Slashdot Mirror

One possibility is http://dansguardian.org/

It is filtering based and there are community maintained blacklists and whitelists for it for different audiences.

Good luck and as much involvement as you can have in their internet use to teach sensible web use will be beneficial as well.

http://dansguardian.org/

I dunno, I'm the father of an eight month old, work in computer security field professionally. When it comes to computer security, My rule-of-thumb is: It's not whether your paranoid or not, it whether you're paranoid enough. That being said, When my son is of an appropriate age to start being exposed to the inter-tubes, I'm either going to setup http://www.pfsense.org/ and/or http://dansguardian.org/ . When he gets to the age where he can start circumventing that stuff, I'm going to pat him on the head and say "Use your new-found powers for good."

DansGuardian with a proxy like squid should give you a basic websense-alike system - but even with all ports closed at the firewall except 80 and 443, bittorrent will likely still get through.

If you're truly worried about litigation, it seems like you could find a little money to deal with the issue. Take a look at Palo Alto Networks firewalls, especially the up and coming low-end model the PA-200.

It looks like they're only considering options that install into a browsing computer. That leaves some highly-rated solutions like Dan's Guardian off the list.

Whether you keep him using Windows or load up a flavor of Linux I'd put a good hosts file on there to block adware and other known sources of crapware. Beyond that, you could setup something like Dans Guardian or set the machine to use filtered DNS services, such as OpenDNS. If you are gonna keep Windows on there then there are tons of commercial filtering products out there, all the stuff I mentioned is free.

The highlights

DansGuardian http://dansguardian.org/ web filtering not something I'm bothered with for myself but anyone with kids should be concerned with what their children see.

Its built into ubuntu christian edition along with bible study software and other religious junk but obviously would work for any ubuntu edition.

http://ubuntusatanic.org/screenshots.php ubuntu satanic edition has some really nice art work not mentioned in the article but in the comments also there is sabily A muslim edition of ubuntu. Other religions are available even one designed to run Amiga software on, http://www.xamiga.net/

musix is a fully open source multimedia debian based distro
caine is for digital forensics

DVL might be interesting if you have an interest in security

>>I agree but one should still be able to review logs of places the kids (or their friends) have been. I'm their parent, not just their friend.

>So I'm assuming you're one of the power obsessed parents who uses Verizon's "family stalker" app to make sure you know when your kid is peeing and if they stopped to get ice cream or not?

No, I don't think I was a Nazi for wanting to review what sites my then eleven-year-old daughter visited on the Internet over her unfiltered connection from a computer in her bedroom.

You know what the first thing I learned by this practice? That a whole lot of people wanted to sell things to my daughter over this shiny new Internet thingy. And they were capable of doing it with unblockable pop-ups of cute animated kittens. They also wanted to infiltrate my daughter's computer with all sorts of software so they could pop up little reminders with cute animated kittens or track her browsing patterns whenever they needed to. In the end their little plans came to a halt in this household because I'm a geeky parent who uses Linux and knew how to set up a transparent web proxy. Some of these early attempts at surveillance by marketers were poorly written and caused problems with her (then XP) computer. When this happened I was able to consult the logs, see where this crap came from, and block it. Reviewing these logs really helped me understand how to begin dealing with the enormous amount of exploitative junk on the Internet that's targeted at our children.

You'll notice none of my concerns have to do with porn or predation or any of the usual subjects that come up whenever we discuss parental filtering on Slashdot. I had no qualms trusting my daughter to make the right choices for herself on the Internet because I had trusted her to do many other responsible things in her young life. I had no choice in this matter; I was a single father with a young child. That didn't mean I was going to abandon all parental responsibility for her use of the Internet. I logged her traffic for a while, reviewed the logs a few times over the first year or so, then stopped logging. She knew I was logging and knew I could block her access if I wished. She watched me review the log to help diagnose what was wrong with her computer and was happy I could use it to block some of the places that were giving her trouble.

I'm as disgusted as you are by the exploitation of fear represented by products like "family tracking" services. Unfortunately, in the current climate, fear sells. I gave my daughter a cell phone when she entered middle school to help her become more liberated not to be tracked like a lab rat. But I chose to buy her a prepaid phone from Virgin so I could control how much time she spent on the phone. Like my decision to allow unrestricted, but monitored, access to the Internet, I tried to find the right solution that maximized her freedom while not abandoning my responsibilities as her parent to help her make the right decisions.

