Sunday, October 30, 2011

Managing Internet Content Access at Home

Like many of us, our children are accessing the Internet at home every day for many reasons including school homework, socializing, personal research, music shopping, etc. I like to encourage this too since the Internet medium will only provide more functionality and information as time progresses. The only concern I have is how does one prevent access to adult oriented material and yet provide access to all other "age appropriate" data.

There are parental controls built into some of the commercial anti-virus software such as Norton and others. However, this normally requires one to lock down the computer(s) so your children do not have administrative access. For young children, locking them out of administrative access is probably completely appropriate, but as they reach pre-teen years, I personally like my children to administer their own computers(s). I think this is good learning exercise for them and only enhances their computer skills. Besides, this gives me one less computer to manage!

How to filter
So what is one to do to filter out content that we deem in-appropriate for our children? Well, this takes some technical networking knowledge to implement. What I am about to describe is for the parents that are comfortable in unix, networking, and basic firewall configuration. Let's start with a physical overview of my setup here. As you can the Freebsd box is running as my router, obtaining a public IP via my Uvsere Gateway, acts as a firewall, and performs NAT for clients on the private "Home" LAN. What the diagram does not show is how it performs Internet Content Filtering and the diagram for that is here.

One of easiest ways to filter Internet sites is use OpenDNS. The utterly fantastic DNS service that is free for home use and is just awesome. You can configure site access based on categories and this in itself will take care of much of the Internet Content Filtering for you, but not all. You could say I use OpenDNS as my pre-filter and then Dansguardian for the rest.  This allows me a very granular level of control.  In order to use OpenDNS you have to point your clients to use the OpenDNS DNS servers versus your IP Service Provider's DNS Servers. There are other steps involved so please read up on the service and their website. In my configuration at home, I use a caching name server and point it to the OpenDNS Servers as forwarders.  I can't say enough about OpenDNS - use it!

The Firewall - IPFilter
The firewall I use is called IPFilter sometimes called ipf and comes with Freebsd. I have used it for years, find the syntax to be very easy to understand, and the documentation is located in the Freebsd Handbook here.  TheNetwork Address Translation box on the former diagram is actually part of IPFilter and I separated it out in the diagram because it is configured separate from the firewall.

The former diagram illustrates Dansguardian making the decision if the Internet traffic outgoing request should be permitted or not. It does that in two ways:

  1. Content filtering - looking for words and phrases that you have configured to be permitted or not.
  2. Blacklist filtering - list of sites organized in categories that you can block or permit. For example, I have all gambling sites blocked. However, it's very easy to configure a site to be permitted despite being in one of the blocked categories. For example, if I blocked all news sites, I could configure it to permit through if so desired. Note that with blacklist filtering you have to update your list of categories/sites regularly to stay current and the Dansguardian site provides links to providers of blacklists.
Apache Traffic Server
Apache Traffic Server is an optional component. In my configuration it is acting as a forward proxy caching sites to speed up access. Many sites in our household are regularly accessed and by caching the sites, I speed up Internet access. I used to use Squid, but I found Apache Traffic Server to be much faster.

I have shown you one configuration you can use for content filtering for your home. As I mentioned earlier, I would only pursue this type of set up if you are comfortable in unix, networking, and firewalls. I have been involved in networking, firewalls, and other Information Technology areas for some 20 years now so the work involved is straight forward for me. If you have questions or feedback, feel free to post a comment or contact me at:  john at mysnmp dot org  I would appreciate any/all feedback.

No comments:

Post a Comment