Any Help – I want a secure TEEN PC



  • Can anyone offer suggestions? I'm looking to make a bulletproof (TEEN PROOF) PC. I have a 16 year old boy that has no interest in schoolwork and is being threatened with having to repeat his current year of high school.

    What I am after is a logical approach to content filtering. I tried to install Dansguardian, also tried pfBlocker and Squidguard, but I think I went overboard, as my connection speed went from 10-11Mbs down to 2.5-3.0Mbs... I think I had too many packages trying to do the same task.
    At first I suspected the pfSense system as the culprit, so I wiped the HDD and installed IPCop. On a base install I got 10-11Mbps from a 12Mbps connection, not bad as I'm at the end of the line in distance from the exchange... but my ISP is quite good.
    I updated IPCop to its latest update, and all was good. I then wiped the drive again, re-installed pfSense 2.0.3 and got 10-11mbps as I should.
    I updated to pf 2.1 and the speed is still fine... so I know I had slowed it myself. Problem fixed.

    I had added Dans -- pfBlocker -- Squid -- Squidguard, and also had snort, bandwidthd and nTop running. I guess the load was too high.

    Now I'm on a clean install, but want to BLOCK a single IP from accessing various sites. These include: FACEBOOK, TAGGED, TWITTER and all Anime and gaming sites.
    And all porn and adult sites as well. I want to make the PC a schoolwork and school related machine only.

    Can anyone offer some advice on this?

    I have never had to limit access before so I'm a total noob to parental control.

    And before anyone comments, I'm not being mean to the child, but he sits mouthwide and dopey in front of the TV while the Teletubbies are on... and at almost 17, I don't think that's right... I am trying to make him learn... not turn into a George W clone...



  • Use OpenDNS to do content filtering, it's free.  Block all DNS queries except to their DNS servers.  Manage contact blocking with their tools.  This won't slow down your internet connection at all.  I have this in place for my own kids.  Works great.



  • @tim.mcmanus:

    Use OpenDNS to do content filtering, it's free.  Block all DNS queries except to their DNS servers.  Manage contact blocking with their tools.  This won't slow down your internet connection at all.  I have this in place for my own kids.  Works great.

    Sorry, not what I'm looking for... I want control from my PC, not from a serviced site, but thanks anyway for the suggestion.



  • bulletproof (TEEN PROOF ) PC

    There's no such thing without work, unless you use a third party service. This is what those services are for – to make it easy. (Really it makes it "easier" since without firewall rules it can be bypassed.)

    Traditionally, if you want to control this on a single PC, try mapping localhost (127.0.0.1) to the domain in the PC's hosts file. All PCs have this file, and it is referenced before DNS, so any mappings defined in this file will take priority. (Think of it as an override.)

    For Linux/Unix systems it is located here: /etc/hosts <-- hosts is the file.

    For Windows systems it is located here: C:\Windows\system32\drivers\etc\hosts <-- hosts is the file.

    For example, to block the domain example.org you would add this to the hosts file:

    
    # Hit the tab key between the IP and the domain; don't leave spaces or brackets.
    127.0.0.1	example.org
    127.0.0.1	www.example.org
    127.0.0.1	ftp.example.org
    
    

    This will cause the browser to display a 404 Page Cannot Be Found error for browsers since the site will not be hosted on the local computer. It works with any type of service (web, ftp, chat, etc) and protocol.

    It's old school but effective for the less than savvy teenagers. If you're worried about the file being edited, make the user that your teen logs into the system with a non-Administrator. The OS will prevent him/her from editing the file.

    This is not 100% bulletproof and still takes some work, but it is managed without installing additional software and localized to the target PC.

    Have fun! :)
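
The hosts format described in the post above, as an added example that is not part of the original post: it merges blocklists into one deduplicated hosts block and shows that hosts lookups are exact-match, which is why each subdomain needs its own line. The function names and the two sample lists are constructed for illustration.

```python
import ipaddress

SINK = "127.0.0.1"  # loopback sink address, as used in the post above


def parse_blocklist(text):
    """Yield hostnames from hosts-format or one-domain-per-line text."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()  # any run of tabs/spaces separates fields
        try:
            ipaddress.ip_address(fields[0])  # hosts format: address, then names
            names = fields[1:]
        except ValueError:
            names = fields[:1]  # plain list: one domain per line
        for name in names:
            name = name.lower().rstrip(".")  # names are case-insensitive
            if name and name != "localhost":  # never sink localhost itself
                yield name


def merge_blocklists(*texts):
    """Deduplicate names across all lists and return them sorted."""
    return sorted({n for t in texts for n in parse_blocklist(t)})


def render_hosts(names):
    """Emit one tab-separated hosts line per name."""
    return "".join(f"{SINK}\t{n}\n" for n in names)


def is_blocked(names, host):
    """Exact match only: the hosts file has no wildcards or implied subdomains."""
    return host.lower().rstrip(".") in set(names)


# Constructed sample lists (not real blacklists)
LIST_A = "# hosts-format list\n127.0.0.1\texample.org\n0.0.0.0 www.example.org  # dup\n127.0.0.1 localhost\n"
LIST_B = "EXAMPLE.ORG\nftp.example.org\nwww.example.org.\n"

if __name__ == "__main__":
    merged = merge_blocklists(LIST_A, LIST_B)
    print(render_hosts(merged), end="")
    raw = len(list(parse_blocklist(LIST_A))) + len(list(parse_blocklist(LIST_B)))
    print(f"{raw} raw entries -> {len(merged)} unique")
    print("mail.example.org blocked?", is_blocked(merged, "mail.example.org"))
```
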



  • @netritious:

    bulletproof (TEEN PROOF ) PC

    There's no such thing without work, unless you use a third party service. This is what those services are for – to make it easy. (Really it makes it "easier" since without firewall rules it can be bypassed.)

    Traditionally, if you want to control this on a single PC, try mapping localhost (127.0.0.1) to the domain in the PC's hosts file. All PCs have this file, and it is referenced before DNS, so any mappings defined in this file will take priority. (Think of it as an override.)

    For Linux/Unix systems it is located here: /etc/hosts <-- hosts is the file.

    For Windows systems it is located here: C:\Windows\system32\drivers\etc\hosts <-- hosts is the file.

    For example, to block the domain example.org you would add this to the hosts file:

    
    # Hit the tab key between the IP and the domain; don't leave spaces or brackets.
    127.0.0.1	example.org
    127.0.0.1	www.example.org
    127.0.0.1	ftp.example.org
    
    

    This will cause the browser to display a 404 Page Cannot Be Found error for browsers since the site will not be hosted on the local computer. It works with any type of service (web, ftp, chat, etc) and protocol.

    It's old school but effective for the less than savvy teenagers. If you're worried about the file being edited, make the user that your teen logs into the system with a non-Administrator. The OS will prevent him/her from editing the file.

    This is not 100% bulletproof and still takes some work, but it is managed without installing additional software and localized to the target PC.

    Have fun! :)

    That's a BLOODY BRILLIANT idea and the perfect solution, why the hell didn't I think of that myself??

    Saves me trying to learn Dansguardian and its related stuff. Thanks again  ;D



  • DNS is absolutely the way to go - Then lock down the admin privileges on the machine and put him on a guest account.



  • @kejianshi:

    DNS is absolutely the way to go - Then lock down the admin privileges on the machine and put him on a guest account.

    I think you're right. I went for the easy option with edited hosts file, but both IE and Firefox don't really like a 9Mb hostfile... they were still trying to open google after 30 minutes...

    DNS looks like the better option.



  • @tim.mcmanus:

    Use OpenDNS to do content filtering, it's free.  Block all DNS queries except to their DNS servers.  Manage contact blocking with their tools.  This won't slow down your internet connection at all.  I have this in place for my own kids.  Works great.

    After looking at hosts file edits, and DNS lookup options, I had a closer look at your suggestion. As the simplest, quickest fix, it works fine.
    Thanks for the help... using both OpenDNS and a modded host file, 90% of what I needed has been achieved.



  • Glad to see you got it worked out op. A couple of questions though.

    both IE and Firefox don't really like a 9Mb hostfile

    How the heck did you end up with a 9MB hosts file? ::headscratcher:: I just checked mine and with 15,000+ entries it's barely 500KB. Based on some simple math (15,000*2)*9, you're sporting somewhere around 250,000 lines in the hosts file. Just curious.

    DNS is absolutely the way to go.

    Domain name resolution is domain name resolution, whether it's DNS or a hosts file. I'm just curious why "absolute" was used when from my experience, anything computing/internet/technology is anything but. Again, just curious.



  • The combination of OpenDNS and dansguardian is hard to beat.

    If you want something turnkey that looks to be similar, take a look at this http://pandorashope.com/. I haven't actually tried it, but it looks to be very similar… As a matter of fact, I'd be surprised if it isn't running dans under the covers.  Only problem is that they want a yearly subscription fee.



  • OK, I just did this for my house.  With iPhones, tablets, and multiple laptops, I wanted to lock down things on the network versus working on all the platforms.

    First install squid, that will put down a proxy server. I configure it to be transparent, and have everything go through it. Once that is working properly, then set up squidguard. It has to be set up: choose a blacklist, download a blacklist, and finally set up the rules.

    Setup for proxy: https://doc.pfsense.org/index.php/Setup_Squid_as_a_Transparent_Proxy
    Setup for Squidguard: https://doc.pfsense.org/index.php/SquidGuard_package

    What really makes it hum is if you set the Target Rules List -> default to deny, the proxyguard will block everything that it doesn't know about.  So all the sites that the blacklist is unaware of will be shut down.

    There might be some pains because there will be a large amount of blocked sites that you need to open up, but the access is tight and you are loosening.



  • @netritious:

    Glad to see you got it worked out op. A couple of questions though.

    both IE and Firefox don't really like a 9Mb hostfile

    How the heck did you end up with a 9MB hosts file? ::headscratcher:: I just checked mine and with 15,000+ entries it's barely 500KB. Based on some simple math (15,000*2)*9, you're sporting somewhere around 250,000 lines in the hosts file. Just curious.

    DNS is absolutely the way to go.

    Domain name resolution is domain name resolution, whether it's DNS or a hosts file. I'm just curious why "absolute" was used when from my experience, anything computing/internet/technology is anything but. Again, just curious.

    My hosts file I made was something along the lines of 2 million entries, it took notepad 10 minutes to write just to view it... hence the reason I gave up on that idea... when you're trying to block the ENTIRE Internet via a host file... it's going to get rather big... TEE HEE... I gave up on it after adding every blacklist google could find... bloody thing was impressive, but not at all useful.

    But with the suggestions offered to my 1st post, and some lateral thinking I got 90% of what I wanted. All Chat, Social and Anime sites are blocked and 95% of game sites are blocked. All I need to fix now is the Porn... some still slips through.