That's called being a parent, not a storm trooper. "Trust, but verify" as Ronnie said.

As to the OP, I think you're creating a monster for yourself to manage. Parenting is hard, but you've got a lot more experience managing your kids than you have managing a complex network configuration. From what you wrote, I'd suggest the following:

1) See if you can control time-of-day access using the administrative interface of your router. That's probably the easiest method to solve that problem. My Linksys router includes this feature.

2) Take a look at Dan's Guardian as a filtering mechanism if you must have one. It'll run fine on that ten-year-old computer the kids are using now.

3) Use Firefox with AdBlock Plus and perhaps Flashblock as well.

4) Use Linux on the client computers. Yes, yes, I know, gaming, blah, blah, blah. You'll save yourselves a lot of hassle if you don't run Windows, and your kids will get acc

No need for software just use either http://www.opendns.com/

Or if you want more control, setup a PC as a gateway with:

http://dansguardian.org/

It requires some knowledge of Unix type operating systems and proxies.

It can run on Linux, FreeBSD, OpenBSD, NetBSD, Mac OS X, HP-UX, and Solaris, (officially there are probably contributed builds for other operating systems.

Then again there's always education and supervision. You can't fix human & sociological problems with technological tools, it's like trying to fix a broken sink pipe with a car jack and a rubber mallet.

Following up on my own post, yes it is DansGuardian that can be configured to block Google searches if Google SafeSearch is turned off. So maybe Microsoft's filter is taking a similar approach? The obvious thing to try is to turn off the MS filter, check your Google preferences and make sure SafeSearch is enabled, then turn the filter back on and see if the problem persists.

Good Bloody Cripes!!

Can't ANYONE here answer the single question posed?

http://dansguardian.org/

Give it a shot.

DansGuardian

Either put it on their desktop or install on a server if they use OSX/Microsoft windows.

This should have been the first post , as it's the best way to protect - well you have to run your own server gateway.

I use DansGuardian. Easy to configure and works fine (I use it conjunction with squidproxy, both running on the firewall between the DMZ and inside the house).

Occasionally I'll go in and configure it to block Flash (except for certain sites, like the kids' schools) to discourage playing flash games when they should be doing homework. If one really wanted, one could configure a cron script to modify the configs at different times of the day (I don't think dansguardian config files are smart enough to do that themselves), but I haven't bothered.

Since only the kids' computers go through DG, (that's in the firewall config) if I want to cut them off from the internet in a hurry I can just kill that, leaving the rest of the computers on the net.

I don't know about other filters -- I tried DG first and it was Good Enough -- but if they do try to hit a blocked site it will pop up a page (configurable) telling them to ask Daddy if it's something they really need access to.

DansGuardian

Either put it on their desktop or install on a server if they use OSX/Microsoft windows.

I'm glad you posted this. I was wondering the same thing. I know there is http://dansguardian.org/ but I haven't talked to anyone who uses it. I know OSX has great built in security features, but XP leaves you out there on your own to buy something.

I'd also suggest putting a computer as your gateway with Dan's Guardian on it. It's certainly not perfect, but it's the best filter I've ever seen, and allows for different filtering levels through user names. It runs on a linux box, so you can combine it with iptables to disallow a lot of other things like p2p as well. I'd highly recommend it as a good tool to make sure that your internet connection gets used on your terms whether you've got kids or not.

Setup a transparent proxy and use dansguardian. I've set this up and had it running for several months. It *easily* supports whitelited/blacklisted sites, domains (using regular expressions even), and mime types. It can also block objectionable content based on keyword groups and ratings etc. Very good indeed.

I was in Burma two years ago, and know for a fact that they use Dansguardian, a GPL licenced product. I was surfing the web at one of their internet cafes, and kept coming up with the 'site blocked' message with the Dansguardian name all over it. So, even if companies were banned from dealing with Burma, nothing can stop the junta from downloading and installing open source solutions, or even pirated copies. Killing monks doesn't bother them, why should a bit of 'stolen' software?
Interestingly, in some tourist areas, many internet cafes openly advertised that they had hotmail and other popular email sites (all banned by the govenment), which they were able to get to by using proxies. Like I said, that was 2 years ago, and I'm sure those same cafe owners aren't being so open now about the ways that they can get around government consorship.

