sites. The amount of pornography blocked, however, was fairly consistent: 87 percent at the least restrictive level, 91 percent at the most restrictive.

The programs blocked a much higher percentage of health sites devoted to safe-sex topics: 9 percent at the least restrictive level and 50 percent at the most restrictive. The blocked pages at high levels included The Journal of the American Medical Association’s site for women’s health and a page with online information from the Food and Drug Administration about clinical trials.

To the researchers, the results mean that a school or library that uses a less restrictive setting for Internet filters can lose very little of the protective effect of the filters, while minimizing the tendency of filters to block harmless and even valuable sites.

The report is the first major study of the effectiveness of filters to appear in a peer-reviewed scientific journal, and the first to look at the effectiveness of filters at various settings. Most previous studies have been produced by organizations with a strong point of view either favoring or opposing filters. The Kaiser Foundation is a nonprofit health research group. David Burt, an antipornography advocate who is a spokesman for the filtering company N2H2, said he was pleased with the report, which he called “very thoughtful and well designed — they recognized it matters a lot how you configure a filter and set it up.”

But opponents of filtering requirements said the study showed the technology’s clumsiness.

“Filters are just fine for parents to use at home,” said Judith F. Krug, director of the Office for Intellectual Freedom at the American Library Association. “They are not appropriate for institutions that might be the only place where kids can get this information.”

“The importance of the First Amendment,” Ms. Krug said, “is that it provides us with the ability to govern ourselves, because it guarantees that you have the right to access information. The filters undercut that ability.”

Nancy Willard, an Oregon educator who has written student guides that emphasize personal responsibility in Internet surfing, called filtering a kind of censorship that, if performed by the schools directly, would be unconstitutional.

“These filtering companies are protecting all information about what they are blocking as confidential trade secrets,” Ms. Willard said. “This is nothing more than stealth censorship.”

The study was conducted for the foundation by University of Michigan researchers, who tested six leading Internet filtering programs. The researchers searched for information on 24 health topics, including breast cancer and birth control, and also for pornographic terms. They performed the tests at each of three settings. At the least restrictive setting, only pornography is supposed to be blocked; an intermediate setting also bars sites with nudity and other controversial material like illicit drugs. The most restrictive setting possible for each product may block sites in dozens of other categories.

The researchers then called 20 school districts and library systems around the United States to ask how they set their filters. Of the school systems, which teach a half million students over all, only one set its filters at the least restrictive level.

The issue of library filtering is making its way through the federal courts. Last month the Supreme Court agreed to hear a Bush administration defense of the Children’s Internet Protection Act, the federal law requiring schools and libraries to use filters on computers used by children or to lose technology money. A special panel of the United States Court of Appeals for the Third Circuit, in Philadelphia, struck down part of the law that applied to libraries as unconstitutional. Chief Judge Edward R. Becker wrote that filters were a “blunt instrument” for protecting children.

eenagers who look to the Internet for health information as part of their “wired generation” birthright are blocked from many useful sites by antipornography filters that federal law requires in school and library computers, a new study has found.

The filtering programs tend to block references to sex and sex-related terms, like “safe sex,” “condoms,” “abortion,” “jock itch,” “gay” and “lesbian.” Although the software can be adjusted to allow access to most health-related Web sites, many schools and libraries ratchet up the software’s barriers to highest settings, the report said.

“A little bit of filtering is O.K., but more isn’t necessarily better,” said Vicky Rideout, vice president of the Henry J. Kaiser Family Foundation, which produced the report, to be published today in The Journal of the American Medical Association. “If they are set too high, they can be a serious obstacle to health information.”

The researchers found that filters set at the least restrictive level blocked an average of 1.4 percent of health sites; at the most restrictive level, filters blocked nearly 25 percent of health sites. The amount of pornography blocked, however, was fairly consistent: 87 percent at the least restrictive level, 91 percent at the most restrictive.

The programs blocked a much higher percentage of health sites devoted to safe-sex topics: 9 percent at the least restrictive level and 50 percent at the most restrictive. The blocked pages at high levels included The Journal of the American Medical Association’s site for women’s health and a page with online information from the Food and Drug Administration about clinical trials.

To the researchers, the results mean that a school or library that uses a less restrictive setting for Internet filters can lose very little of the protective effect of the filters, while minimizing the tendency of filters to block harmless and even valuable sites.

The report is the first major study of the effectiveness of filters to appear in a peer-reviewed scientific journal, and the first to look at the effectiveness of filters at various settings. Most previous studies have been produced by organizations with a strong point of view either favoring or opposing filters. The Kaiser Foundation is a nonprofit health research group. David Burt, an antipornography advocate who is a spokesman for the filtering company N2H2, said he was pleased with the report, which he called “very thoughtful and well designed — they recognized it matters a lot how you configure a filter and set it up.”

But opponents of filtering requirements said the study showed the technology’s clumsiness.

“Filters are just fine for parents to use at home,” said Judith F. Krug, director of the Office for Intellectual Freedom at the American Library Association. “They are not appropriate for institutions that might be the only place where kids can get this information.”

“The importance of the First Amendment,” Ms. Krug said, “is that it provides us with the ability to govern ourselves, because it guarantees that you have the right to access information. The filters undercut that ability.”

Nancy Willard, an Oregon educator who has written student guides that emphasize personal responsibility in Internet surfing, called filtering a kind of censorship that, if performed by the schools directly, would be unconstitutional.

“These filtering companies are protecting all information about what they are blocking as confidential trade secrets,” Ms. Willard said. “This is nothing more than stealth censorship.”

The study was conducted for the foundation by University of Michigan researchers, who tested six leading Internet filtering programs. The researchers searched for information on 24 health topics, including breast cancer and birth control, and also for pornographic terms. They performed the tests at each of three settings. At the least restrictive setting, only pornography is supposed to be blocked; an intermediate setting also bars sites with nudity and other controversial material like illicit drugs. The most restrictive setting possible for each product may block sites in dozens of other categories.

The researchers then called 20 school districts and library systems around the United States to ask how they set their filters. Of the school systems, which teach a half million students over all, only one set its filters at the least restrictive level.

The issue of library filtering is making its way through the federal courts. Last month the Supreme Court agreed to hear a Bush administration defense of the Children’s Internet Protection Act, the federal law requiring schools and libraries to use filters on computers used by children or to lose technology money. A special panel of the United States Court of Appeals for the Third Circuit, in Philadelphia, struck down part of the law that applied to libraries as unconstitutional. Chief Judge Edward R. Becker wrote that filters were a “blunt instrument” for protecting children.


Subscribe Today – Paypal or Credit Card Accepted.

Flat rate subscription. Select a membership option & subscribe.



Select Payment Option



  • You will be issued a username and password.
  • You will be granted access to our member area.
  • 5 Year Membership Option now available.
  • For lifetime membership options click here.
  • Contact us if you would like a pre order invoice.

Disclaimer: All sales are final, we do not issue refunds. Cancel your subscription anytime.

Study – Web Filtering in Schools

AASL Executive Summary

The American Association of School Librarians (AASL) conducted its national longitudinal survey, School Libraries Count!, between January 24 and March 4, 2012. The annual survey collected data on filtering in schools. Participants answered 14 questions ranging from whether or not their schools use filters, to the specific types of social media blocked at their schools.

This paper is an overview of the data that was collected. As the results show, filtering continues to be an important issue for most schools around the country. The data from School Libraries Count! suggests that many schools are going beyond the requirements set forth by the Federal Communications Commission (FCC) in its Child Internet Protection Act (CIPA).

AASL’s position views the social aspect of learning as important for students in the 21st century and much of the filtering software seems to discount that aspect.

Uses and Types of Filtering

When asked whether their schools or districts filter online content, 98% of the respondents said content is filtered. Specific types of filtering were also listed in the survey, encouraging respondents to check any filtering that applied at their schools. There were 4,299 responses with the following results:

94% (4,041) Use filtering software
87% (3,740) Have an acceptable use policy (AUP)
73% (3,138) Supervise the students while accessing the Internet
27% (1,174) Limit access to the Internet
8% (343) Allow student access to the Internet on a case-by-case basis

The data indicates that the majority of respondents do use filtering software, but also work through an AUP with students, or supervise student use of online content individually.

The next question identified types of filtering software and asked respondents to select those used at their schools. There were 4,039 total responses. The top three types of filtering software were:

70% (2,827) URL-based
60% (2,423) Keyword-based
47% (1,898) Blacklists

Who and What Gets Filtered

When respondents were asked if content for students is filtered by their school or by the district, 100% of the 4,299 respondents answered “Yes.” Respondents also indicated that in 73% of schools, all students are filtered at the same level.

When asked if the filters affect both students and staff, 88% of 3,783 respondents said filters are used for staff, and 56% of 2,119 respondents said the same level of filtering is applied to students and staff alike.

The top four filtered content areas in schools surveyed include:

Social networking sites (88%)
IM/online chatting (74%)
Gaming (69%)
Video Services (66%)

Additional filtered content includes personal e-mail accounts, peer-to-peer file sharing and FTP sites. However, when asked if they could request sites be unblocked, 92% of the 3,961 respondents indicated they could in the following ways:

27% (1,069) Have the site unblocked in a few hours
35% (1,386) Have the block removed within one to two days
17% (673) Wait more than two days but less than a week
20% (792) Wait one week or more

The survey found that 68% of the decisions to unblock a site are made at the district level and only 17% of the decisions are made at the building level.

Bring Your Own Devices

The School Libraries Count! survey also asked which types of portable electronic devices students are allowed to bring to school. Respondents were able to select all that apply. The 4,299 responses revealed the following percentages for devices allowed:

E-readers (53%)
Cell phones (49%)
Laptops (39%)
MP3 Players (36%)
Netbooks (32%)

When students bring these items to school, 51% of 2,981 responses indicated there is a filter mechanism used for these devices.

When answering how students’ personal devices were filtered, the top five answers from 1,520 respondents were:

Through the use of the AUP (48%)
Logging on through the school network (47%)
Not having Internet connectivity (29%)
Using the discretion of the classroom teacher (28%)
Logging into a “guest” network (26%)

Impact of Filtering on Learning

The last filtering question discussed the impact that filtering has on the individual programs. Respondents were asked to select all that applied.

Of the 4,299 responses 52% indicated that filtering impedes student research when completing key word searches, 42% indicated that filtering discounts the social aspects of learning, and 25% stated that filtering impeded continued collaboration outside of person-to-person opportunities.

On the other hand, 50% indicated filtering decreased the number of potential distractions, 34% indicated filtering decreased the need for direct supervision, and 23% indicated that filtering allowed research curriculum to yield more appropriate results.

One trend revealed in the survey is that students are increasingly allowed to bring their own devices to school, but those devices are still subject to the filters. Many school librarians are reporting that true student research is being hindered by school filters, making this an issue that AASL will continue to address in the future.


Using Squidguard and Pfsense to Url Filter with Domain Blacklists from Squidblacklist.org

URL filtering is one strategy used to filter access to websites based on the domain name and/or URL. There are several commercial products available for URL or domain content filtering, but you could easily build a very reliable system on your own using SquidGuard and pfSense. SquidGuard is a useful add-on package for the Squid proxy server and can be used to filter or redirect web requests on the network.

SquidGuard has a long list of features that can be tailored to fit your needs. It’s also rather fast and doesn’t slow down the internet for your clients. If you need to block access to a list of unwanted websites, or only allow access to a whitelist of specific websites, SquidGuard can certainly assist with this.

SquidGuard is also very flexible, and it is easy to adapt to different applications. Whether you intend to do basic URL filtering on your home network or need to create complicated rules for a large private or public network, SquidGuard can do it.

Before you can put a web filtering proxy under pfSense into production, some configuration is required. If you are new to pfSense, I recommend reading through the instructions that ship with pfSense.

Install the SquidGuard Package

SquidGuard and the Squid proxy can both be installed using the pfSense package manager. To access the pfSense package manager, click Packages on the System menu. Select the Available Packages tab and scroll down to where you will find SquidGuard and Squid proxy listed individually, then click the plus sign next to each item to begin the installation.

Once the installations are complete, you will have a new menu item called Proxy filter under the Services menu.

Blacklists

To set up a domain blacklist, open the general settings page under Services > Proxy filter. Click the checkbox to activate the domain blacklist.

You can use one of several different domain blacklists publicly available on the web. You can also find several blacklists at http://www.squidblacklist.org. We have our blacklists available in multiple formats, but you will most likely want the standard directory-formatted archive located at the following URL: http://www.squidblacklist.org/downloads/squidblacklists/squidblacklist.tar.gz


Excluding URLs from the Blacklist

There may be some sites that you need to allow your users to access. To prevent these sites from being blocked, you can create a new target category and add a list of domains or URLs that should not be blocked.

To do this, click the Target categories tab, and then click the plus sign to add a new category. You must assign a unique name to the new category; the name you choose cannot contain spaces.

The target category can filter by domain name, URL, or an expression. Adding a domain grants access to the main site and all its sub-pages. Entering a URL allows access only to that exact page. Expressions allow you to grant access based on certain keywords.

When finished, click Save, then go back to the Common ACL or Groups ACL tab (wherever you created the rule) and select the action whitelist for your new category.

You can also use this same method to add additional sites to the blacklist.

Filtering by Expression

In addition to domain and URL filtering, SquidGuard can create filters using regular expressions. These types of filters are great when you want to search for specific text strings in a URL and make the filtering decision based on that match. If you are unfamiliar with regular expressions they can be a bit confusing at first, but there are many online resources on the subject, so I will not go into much detail about them in this article.

To create a filter that uses an expression, click the Target categories tab, and create a new category or edit an existing one. Enter the expression you want to filter on in the expression box and then click Save. Then go back to the Common ACL or Groups ACL tab and select the action (deny, permit, etc.) for your target category.

Here are some examples of filter expressions. These can be edited according to what you want to filter. For more useful information about filtering with regular expressions, review http://www.squidguard.org/Doc/Examples.

Block downloads based on file extension

(.*\/.*\.(zip|rar|exe|msi|mpeg|avi))

Block certain TLDs

(\.gov|\.xxx|\.mil|\.net)

Block searches for “bypass proxy” on Google and Yahoo

(.*(google|yahoo).*(search_query|keywords|search|query|q|p)=.*(\+|\%20)*(proxy|bypass).*(\-|\+|\%20).*(proxy|bypass).*)
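An added example, not part of the original article: the three expressions above (extraction damage removed) run over constructed URLs to show where unanchored patterns overblock. It assumes case-insensitive, unanchored matching against the URL with the scheme stripped, and uses Python's `re` as a stand-in for SquidGuard's regex engine; the tightened variants are this example's own suggestion.

```python
import re

# The article's three expressions, with spacing/capitalisation damage removed.
ARTICLE = {
    "ext": r"(.*\/.*\.(zip|rar|exe|msi|mpeg|avi))",
    "tld": r"(\.gov|\.xxx|\.mil|\.net)",
    "search": (r"(.*(google|yahoo).*(search_query|keywords|search|query|q|p)="
               r".*(\+|\%20)*(proxy|bypass).*(\-|\+|\%20).*(proxy|bypass).*)"),
}

# Tightened variants: this example's suggestion, not from the article.
# "ext": the extension must end the path (a query or fragment may follow).
# "tld": the TLD must end the hostname, never match inside a label or path.
TIGHT = {
    "ext": r"^[^/?#]+/[^?#]*\.(zip|rar|exe|msi|mpeg|avi)([?#].*)?$",
    "tld": r"^[^/]*\.(gov|xxx|mil|net)(:[0-9]+)?(/.*)?$",
}
HARDENED = {**ARTICLE, **TIGHT}

# Constructed sample URLs, each paired with whether policy intends a block.
SAMPLES = [
    ("http://downloads.example.com/tools/setup.exe", True),
    ("http://www.example.com/blog/my.exercise-plan", False),
    ("http://www.example.net/", True),
    ("http://intra.networks.example.org/wiki", False),
    ("http://www.google.com/search?q=bypass+proxy", True),
    ("http://www.google.com/search?q=gastric+bypass+surgery+vs+heart+bypass",
     False),
]


def normalise(url):
    """Strip the scheme so patterns see host/path (assumed match target)."""
    return re.sub(r"^[a-z][a-z0-9+.-]*://", "", url, flags=re.I)


def blocked_by(patterns, url):
    """Return the sorted names of every expression that matches the URL."""
    target = normalise(url)
    return sorted(name for name, rx in patterns.items()
                  if re.search(rx, target, re.I))


def false_positives(patterns):
    """URLs that get blocked although policy does not intend it."""
    return [u for u, want in SAMPLES if not want and blocked_by(patterns, u)]


def missed(patterns):
    """URLs that policy intends to block but no expression matches."""
    return [u for u, want in SAMPLES if want and not blocked_by(patterns, u)]


if __name__ == "__main__":
    for label, patterns in (("article", ARTICLE), ("hardened", HARDENED)):
        print(label)
        for url, want in SAMPLES:
            hits = blocked_by(patterns, url)
            print(f"  intended={want!s:5} matched={hits or '-'} {url}")
        print("  overblocked:", len(false_positives(patterns)),
              "missed:", len(missed(patterns)))
```

Anchoring removes the hostname and path false positives, but the keyword expression still flags the health query: an expression over search terms cannot tell intent, so test such rules against real traffic samples before deploying them.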

Scheduling & Time-Based Rules

SquidGuard also allows you to apply URL filtering based on schedules. Schedules are useful for applying rules at different times during the day, or only on certain days of the week.

For example, you could apply strict URL filtering rules during office hours and automatically disable the rules after 17:00. If you are filtering your home network, you may not want the children to visit certain sites during the school week; this is another example in which a time-based rule would be used.

To create a time-based rule, click the Times tab and then click the plus sign to create a new schedule. You can create as many different schedules as you need.

Schedules can be applied using the Groups ACL tab. Create a new ACL or edit an existing group, then use the “Time” drop-down box to select the schedule you created.

Do not forget to click Apply on the General tab for the settings to take effect.

Conclusion

Commercial web filtering devices can be very expensive and difficult to handle. pfSense and SquidGuard are completely free and very powerful. SquidGuard offers many other features that are not covered in this article. For more detailed information, visit SquidGuard.org and check out the documentation section. Also be sure to check out some of my other articles to learn about more ways to use pfSense on your network.

Should you consider investing in a Web Filter?


When you think of web filtering, what is the first visual that comes to mind? For some, it’s pop-ups and notifications to update their antivirus. Today’s web filtering capabilities have become more sophisticated, and so have the criminals attempting to infect systems.

According to one study, cybercrime costs have increased by 19 percent. Let’s break down three tips for protecting your business with web filtering.

1. Don’t be cheap with your security budget, invest in web filtering software

Similar to purchasing insurance on your business, a solid web filter will provide additional security for your network. You should be shopping for software with keyword blocking, malware filtering, social media monitoring, redirects, P2P blocking, BYOD support, user notifications, 24/7 software support and custom ACL or blacklist rules for fine-tuning the sites that are blocked, such as the blacklists offered by Squidblacklist.org.

You may also want to look into software that eliminates anonymous proxies or allows your organization to block specific sites related to gambling, gaming, streaming media or any site category that should not be accessed during work hours.

All of these features are limited when you use free web filtering services. To feel peace of mind, it’s important to put a little investment into your web filtering tools.

Additionally, the extra layer of coverage may prevent an internal, yet unintentional, threat from occurring because your employee landed on a bad website. In fact, according to a study by Kansas State University, roughly 60 to 80 percent of employee time is spent surfing non-work related websites. Essentially, the money you spend on your web filtering software could pay off tenfold in productivity if you limit some commonly surfed websites.

2. Make web filtering required for all employee devices

This may seem like an obvious statement but with today’s flex scheduling and mobility it’s easy for older devices to get overlooked. Consider using a web filtering tool that allows you to deploy updates across multiple platforms.

The best filters allow you to manage these devices through a central dashboard and make updates, or see traffic, on an as-needed basis. While we aren’t encouraging a Big Brother mentality, it’s good to know you can see the whole picture and focus on a problem before it becomes a threat.

Another great feature of this type of filtering tool is disaster recovery. If your web filtering platform is located in a cloud environment you can access your dashboard anytime, anywhere. For chief technology officers on the go, this is also a productivity plus in the event of a potential threat.

3. Understand content filtering basics.

You may not be an IT manager or CTO, but that doesn’t mean you should avoid learning how web filtering works. At its core, web filtering is established to screen incoming traffic from the web and determine whether it should be displayed or blocked. It is also important to understand that web filters are not a replacement for quality antivirus and anti-malware software. While some web filters can block blacklisted malware domains and links, and others offer inline scanning for viruses and malware, many of these malicious threats are transmitted via email or various other attack vectors, such as insider threats. Ultimately the threats are difficult to completely mitigate, so investing in a robust solution is critical.

It’s important to understand some of the terminology used in the first half of this article.

For example: blocking a redirect can prevent typo squatters from redirecting your search terms to unrelated sites that host malware. A typo squatter will change a URL from its known link to a similar URL that may have one additional letter (usually a consonant). Many users do not pay attention to the domain names in search results and are not as cautious as they should be when clicking links.

Another basic web filtering term is “anonymous proxies.” These are tools that facilitate anonymous traffic, making sources untraceable, and they are often used for the purpose of bypassing web filters. These proxies are typically used to mask malicious or otherwise criminal activity on the internet and to hide the location of a specific threat.

If you find that many of the terms mentioned in your web filtering research are too complicated, we recommend using Google to do your homework. This helpful tool is also handy when you’re researching other IT security tools such as backup, antivirus, operating systems, and more.

So there is little question that you need a web filtering tool. Now that you are equipped with the resources and understanding to purchase an effective solution, we recommend that you act immediately on this mission. Your employees are landing on thousands of websites a day and the liability falls on the organization to protect your assets, your data, and your network. Ultimately it is your brand that could suffer from a security breach.
