Using a Mini-ITX motherboard and some spare parts lying around my study, I was able to put together an extremely powerful internet filtering appliance that is not only powerful but fast, reliable, and darn near impossible to circumvent by computer savvy teens. Most parents do not want to bother becoming the internet police of the household, but today’s internet is a very hostile place with many different opportunities for trouble.
I’m not that familiar with Squid but from what I could understand, there’s nothing here that prevents an ssh tunnel to another host on the outside and accessing the Internet via that. Even if port 22 is blocked, an SSH server anywhere within the following range seems possible:
acl Safe_ports port 1025-65535
Again, I’m not that familiar with squid, but I’d expect the kiddies will figure this out quickly and work around it this way.
Still this is a very nice article and a good read.
That creates the ACL, but it’s the http_access lines that actually implement the ACL. The Safe_ports ACL is used like so:
http_access deny !Safe_ports
http_access allow localhost
So, only localhost is allowed to connect, which means only connections redirected via iptables are allowed to connect to Squid.
However, where this setup breaks down is that FTP and Windows file sharing are allowed to ANYWHERE!! Which means, any kid smart enough to figure out SSH can connect to an SSH server running on port 21, 135-139, or 445, and have unrestricted access to the Internet via SSH tunnelling.
Why in the world would anyone allow SMB shares to the Internet?? Boggles the mind. (Actually, what boggles the mind is why anyone would run Linux as a firewall, considering the horrible syntax for iptables compared to PF or even IPFW on any of the BSDs.)
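The Squid evaluation the comments above describe (an acl line defines a set, http_access lines apply it, the first matching line wins) as an added example that is not from the article or any commenter: a small evaluator for the src/port subset of squid.conf, useful for checking what a policy actually permits before relying on it. Both configs are constructed; the loose one mirrors the Safe_ports range quoted above and the tight one restricts it to 80 and 443.

```python
import ipaddress

# Constructed configs, not from the article: LOOSE mirrors the quoted Safe_ports range, TIGHT allows only 80/443.
LOOSE_CONF = """
acl localhost src 127.0.0.1/32
acl all src 0.0.0.0/0
acl Safe_ports port 80 21 443 1025-65535
http_access deny !Safe_ports
http_access allow localhost
http_access deny all
"""
TIGHT_CONF = LOOSE_CONF.replace("port 80 21 443 1025-65535", "port 80 443")

def parse_squid(conf_text):
    """Parse the 'acl' (src/port types) and 'http_access' lines of a squid.conf."""
    acls, rules = {}, []
    for raw in conf_text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 4 and parts[0] == "acl":
            acls.setdefault(parts[1], (parts[2], []))[1].extend(parts[3:])
        elif len(parts) >= 2 and parts[0] == "http_access":
            # each term may be negated with '!'; all terms on one line are ANDed
            rules.append((parts[1], [(t.startswith("!"), t.lstrip("!")) for t in parts[2:]]))
    return acls, rules

def acl_matches(acls, name, src, port):
    kind, values = acls[name]
    if kind == "port":
        for v in values:
            lo, _, hi = v.partition("-")  # single port or lo-hi range
            if int(lo) <= port <= int(hi or lo):
                return True
        return False
    if kind == "src":
        ip = ipaddress.ip_address(src)
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    raise ValueError(f"acl type {kind!r} not modelled here")

def decide(conf_text, src, port):
    """Return 'allow' or 'deny' as Squid would for a client at src asking for port."""
    acls, rules = parse_squid(conf_text)
    for action, terms in rules:
        if all(acl_matches(acls, name, src, port) != negated for negated, name in terms):
            return action  # first matching http_access line wins
    # no line matched: Squid applies the opposite of the last line's action
    return "deny" if rules and rules[-1][0] == "allow" else "allow"

def open_ports(conf_text, src, candidates):
    """Ports from candidates that the policy lets src reach (audit helper)."""
    return [p for p in candidates if decide(conf_text, src, p) == "allow"]
```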
“darn near impossible to circumvent by computer savvy teens”
actually, more like, darn near impossible to prevent computer savvy teens from circumventing it.
the internet is for porn and the only possible way to prevent it is a host white list, which makes the internet annoyingly difficult for anyone to use.
– Jesse
I hate it when governments, ISPs, and libraries decide they want to become internet nannies for us and filter everything for us (including tons of legitimate content, false positives). But a personal appliance you can put in your home is brilliant. That GIVES people control over their internet connection instead of taking it away. Good show!
On top of all that, you can add other useful things like DNS caching, for instance.
The internet, like almost everything else (in particular alcohol consumption and driving), all comes down to who is willing to take responsibility. Sadly most people out there are willing to/prefer to pass the responsibility to another party, hence the overabundance of ridiculous protection systems as mentioned above. Sadly that usually means that something mom and dad have to take care of isn’t going to be as popular as it should be.
This is a great idea and something that should be done, but it all comes down to responsibility and until we stop saying “someone else is responsible for watching what my kids do” and start saying “I’m a responsible and caring parent and am going to do what I have to do to protect my family,” the world will continue to go in the direction of “1984” and “Big Brother.”
Edited 2009-01-18 09:01 UTC
Excellent article!
People who don’t want to filter what their kids are exposed to also believe that you shouldn’t discourage cursing, should allow kids to have sex at any age, or that kids don’t need to learn how to speak properly. They are basically anarchists, which is the opposite of society.
Society is the implementation of filters that allows people to interact in a decent manner. The Internet is rather anarchist, and teaching kids that filters are important in every aspect of life is a responsibility that is too often avoided in modern society. This accounts for the high, high rates of STDs, teenage pregnancy, drugs, gangs, runaway kids, and later in life, malicious hackers, and unethical stockbrokers, real estate brokers, and bankers.
It would be great if this project is done with your kid (if old enough). Yes, they could learn how to circumvent it, but they would learn the value of filters and limits with you — which is an invaluable lesson. They would also learn how people have the courage and tools to limit bad behavior in society. Fewer and fewer kids have parents who can teach their children that lesson in a constructive manner.
There are lots of similar filtering tools listed (such as IPCop and Smoothwall) as well as other parental controls (such as the usage monitor Timekpr), as well as system-wide usage monitors (OpenKiosk, for example) at
Kubuntu Guide (http://kubuntuguide.org)
and
Ubuntu Guide (http://ubuntuguide.org)
I think you’re oversimplifying just a little here, and you’re throwing a lot of different things into the same pot. Also, this sounds a lot like the rambling you typically get from “family-value” Americans who believe that watching people get brutally slaughtered on TV doesn’t harm your kid, while hearing the word “f–k” does. Or that not talking to their kids about sex and telling them that god wants them to marry before having sex prevents them from actually becoming pregnant. Strange thing then that Americans have this problem with teenage moms, while those “anarchist” Europeans don’t.
The rest of your post is very insightful, but please don’t just blurt out stereotypes as if they were a universally accepted truth.
Oh, and excellent article, BTW! 🙂
I might be missing something, but what’s stopping your kid from simply unplugging the network cable from the proxy and plugging it directly into the router/ADSL modem? Unless you keep all your network hardware under lock and key this could be trivially circumvented by some re-wiring.
The last sentence FTA:
Put all the hardware neatly in a secured place and prevent physical access.
Thanks, missed that one.