Metronet No nonsense Broadband. Straight up.  
Home Broadband Help & Support Member Centre  
Help > Security > Web Content Filtering > Advanced Web Content Filter
Advanced Web Content Filter

Learn how to use the more advanced features of the web content filter.

The web content filter supports custom lists, giving you more control over the way that content is filtered. There is also support for more advanced proxy settings, ideal if you use the web content filter as a 'parent proxy' to increase your web browsing speed even further. Please note that this article is intended for advanced users.

Custom lists

For detailed information on setting up and using custom lists, read our dedicated Custom Lists Tutorial.
We have split off an extensive tutorial and description to build and maintain your own custom content filtering lists, plus the wildcarding facilities that they also permit.

Additional supported proxy protocols

Although officially the proxy server is intended for non-secure web traffic, using port 80/tcp, you can tunnel/process several different types of traffic.

Alternative HTTP services
For HTTP web connections you are permitted to connect to port tcp/80 through the proxy as well as any HTTP service running on a port above tcp/1025 including HTTPS [443/tcp] and SNews [563/tcp] (via ' CONNECT‘).

Although it's not cached, you can use the proxy with your HTTPS traffic through, although doing so is unlikely to produce any benefits for you.

FTP {21/tcp} and Gopher {70/tcp}
For those that want to, the web content filter can also handle FTP and Gopher traffic.

Miscellaneous services
The proxy server will also permit: wais [210/tcp] and multiling http [777/tcp]

Using web content filter as a sibling/parent cache - ICP usage

Even if you are using your own proxy server, you can benefit from using ours as a sibling or parent cache. There is a protocol called ICP which will tell your proxy server, in the case of a ‘MISS’, to ask our proxy server if it has the website, before it goes ahead and downloads it directly from the source. If we reply with a ‘HIT’ then your proxy will get the website from us which is more likely to be available to download at a higher speed.

Squid proxy server (under Debian)

To use this you should look in your proxy server's configuration manual on how to use ICP and set it to use as a 'sibling' proxy server. If you are using Squid then you should add to your /etc/squid/squid.conf (for Debian Linux users):

cache_peer sibling 3128 3130 default

This will set you to use the proxy ' ' as a sibling proxy for HTTP (3128/tcp) with ICP (3130/udp). If you use anything other than Squid, you should ask your proxy solution provider or consult their documentation. Note that this approach is not suitable if you are using the web content filtering features of the proxy, because it's not used to fetch 100% of the websites you browse.

To use the parent proxy with the added bonus of content filtering you should instead add the following two lines to your /etc/squid/squid.conf file. If for whatever reason our proxy server becomes unavailable your proxy will automatically fallback to non-content filtering until our proxy server returns.

cache_peer parent 3128 0 no-query
prefer_direct off

If you are using the Linux Distrubution, SmoothWall Express Firewall then to configure it to use Cerberus as a 'parent' proxy you should

  1. Open and log into the web interface.
  2. Select the 'services' tab.
  3. Then go to the 'web proxy' tab.
  4. Enable and configure the local proxy so that in the 'Remote Proxy:' box you enter and state that no username or password is required.

Is there a way to force people to use the proxy server?

You may be able to manually add a firewall rule that will force all traffic through the proxy server. You would need to consult your firewall documentation on how this is done. The rule you would want is to block all outgoing TCP (SYN) traffic to the destination port 80, the typical webserver port, except to our proxy server, which is on the IP address

Linux (kernel 2.4 or above)

As root type the command:
iptables -I FORWARD -o (wan-if) { -s ! (proxy-ip) } -d ! -p tcp --dport 80 --syn -j REJECT

where ' wan-if ' is the network interface of your Internet (WAN) connection, such as 'eth0' or 'ppp0'. The bracketed section is optional and depends on if you are running a proxy server (where ' (proxy-ip) ' is its IP address) on your internal LAN and it's not running on your firewall machine; it's not needed if the proxy server is running on the firewall.


As root type the commands:

{ipfw add (index-1) allow tcp from (proxy-ip) to any 80 setup out via (wan-if) }
ipfw add (index) allow tcp from any to 80 setup out via (wan-if)
ipfw add (index+1) reject tcp from any to any 80 setup out via (wan-if)

where ' (wan-if) ' is the network interface of your Internet (WAN) connection. The bracketed line is optional and depends on if you are running a proxy server (where ' (proxy-ip) ' is its IP address) on your internal LAN, even if your proxy server is running on the firewall itself.

WPAD'ing our userbase

Obviously getting our customer base to use the web proxy server is in our best interests as it keeps our costs down. To get the majority of you onto the proxy (without any side effects) we use a system called WPAD (how we do this is described on the Squid website and also an online Wiki) which assists us in automatically configuring everyone to use the proxy server.

Logging and privacy

We do collect and analyse our proxy server log files but only for performance, efficiency and planning reasons. We do not monitor our customer web habits, or conduct profiling.

Did this support article help you?
If not, get further help using Contact Us.
Search Support
Contact Us
Get Online Help from the Customer Support team

Tel: 0845 140 0083
or 0345 140 0200

Fax: 0870 703 8549

The Balance
2 Pinfold Street
S1 2GU