Tuesday, October 18, 2011

Content filtering for minors

I use DansGuardian as a content filter for our local network.  Much to my children's chagrin, they are not allowed to access sites that are rated above their pay grades, nor to sites that contain content that, via a set of weighted phraselists, is deemed to be too mature for them.  Finally, they're completely disallowed to access files based on filetype (e.g. exe, zip, rar, bz2) and mime type -- basically, they are not allowed to download executable files.

After having a few of my (now adult) children have their computers toasted by malware and whatnot (10 or so years ago), and after one of them accidentally fell into pop-up porn hell, I set this system up to try to protect them from themselves.  Since then, I am happy to say that nobody has had their computer lost to the bad stuff.  (But the credit for this obviously goes to DansGuardian.)

I use Shorewall as my firewall solution, and configure it to (transparently) redirect all outgoing traffic on port 80 to Dansguardian (on port 8080):
REDIRECT lan 8080  tcp www  # redirect LAN-www to local 8080
Dansguardian relays the requests to a proxy (originally I used Squid, but I have also configured Apache's proxy module), and you should probably block access from the LAN to the proxy ports, lest someone configure their computer to bypass your content filter.  I have not done this because at times I do exactly this and configure a computer to directly access the proxy.  So far, nobody has figured this out (I do check occasionally) so I haven't worried about it.

For computers that should bypass the content filter, like my Wife's, I define a variable in /etc/shorewall/params listing the MAC addresses of those computers:
RIKKI_IPAD=~ed-0d-59-b7-c7-5d
RIKKI_IPHONE=~24-ab-81-fd-71-c4
Then, I define a variable that includes all of the systems that should bypass the filter:
MACS_NOT_FILTERED=$RIKKI_IPAD,$RIKKI_IPHONE,...
Then, finally, in /etc/shorewall/rules I specify that these should bypass the filter:
ACCEPT+  lan:$MACS_NOT_FILTERED net tcp www 
The ACCEPT+ target is like ACCEPT, but it also prevents further rules from matching, so by placing this rule above the REDIRECT rule, we ensure that  $MACS_NOT_FILTERED will never reach the REDIRECT rule.

One final issue I've had is that DansGuardian allows me to "whitelist" sites using /etc/dansguardian/lists/exception{site,url}list files, but some of my [linux] systems try to get updates from one of any number of mirror sites, and I don't necessarily know all the mirror sites and even if I could be bothered to find out, I wouldn't want to manually maintain a list of exceptions.  So, instead I used /etc/dansguardian/lists/exceptionregexpurllist to allow access to any mirror (in this case, the CentOS 6.0 servers):
 ^.*centos/6.0/(os|extras|updates)/x86_64/.*$
Unfortunately there isn't a very good way to have the kids hit a blocked page, and allow them to have access for a limited time.  DansGuardian has some functionality to allow you to get "warned" but then continue onto the site, but it doesn't have a way to issue "tokens" that would expire after a period of time.  To try to help solve this issue, I've started playing with a form that adds exceptions to the DansGuardian configuration (the form only being shown to the adults by having them in their own filtergroup).  But this is a very immature solution so far.

That said, I think DansGuardian is an excellent tool for networks with children, and I highly recommend it.

No comments:

Post a Comment