1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Protect Kids online proxy

Discussion in 'Linux & Open Source' started by tomcoleman, Sep 18, 2019.

  1. tomcoleman

    Gangster

    Joined: Mar 11, 2016

    Posts: 226

    hi all,

    im looking to setup a Man in the middle, home DNS, proxy any of those really.

    My kids are starting to use the laptop at home to do homework etc.

    Ive found ways to filter, DNS block (openDNS etc) but need something more granular

    I need to be able to block "keyword searches" and see what they are typing into google/bing.

    I cant install software on the computer as its Windows 10 S edtion and we want to keep it that way.

    Can anyone recommend a good opensource, nice gui etc porxy/firewall/DPI peace of software?

    Or im i doing this the wrong way/method?

    No problem setting things up in shell/cmd etc but dont want tons of information to go through every day something niceley presented.

    I looked at pfense with ntop but doesnt seem todo the DPI / reporting part.

    We use smoothwalls at work which seem nice, but the opensource version hasnt been updated since 2013 and very dated.
     
  2. Nikumba

    Mobster

    Joined: Dec 4, 2002

    Posts: 3,609

    Location: Bourne, Lincs

    Put something like a pfSense box between your router and your network
     
  3. tomcoleman

    Gangster

    Joined: Mar 11, 2016

    Posts: 226

    did you read my post.... :eek:
     
  4. chrcoluk

    Mobster

    Joined: Feb 27, 2015

    Posts: 3,743

    For intercepting things like google search you will need a network wide proxy like squid, perhaps combined with squidguard which works of course with pfsense.

    you could also make their connectivity in a walled garden type thing so e.g. only on ports 80/443/53 etc. Depends how extreme you want to go.

    Actually blocking specific searches is obviously way more diffilcult tho, but using specific filter lists with squidguard tho whilst you may not be able to block the searches you may be able to block what happens when clicking on those search results (the actual websites from loading). There is some very extensive squidguard filter lists out there.
     
  5. tomcoleman

    Gangster

    Joined: Mar 11, 2016

    Posts: 226

    ok so pfense + squid + squidguard ?

    and that can intercept HTTPS and display in a nice format searches & do keyword blocking? ?
     
  6. chrcoluk

    Mobster

    Joined: Feb 27, 2015

    Posts: 3,743

    squid and squidguard are official packages in pfsense so point and click to install, however the configuring I havent touched on yet, so that side someone else can explain or its reading the documentation. lists can be found here. It can intercept https.

    http://www.squidguard.org/blacklists.html

    There is also pfblockerng (use the dev version) which has a massive point and click filter list capability as well, and that has the benefit of been entire network wide not just web browsing.

    As I Said tho keyword blocking is probably going to be extremely difficult.
     
  7. tomcoleman

    Gangster

    Joined: Mar 11, 2016

    Posts: 226

    thanks i'll have a look ;)
     
  8. Armageus

    Don

    Joined: May 19, 2012

    Posts: 10,201

    Location: Spalding, Lincolnshire

    I'll be that guy and disagree - it's more of a parenting issue than a technology issue:


    Education/Trust is a much better method imo. (Coming as a parent of 3 boys 9-15)

    What actually is the issue?
    If it's adult content, then OpenDNS is the easiest method. If it's malware, phishing etc, then pihole or pfblocker and some decent blocklists will help.

    Restricting what can be viewed works to some extent in your house, but doesn't solve issues when your children have a mobile phone, go round a friend's house etc.

    For our 9 year old, he only uses a PC in the living room, and we regularly ask him what he is doing on his Tablet, and what videos he is watching on Youtube on his smart TV.

    Even with older kids, building trust is important - regularly ask them what they've been viewing, and if you can take an interest in what they are doing.
    If you want to check their history etc, then ask them first if you can (e.g. give them the opportunity to own up first before punishing).



    Equally most of the above applies to internet usage at work - although in the case of problem users, we just provide evidence to their managers/HR and let them deal with the problem.
     
  9. SMN

    Wise Guy

    Joined: Nov 2, 2008

    Posts: 2,444

    Location: The ether

    Slight tangent, has anyone had any success setting the HTTP Proxy as a DHCP option? I'm using Unifi at home and this has got me thinking if i can have a seperate squid proxy (with squidguard et al) set for anyone joining the kids wifi/kids VLAN which has its own DHCP Server.
     
  10. chrcoluk

    Mobster

    Joined: Feb 27, 2015

    Posts: 3,743

    I have that setup. Not specifically for kids but for a guest wall gardened network.

    What I did.

    Brought a device to run openwrt as a wifi access point.
    Configured pfsense.

    So openwrt supports VLAN management on many consumer wifi routers. I am using an archer C7.
    I setup 2 wifi networks on each AP, referred to as virtual access points.
    One wifi network goes to one VLAN and the other goes to another VLAN.
    Each VLAN has its own virtual switch, and own DHCP server, and own LAN subnet.
    One VLAN is full access, like a normal LAN, the other has no access to the default LAN subnet (so wouldnt be able to access windows network shares etc.), limited internet connectivity, and lower priority on QoS. Also the full LAN AP is hidden, so need to know the name to try and use it.

    To make this work I also had to configure VLAN's on my pfsense unit as well.
     
  11. morbid42

    Gangster

    Joined: Mar 24, 2011

    Posts: 296

    Location: Sherwood Forest

    Its very simple - Block all websites and whitelist domains over time - school url\learning resources etc This is more feasible as they are younger, and also give you parent\child time.

    Yes youd need spend more time doing it but is the most robust route
     
  12. LabR@t

    Sgarrista

    Joined: Nov 30, 2005

    Posts: 8,513

    I have successfully used untangle on my home network for a number of years, £4 a month and I get detailed reporting, different policies for users, time of day etc.
    I can block all proxies, vpn's etc. Highly recommended.
     
  13. MonkeyBasher

    Gangster

    Joined: Dec 4, 2009

    Posts: 417

    You could probably do alot of this with a cheap PI and PIHole.

    Using a decent DNS setting and updating a good set of lists in PIHOLE will block >90% of the traffic you don't want.
    For the rest you can just check using the GUI once a week and add the nasties to you local blacklists.
    Add the edu sites to your whitelists and you are good to go.

    The only thing I suspect it will not do is search logging / keyword blocking which as above may not be actually what you want anyway.
     
  14. LabR@t

    Sgarrista

    Joined: Nov 30, 2005

    Posts: 8,513

    Untangle utm