# [solved] porn blocker for Linux?

## Tony0945

Here's my situation: My son-in-law has taken my 15 year old grandson's computer away because he watches porn and gunks it up with viruses. Besides, he's forbidden to watch porn. He needs the computer for school and I hate to see any young person cut off from the net.  I could install Gentoo for him as a net appliance like I did for my wife, but how to block the porn? They won't let me do it unless I can install a porn blocker.

Does a Linux version of NetNanny exist? Even if it's not an ebuild, I could try my hand at making one.

What about a list of sites blocked in /etc/hosts? If I protected it with root access, he couldn't change it. Does anyone know of a public list of sites? I rather doubt if NetNanny would run under wine and besides, it's too intrusive, reading e-mails and such. I'd feel like a Peeping Tom.

Last edited by Tony0945 on Sun Nov 29, 2009 6:20 pm; edited 1 time in total

----------

## depontius

There's a web proxy called "squid".  There's an add-on for squid called "squid-guard" that might do what you want.  I'm pretty sure the former is in portage, not sure about the latter.  Anyway, this is a starting point.

----------

## NeddySeagoon

Tony0945,

Blocking sites of any type is a lost cause. They get cached by search engines, more spring up and you would find it's a full-time job keeping up.

You can add things to /etc/hosts to direct site names to localhost, so the site is not contactable by name but browsing by IP will still work.

You can add IPTABLES and a block list but maintenance is still a lot of effort and unless you block major search engines, the sites will be in the caches. IPTABLES has a more subtle blocking mechanism. Timed access. This can be set to allow network access only at certain times (I think it can do durations too) so there could be time for doing homework but not much more.

IPTABLES can also throttle the connection to the point where watching streamed video is not practical.

None of this will stop your 15 year old grandson watching porn - he will get it from his pals on DVD, USB keys or whatever.

I suppose you could remove the video player applications - no Flash or any sort of video until he behaves, then install a video player after he's got used to using the system as his parents intended.

Gentoo, or any Linux will stop the viruses though - he can still download them but they won't run.

----------

## djdunn

you may be able to find a set of IPs and plug them into IP tables to block, but unfortunately porn websites are a dime a dozen nowadays and even programs like netnanny aren't very effective anymore

there is a program you could try to use called DansGuardian,  it might be a little better at blocking sites than a strict ip table for such things, but the safer you try to get the more likely you are blocking safe sites. 

An example of over-zealous filtering was the tendency, in some filters, to filter out all sites containing the word "breast", on the assumption that this word could only be mentioned in a sexual context. This approach had the consequence of blocking sites that discuss breast cancer, women's clothing, and even chicken recipes.

Similarly, over-zealous attempts to block the word "sex" would block words such as "Essex" and "Sussex". For some reason, one filter blocked looking up the word "swallow".

Content-control software has been cited as one of the reasons Beaver College decided to change its name to Arcadia University, as content-control software had been blocking access to the college Web site. Another example was the filtering of Horniman Museum. 

also know that the USA and something President Obama is working on trying to ratify the Convention for the rights of the child which would make such content software illegal in the USA concerning sections 13 and 17 of that document.

Article 13

1. The child shall have the right to freedom of expression; this right shall include freedom to seek, receive and impart information and ideas of all kinds, regardless of frontiers, either orally, in writing or in print, in the form of art, or through any other media of the child's choice.

2. The exercise of this right may be subject to certain restrictions, but these shall only be such as are provided by law and are necessary:

(a) For respect of the rights or reputations of others; or

(b) For the protection of national security or of public order (ordre public), or of public health or morals. 

article 17

Article 17

States Parties recognize the important function performed by the mass media and shall ensure that the child has access to information and material from a diversity of national and international sources, especially those aimed at the promotion of his or her social, spiritual and moral well-being and physical and mental health.

To this end, States Parties shall:

(a) Encourage the mass media to disseminate information and material of social and cultural benefit to the child and in accordance with the spirit of article 29;

(b) Encourage international co-operation in the production, exchange and dissemination of such information and material from a diversity of cultural, national and international sources;

(c) Encourage the production and dissemination of children's books;

(d) Encourage the mass media to have particular regard to the linguistic needs of the child who belongs to a minority group or who is indigenous;

(e) Encourage the development of appropriate guidelines for the protection of the child from information and material injurious to his or her well-being, bearing in mind the provisions of articles 13 and 18.

----------

## Tony0945

Thanks for all the feedback. Every one of you had valuable posts.

Squid might be the thing for a fig leaf to satisfy my son-in-law. My daughter already knows that trying to keep a teenage boy from sex is like trying to stop Niagara Falls with a bucket.

I do know why "swallow" is blocked, but I'm a dirty old man and have been for about half a century.

I'm going to offer to set up a hard drive with Gentoo and squid-guard and hope the boy learns some discretion. At least he can get to his homework sites without viruses. Unless they are like some that accept IE only. Then I might go with wine and not let him know that it can run other programs. OTOH, it might make a good experiment to see if Windows viruses can be contained within wine.  I'll start with native Firefox and see if he has enough creativity to get around squid-guard.

----------

## timeBandit

Moved from Gentoo Chat to Networking & Security.

----------

## Hu

If the parents persist in requesting a filtering solution beyond basic Squid, you could use the time-based restrictions described above to restrict network access to occur only when an adult is around to supervise.  If the computer is in a reasonably public place, then he may not risk getting caught when the adults are around, and will not be able to explore while they are sleeping or away from home.
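The timed-access idea from NeddySeagoon's post and this one, as an added example that is not part of any post in the thread: a shell function that prints `iptables-restore` rules using the `owner` and `time` matches. The user name `kid` and the 16:00 to 20:00 weekday window are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): emit iptables-restore rules that let
# one local user reach the network only inside a daily time window.
# The user name "kid" and the hours used below are assumptions.

# timed_access_rules USER START STOP [DAYS]   (times are HH:MM)
timed_access_rules() {
    user=$1 start=$2 stop=$3 days=${4:-Mon,Tue,Wed,Thu,Fri,Sat,Sun}
    # Refuse anything that is not a plain account name or a valid HH:MM time,
    # so no stray text ends up inside a firewall rule.
    case $user in
        ''|*[!A-Za-z0-9_-]*) echo "bad user name" >&2; return 1 ;;
    esac
    for t in "$start" "$stop"; do
        case $t in
            [01][0-9]:[0-5][0-9]|2[0-3]:[0-5][0-9]) ;;
            *) echo "bad time '$t', want HH:MM" >&2; return 1 ;;
        esac
    done
    cat <<EOF
*filter
# Loopback stays open so local services keep working.
-A OUTPUT -o lo -j ACCEPT
# The owner match only works on locally generated traffic (OUTPUT chain).
# The time match compares against UTC unless --kerneltz is given.
-A OUTPUT -m owner --uid-owner $user -m time --timestart $start --timestop $stop --weekdays $days --kerneltz -j ACCEPT
# Outside the window every packet from this user is rejected, including
# packets of connections opened while access was still allowed.
-A OUTPUT -m owner --uid-owner $user -j REJECT
COMMIT
EOF
}

timed_access_rules kid 16:00 20:00 Mon,Tue,Wed,Thu,Fri
```

Loading the output with `iptables-restore --noflush` appends these rules instead of replacing the existing filter table.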

----------

## cach0rr0

I may get flamed for this, as I know opinions on the matter are mixed

but

OpenDNS is free, and allows you to block certain categories of sites. 

Assuming you configure the router to push out OpenDNS servers via DHCP, and don't give the kid permissions to change resolv.conf, this would be one layer that would prove beneficial. 

For Windows, there is http://www1.k9webprotection.com/

I don't like client-side apps any more than the next guy, and actually used to work for one of those folks' competitors so have a natural negative bias, BUT...it works as advertised, and is free. 

Both of those coupled with something like DansGuardian should at least knock off the bulk of what he has access to. 

Now all of those are purely URL category based solutions - if you look at the commercial content security industry, they've wavered back and forth between saying URL categorization lists are the end all solution, and saying they're useless, finally coming to a happy medium and realizing they should be used simply as something to take the load off of applications that do lexical analysis of page content. Scanning page content is an expensive task from a resource perspective, but is by far the most difficult for even the most savvy fella to circumvent. 

I've not tried scanning page content within Squid, so don't know if you can - but if you can, keeping a list of "naughty" words and blocking sites if the page contains the naughty word would do a tremendous amount - especially if you do a "block site and add url to banned list" sort of action. Of course, this does require ongoing maintenance as the list would eventually become quite large, and as with any solution false positives are bound to occur - but when false positives DO occur, better to have the kid come ask you what's going on. 

Having said all of that, you can only secure what you have control of - the kid will just go to his buddies' houses and download porn, or find some other way to bring it in. For thumb drives, remove USB Mass Storage support from the kernel. For CDs, don't add the kid to the 'cdrom' group.

Sorry, my thoughts are jumbled as I'm posting this from the crapper, but hopefully this is of some use. Post back if you have any questions.

----------

## maguire

I second the OpenDNS suggestion.  It is instantaneous to set up, and it requires some computer knowledge to get around.  Considering that a huge percentage of the kid population has never heard of an "IP address", it may be all you need.  It works in my house!

----------

## d2_racing

Nice trick  :Razz: 

----------

## kernelOfTruth

 *maguire wrote:*   

> I second the OpenDNS suggestion.  It is instantaneous to set up, and it requires some computer knowledge to get around.  Considering that a huge percentage of the kid population has never heard of an "IP address", it may be all you need.  It works in my house!

 

++

works great,

in case you need to unblock sites this can be done by "always allowing" it

you can also block anonymizers and other stuff ...

----------

## Dammital

I didn't try to block stuff when my kids were growing up, knowing that it was a futile cat-and-mouse game that I would lose.  Instead I made it clear that I could monitor everything they did.  I controlled the household network firewall, and after I showed them that their browsing was auditable my work was done.  Never had a lick o' trouble.

Have your son-in-law install that squid proxy, and keep logs.  That changes his insolvable technical problem to his son's problem.
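The "keep logs" approach above, as an added example that is not part of the original post: a small summariser for Squid's default native `access.log` format that lists, per client address, the hosts requested, the request and byte counts, and how many requests the proxy denied. The log lines, addresses and host names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): per-client summary of a Squid
# access.log in the default "native" format:
#   time elapsed client result/status bytes method URL user peer type

# Constructed sample log lines; addresses and host names are made up.
sample_log() {
    cat <<'EOF'
1259518800.101    245 192.168.1.23 TCP_MISS/200 5120 GET http://school.example.org/homework/math.html - DIRECT/203.0.113.10 text/html
1259518801.350     12 192.168.1.23 TCP_HIT/200 2048 GET http://school.example.org/img/logo.png - NONE/- image/png
1259518900.004  60310 192.168.1.23 TCP_MISS/200 90210 CONNECT video.example.net:443 - DIRECT/203.0.113.20 -
1259518950.777      3 192.168.1.23 TCP_DENIED/403 1300 GET http://blocked.example.com/ - NONE/- text/html
1259519000.500    180 192.168.1.40 TCP_MISS/200 7000 GET http://news.example.org:8080/index.html?x=1 - DIRECT/203.0.113.30 text/html
EOF
}

# Reads access.log on stdin; prints "client host requests bytes denied",
# busiest hosts first within each client.
squid_summary() {
    awk '
    NF >= 7 {
        host = $7
        sub(/^[A-Za-z][A-Za-z0-9+.-]*:\/\//, "", host)  # strip scheme
        sub(/[\/?#].*$/, "", host)                       # strip path and query
        sub(/^.*@/, "", host)                            # strip userinfo
        sub(/:[0-9]+$/, "", host)                        # strip port (CONNECT host:443)
        key = $3 " " tolower(host)
        reqs[key]++
        bytes[key] += $5
        if ($4 ~ /^TCP_DENIED/) denied[key]++
    }
    END {
        for (k in reqs) print k, reqs[k], bytes[k], denied[k] + 0
    }' | sort -k1,1 -k3,3nr -k2,2
}

sample_log | squid_summary
```

HTTPS requests appear only as `CONNECT host:port` lines, so for those the log records the host name but not the pages fetched.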

----------

## boerKrelis

Installing Gentoo on your grandson's laptop is a great idea anyway. Watching stuff compile will make him completely forget about the porn ;-)

Joking aside, you could run Squid on the firewall, transparently intercepting HTTP traffic. Then, occasionally run 'net-analyzer/sarg' to see if there's been any excessive porn browsing.

The OpenDNS idea is not such a bad one either. Actually, that's much better for your grandson's privacy than running sarg. Sarg is very much 'peeping-tom'. OpenDNS will be enough to keep your son-in-law happy, too.

Your grandson will find a way to watch porn anyways. Since you state that your main concern is that he will not be cut off from the net, and since the porn ban seems to be an idea of your grandson's, this might make everyone happy. You because your grandson can still browse the net, your grandson because he can still browse the net (and watch porn from a usb stick), your son-in-law because he thinks there will be no more porn browsing.

----------

## xtz

Why is everyone so convinced that he can still watch the porn from a usb stick or cd/dvd? You can always also disable these devices altogether, or allow only root to mount them. Also, the idea about the video player is not such a bad one, if he actually needs the notebook only for school. Well, it might not last long, as HTML5 supports embedded video and if sites like porntube decide to take this approach and implement it - a player will not be needed (but I guess codecs will be, though, so a solution will be not to install any codecs at all). However, I'm not really sure if you (as a regular user) download the codecs and compile the source of an open source browser with support for them, will allow them to watch HTML5 video. But I don't think your grandson will be that much into things, unless he is a real porn addict. And even if you block the video - there are still porn pics, as you well know, so I think the best solution is to just talk to the kid  :Smile:

----------

## fangorn

If he gets around OpenDNS, a filtering proxy and a root-only mounting policy, at least the world has gained another security geek.  :Wink: 

In my recollection there is nothing more motivating than puberty  :Twisted Evil: 

Maybe it would help talking to him to not make his favorite pictures the Desktop Backdrop  :Laughing:  Also an advisory on TrueCrypt and containers could help.

----------

## boerKrelis

 *xtz wrote:*   

> Why is everyone so convinced that he can still watch the porn from a usb stick or cd/dvd? You can always also disable these devices altogether, or allow only root to mount them.

 

He needs the laptop for school. He will most probably need those devices.

The point everyone is trying to make is that not all porn is transported over plain HTTP, there are so many other means (especially if some friends of his cooperate), removable media being one of them.

 *xtz wrote:*   

> I'm not really sure if you (as a regular user) download the codecs and compile the source of an open source browser with support for them, will allow them to watch HTML5 video.

 

If he has access to a compiler and his homedir is mounted without noexec all bets are off. I can compile Firefox and install it in my homedir without being root. There, I now have HTML5 video. But I don't even need HTML video, I can just install the flash plugin into my homedir.

Solution to this particular problem: mount all user-writable filesystems with noexec. Going further, you'll also need to disable access to a Java runtime environment, as well as interpreters for languages such as Python. Otherwise he could just download some Java video player (java classes don't need unix execute rights to be loaded onto the VM) or code up something with the python bindings for gstreamer. But so much other stuff he'll need to run will depend on Python.

I'm trying to illustrate that this is a dead end. And local restrictions aren't going to do much good anyway if you don't control the network as well.
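A check for the `noexec` advice above, as an added example that is not part of the original post: it reads a mount table in `/proc/mounts` format, finds the mount that actually covers each user-writable path (longest matching mount point), and reports whether that mount carries `noexec`. The sample mount table and the paths `/home/kid`, `/tmp`, `/var/tmp` and `/dev/shm` are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): report which user-writable paths
# sit on a filesystem mounted without noexec.

# Constructed sample in /proc/mounts format: dev mountpoint type options ...
sample_mounts() {
    cat <<'EOF'
/dev/sda3 / ext4 rw,noatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
/dev/sda4 /home ext4 rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
EOF
}

# noexec_audit PATH...   (mount table on stdin; paths must not contain spaces)
# Prints one line per path: "OK|EXEC path on mountpoint (options)".
noexec_audit() {
    awk -v paths="$*" '
    { mp[NR] = $2; op[NR] = $4 }
    END {
        n = split(paths, want, " ")
        for (i = 1; i <= n; i++) {
            p = want[i]; best = 0; len = -1
            # Longest mount point that contains p; a later entry at the
            # same mount point shadows an earlier one.
            for (j = 1; j <= NR; j++) {
                m = mp[j]
                covers = (p == m || m == "/" || index(p, m "/") == 1)
                if (covers && length(m) >= len) { best = j; len = length(m) }
            }
            if (!best) { print "UNKNOWN", p; continue }
            status = "EXEC"
            k = split(op[best], o, ",")
            for (x = 1; x <= k; x++) if (o[x] == "noexec") status = "OK"
            print status, p, "on", mp[best], "(" op[best] ")"
        }
    }'
}

sample_mounts | noexec_audit /home/kid /tmp /var/tmp /dev/shm
```

On a live system the same function is fed the real table, for example `noexec_audit /home/kid /tmp /var/tmp /dev/shm < /proc/mounts`. In the sample, `/var/tmp` and `/dev/shm` are reported as `EXEC` even though `/home` and `/tmp` are covered.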

----------

## Gentree

 *Dammital wrote:*   

> I didn't try to block stuff when my kids were growing up, knowing that it was a futile cat-and-mouse game that I would lose.  Instead I made it clear that I could monitor everything they did.  I controlled the household network firewall, and after I showed them that their browsing was auditable my work was done.  Never had a lick o' trouble.
> 
> Have your son-in-law install that squid proxy, and keep logs.  That changes his insolvable technical problem to his son's problem.

 

By far the most intelligent approach AFAICS. Although it assumes that said S-I-L has some parental authority.

How does he stop the son stealing from him? Hide his money or explain that theft is not acceptable?

Resorting to technical tricks is to admit defeat on the basic issue. Who runs the home.

/m2c/

----------

## mikegpitt

Even though this thread is marked as solved I wanted to re-iterate others' suggestions for dansguardian.  It is likely your best option here, although would be great combined with other solutions like opendns mentioned above.

----------

## cach0rr0

 *boerKrelis wrote:*   

> If he has access to a compiler and his homedir is mounted without noexec all bets are off. I can compile Firefox and install it in my homedir without being root. There, I now have HTML5 video. But I don't even need HTML video, I can just install the flash plugin into my homedir.
> 
> Solution to this particular problem: mount all user-writable filesystems with noexec. Going further, you'll also need to disable access to a Java runtime environment, as well as interpreters for languages such as Python. Otherwise he could just download some Java video player (java classes don't need unix execute rights to be loaded onto the VM) or code up something with the python bindings for gstreamer. But so much other stuff he'll need to run will depend on Python.
> ...

 

Think about the likelihood of what you are saying. 

If the kid knows linux, or can code, then sure all bets are off. 

And yes some of us grew up fiddling with GWBASIC on your parents' 286 machines, but 99% of the population did not. 

If the kid is clever enough to write python bindings for gstreamer, it's a fairly safe bet he knows he can just boot from a thumb drive, chroot, and change the root password, which renders the need to do all of that null and void. 

And a kid who is capable of crafting python bindings for gstreamer, now having root on the box, will be clever enough to set up an SSH tunnel to one of his buddies' machines that runs a proxy, allowing him to circumvent filtering completely network or otherwise. 

Due diligence. Secure the endpoint best you can, secure the network best you can, but if the kid is both a talented coder AND a porn addict, there is no way to really control what he does aside from talking to the boy.

----------

## Aquiles

I would suggest to add this very thread to the list of blocked sites, because should the kid read the posts here, he will know what he is facing and get a lot of hints on how to find workarounds...

----------

## cach0rr0

 *Aquiles wrote:*   

> I would suggest to add this very thread to the list of blocked sites, because should the kid read the posts here, he will know what he is facing and get a lot of hints on how to find workarounds...

 

No need, most URL categorization services already list FGO as "Ricer Porn"  :Razz: 

----------

