
Web Filter or Proxy?


G-Stress


I'm in the process of setting up 2 machines for my little ones and I want to make sure they don't "accidentally" stumble upon something they shouldn't. I have parental controls and content filtering inside the router, which work well, but I'm wanting to have a separate network for just the kids and I want everything on that network to be restricted to appropriate content only. Should I set up a proxy and point their browsers to route traffic through a proxy, or is there a web filter app/server software you recommend? OpenDNS works well, but if I remember right I was able to somewhat view content that should have been blocked.

The only thing I really want fully open is YouTube.

Thanks in advance. 

I'm open to all suggestions, the more enterprise the better.

Edited by G-Stress

If you are running Chrome this is supposed to be a good option:

https://chrome.google.com/webstore/detail/parental-controls-web-fil/dpfbddcgbimoafpgmbbjiliegkfcjkmn?hl=en

 

I don't know of any offhand, but I bet there are some good lists for Squid3 that will also block undesirable stuff.

But if all you want is YouTube then you could probably lock the browser down to just that URL; you can definitely do it at Squid3 level or do it at DNS level.


Internal Squid proxy with URL filtering, or, like OpenDNS, set up custom rules in the OpenDNS dashboard, which can do similar and block by domain name, type of site, etc.


12 hours ago, digininja said:

If you are running Chrome this is supposed to be a good option:

https://chrome.google.com/webstore/detail/parental-controls-web-fil/dpfbddcgbimoafpgmbbjiliegkfcjkmn?hl=en

 

I don't know of any offhand, but I bet there are some good lists for Squid3 that will also block undesirable stuff.

But if all you want is YouTube then you could probably lock the browser down to just that URL; you can definitely do it at Squid3 level or do it at DNS level.

Depending on how old the kids are, they could turn it off if they know what they are doing, although from the sound of it, they are a bit younger and might not know about these sorts of things (yet). It's one of the things I worry about with my kids, as they do a lot of homework stuff online and watch YouTube a lot, which in itself is not the best place for kids, as they don't exactly have a lot of filtering options there other than relying on people to flag content or owners to set their own stuff for age groups. There's porn on YouTube if you look hard enough and plenty of adult shows not suited for kids on there. It's a balancing act to keep them from getting into too much without us knowing, which is a lot harder the more savvy they become with the computer.


Get a cheap router from Goodwill. Make sure you check the model number before purchase for DD-WRT compatibility... If it has wireless N or 5.8 GHz speeds then that's a SCORE...

Flash with new open source firmware, configure the device as a kids' wifi repeater...

Now you can set up custom iptables rules. I'm sure there are already documented iptables configs online for kid-safe surfing...

 


1 hour ago, i8igmac said:

Get a cheap router from Goodwill. Make sure you check the model number before purchase for DD-WRT compatibility... If it has wireless N or 5.8 GHz speeds then that's a SCORE...

Flash with new open source firmware, configure the device as a kids' wifi repeater...

Now you can set up custom iptables rules. I'm sure there are already documented iptables configs online for kid-safe surfing...

 

Speaking of which, just found http://www.penguintutor.com/linux/raspberrypi-kidsafe which might work in this scenario.


Thanks for all the info and quick response guys. My babies are (about to be 8) this Wednesday and 9. They're good kids, I don't really worry about them getting curious, at least not yet, but I don't want any accidents either.

I remember hearing about Squid years ago, but I've never messed with it. We primarily use Chrome, but being that IE would still be an option, I want to really lock things down at the router/AP level. YouTube, I agree there are some things on there not suitable for young kids, but that's the one thing where I trust and allow them to watch appropriate content. So far I've been blessed; the biggest issue there is those compilation videos where some clips are fine then some have a lot of cussing, etc.

I ran DD-WRT for years, but never played with iptables. I guess now my concern is which would be more reliable/stable and do the best job? If Squid, then what would be the best preferred setup via OS to run it on, or in a VM? Also, does iptables or Squid do any form of reporting via email or text in the event anyone on that network tried to search for, say, porn, or would I have to manually check logs?

I will probably be using a nighthawk router and soon a UniFi AP Pro access point for that network setup. 
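
On the reporting question in the post above: Squid writes every request to its access.log, and requests it refuses carry a `TCP_DENIED` result code, so a short script can turn the log into a per-device summary. This is an added example, not something posted in the thread; it assumes Squid's default native log format, and the log lines and addresses in it are constructed samples.

```python
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample: time elapsed client result/status bytes method URL user peer type
SAMPLE_LOG = """\
1514800000.101     12 192.168.50.11 TCP_MISS/200 5120 GET http://www.youtube.com/ - HIER_DIRECT/203.0.113.10 text/html
1514800003.455      0 192.168.50.11 TCP_DENIED/403 3980 GET http://blocked.example/page - HIER_NONE/- text/html
1514800009.870      0 192.168.50.12 TCP_DENIED/403 3975 CONNECT blocked.example:443 - HIER_NONE/- text/html
1514800015.002    230 192.168.50.12 TCP_TUNNEL/200 48211 CONNECT www.youtube.com:443 - HIER_DIRECT/203.0.113.10 -
1514800021.640      0 192.168.50.11 TCP_DENIED/403 3990 GET http://other.example/a?b=1 - HIER_NONE/- text/html
this line is truncated
"""

def host_of(method, url):
    """Return the destination host; CONNECT entries log host:port, not a URL."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or url).lower()

def denied_requests(lines):
    """Yield (client_ip, host) for every request Squid refused."""
    for line in lines:
        fields = line.split()
        if len(fields) < 7:
            continue  # skip blank or malformed lines
        client, result, method, url = fields[2], fields[3], fields[5], fields[6]
        if result.split("/")[0] == "TCP_DENIED":
            yield client, host_of(method, url)

def summarize(lines):
    """Count denied requests per client and per (client, host) pair."""
    per_client, per_pair = Counter(), Counter()
    for client, host in denied_requests(lines):
        per_client[client] += 1
        per_pair[(client, host)] += 1
    return per_client, per_pair

def format_report(per_client, per_pair):
    """Render plain text suitable for the body of an e-mail or cron message."""
    out = []
    for client, total in per_client.most_common():
        out.append(f"{client}: {total} denied")
        for (c, host), n in sorted(per_pair.items()):
            if c == client:
                out.append(f"  {host} x{n}")
    return "\n".join(out)

if __name__ == "__main__":
    print(format_report(*summarize(SAMPLE_LOG.splitlines())))
```

Run from a scheduled job against the proxy's real access.log, the returned text can be handed to whatever mailer the host already has.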


11 hours ago, G-Stress said:

Thanks for all the info and quick response guys. My babies are (about to be 8) this Wednesday and 9. They're good kids, I don't really worry about them getting curious, at least not yet, but I don't want any accidents either.

I remember hearing about Squid years ago, but I've never messed with it. We primarily use Chrome, but being that IE would still be an option, I want to really lock things down at the router/AP level. YouTube, I agree there are some things on there not suitable for young kids, but that's the one thing where I trust and allow them to watch appropriate content. So far I've been blessed; the biggest issue there is those compilation videos where some clips are fine then some have a lot of cussing, etc.

I ran DD-WRT for years, but never played with iptables. I guess now my concern is which would be more reliable/stable and do the best job? If Squid, then what would be the best preferred setup via OS to run it on, or in a VM? Also, does iptables or Squid do any form of reporting via email or text in the event anyone on that network tried to search for, say, porn, or would I have to manually check logs?

I will probably be using a nighthawk router and soon a UniFi AP Pro access point for that network setup. 

If the traffic is controlled at the router then it would take more skill to bypass this filtering...

 

An open source router OS that includes iptables really can be powerful.

The simplest method might simply be to redirect all the kids' traffic to your Squid machine.

 

http://www.penguintutor.com/kidsafe.php

 

http://www.pihomeserver.fr/en/2015/09/01/un-controle-parental-grace-au-raspberry-pi-squid-et-squidguard/

I like how the Squid config looks at this last weblink...

If you get yourself a proper setup please share the configuration files.

Installing certificates on the kids' devices also brings the ability to log the traffic.

 

  • iptables -t nat -A PREROUTING -i eth0 ! -s squid-box -p tcp --dport 80 -j DNAT --to squid-box:3128
  • iptables -t nat -A POSTROUTING -o eth0 -s local-network -d squid-box -j SNAT --to iptables-box
  • iptables -A FORWARD -s local-network -d squid-box -i eth0 -o eth0 -p tcp --dport 3128 -j ACCEPT

 

Edited by i8igmac

If you have a Raspberry Pi you could always use Pi-hole.

https://pi-hole.net/

Do not know how advanced your router is, but if you can set up separate DNS options for reserved clients then you can set up their DNS to point to Pi-hole. Now you can blackhole any DNS requests to sites you do not want them having access to. Do not know if Pi-hole can MAC filter requests, but I do know it can act as a DHCP server too. It will give you an insight of all the queries they make too... in essence their sites. It pretty much black holes any DNS requests for sites you do not want.

You could go with Squid but you will need to tell the clients to use it via proxy settings. If you are really serious you could put a Snort/Suricata machine in line to do sniffing and filtering, which will force them through it. Adding a cert trusted by the clients will give you insight into their HTTPS request contents as well.


6 hours ago, PoSHMagiC0de said:

If you have a Raspberry Pi you could always use Pi-hole.

https://pi-hole.net/

Do not know how advanced your router is, but if you can set up separate DNS options for reserved clients then you can set up their DNS to point to Pi-hole. Now you can blackhole any DNS requests to sites you do not want them having access to. Do not know if Pi-hole can MAC filter requests, but I do know it can act as a DHCP server too. It will give you an insight of all the queries they make too... in essence their sites. It pretty much black holes any DNS requests for sites you do not want.

You could go with Squid but you will need to tell the clients to use it via proxy settings. If you are really serious you could put a Snort/Suricata machine in line to do sniffing and filtering, which will force them through it. Adding a cert trusted by the clients will give you insight into their HTTPS request contents as well.

I'm not doubting the idea here, just pointing out the configuration I have explained with the use of a kid-safe wifi access point...

All devices associated will be affected by the iptables rules without the need to configure proxy settings on each machine or each application...

You can forward the traffic to Pi-hole or Squid... the access point running iptables rules is simply a control point...

Full control of traffic is full control.


Thanks again guys for all the suggestions and info. I'm finally getting around to messing with this. Currently setting up 2 VMs, 1 of Ubuntu Desktop 16.04.3 and Ubuntu Server 17.10, to play with Squid. I didn't do much research yet and am not sure if those are even the best base OS to run Squid on; I simply did one search for Squid setup or something like that and the first OS I saw mentioned was Ubuntu.

OpenDNS is nice, but easy to get around. I saw something about SafeDNS, but haven't checked it out yet. @PoSHMagiC0de I have quite a few routers, ASUS and Nighthawk series are what I primarily use, but I had forgotten all about Untangle and pfSense. I had two PowerEdge 650s in my rack running those as routers behind 2 modems at 1 point years ago.

You all have given me a lot of good ideas and advice and I greatly appreciate it. I'm going to mess with Squid and iptables first to at least familiarize myself with them. Just curious, if a medium to small business owner was in need of the same or similar solution, would any of the above recommendations change/be different?


7 hours ago, G-Stress said:

Thanks again guys for all the suggestions and info. I'm finally getting around to messing with this. Currently setting up 2 VMs, 1 of Ubuntu Desktop 16.04.3 and Ubuntu Server 17.10, to play with Squid. I didn't do much research yet and am not sure if those are even the best base OS to run Squid on; I simply did one search for Squid setup or something like that and the first OS I saw mentioned was Ubuntu.

OpenDNS is nice, but easy to get around. I saw something about SafeDNS, but haven't checked it out yet. @PoSHMagiC0de I have quite a few routers, ASUS and Nighthawk series are what I primarily use, but I had forgotten all about Untangle and pfSense. I had two PowerEdge 650s in my rack running those as routers behind 2 modems at 1 point years ago.

You all have given me a lot of good ideas and advice and I greatly appreciate it. I'm going to mess with Squid and iptables first to at least familiarize myself with them. Just curious, if a medium to small business owner was in need of the same or similar solution, would any of the above recommendations change/be different?

Squid will do what you need, but nothing is 100% foolproof if someone really wants to get around it. If you only allow HTTP and HTTPS to flow over the proxy then you should be good. If your kids know how to SSH tunnel or VPN out, then you're shit out of luck :)


Right! They're 8 and 9. I never had a father, but I figured I will allow them to be kids until "double digits". Then they will start taking things apart and tinkering. I don't think I'll have any major issues with them, I'm more or less more worried about "accidental discovery".