If they do feel that they need access to the Internet and are so concerned about porn perhaps they should use a web content filter such as DansGuardian. In addition to doing that, perhaps blocking some advertising related URLs with Mike's Ad Blocking Hosts file might also be helpful. Of course using a software or hardware based firewall and up to date anti-virus software, anti-spyware software, and the latest security patches would also be good. I am not a computer professional or network administrator but those seem like reasonable precautions to me for a school network.

I work in a UK school doing IT support so I have a front line view of what happens.

At a county level we have a fitler that works on basic URL blocking. It's called 'SmartFilter' and it's definately not very 'Smart'. Pupils can easily evade this filter by using CGI:Proxy, PHPProxy, Google Translate or Google Cache for example. Basically as long as the url doesn't match something in it's blacklist, it gets through.

Therefore, at a school level I have implmented a Linux/Squid based proxy with a content filter called DansGuardian. It's a lot more intelligent about filtering and works along the same lines as antispam filters. As well as domain/url blocking it allows grey listing based on the content of the web pages being pulled through it. You assign words or phrases a numerical value and if the page hits a certain score then it's blocked. As the filter is no longer simply relying on the domains/urls this solves the proxy problem.

Yes, some stuff will always get through, I think the above solution is about as good as it gets currently.

• ...is a great abstraction layer for iptables, so writing your firewall policies and rules is more like writing them in English* than straight iptables (although you'll still want to understand iptables enough to debug problems);
• ...uses a modular config, including "macros" for commonly-used rulesets;
• ...allows you to set arbitrary variables, like $WEBSERVER or $ALL_PRIVATE_NETWORKS, which make your rules all the more natural-language-like;
• ...gives you an elegant "did I just compose a firewall that's going to lock me out of the box?" sanity check ('shorewall safe-start' or 'shorewall safe-restart');
• ...offers excellent advanced features like multi-ISP use and integration of bandwidth shaping (using 'tc') in a satisfyingly-straightforward way;
• ...and manages to put firewall admins "on rails" without sacrificing advanced capabilities (see above).

* I have no experience with its internationalization.

No, I'm not on the Shorewall devel team. ;-)

It's just a set of scripts, so it should run on any system that offers iptables and an sh-compatible shell. There are prebuilt packages ("noarch" RPMs, for instance) maintained for most major distros.

Coupled with Webmin (for which there is a Shorewall module available) and add-ons like OpenVPN, Squid, and DansGuardian, this makes for a pretty capable "edge box" that even "non-Unixy types" can manage, provided they understand the OS-independent aspects of firewall management...

(No, I'm not on any of those devel teams, either.)

SmoothWall Firewall
DansGuardian Content Filter
Domain Block of Ad-Servers.


Nope...I won't notice at all.

You don't say where the Kubuntu box is located in your network. If you have a Linux box running as a firewall, I'd suggest looking at Dan's Guardian, a content filter than runs on top of Squid. You can configure iptables to push all outbound web traffic through Squid/DG so you can't avoid the proxy by changing the browser's settings. For more fine-grained control, you could write rules push traffic from some internal IPs through the proxy but let pass unfiltered traffic from other IPs like you own.

The proper URL is dansguardian.org I do apologize.

I moved to Linux in 1994 as my primary desktop and server OS. About three years ago I decided that I wanted to produce some video content. Video editing was theoretically possible in Linux - I hooked up my camcorder to my Linux box and did some editing, but the tools were primitive and cofiguration was unusually difficult.

Eventually I looked at OS X and iLife. I decided to jump to a Mac. What a great move!

I found that Linux made it possible to do some things, but OS X made it simple to do them.

Fast forward a few years. I now have a few macs at home - their licensing policy makes it affordable to have several machines and a five user license for the OS and tools. My family loves the power and usability of the Mac.

Recently my linux server at home began acting a bit flaky. I did some analysis and determined that hardware replacement was needed. After checking prices for CPU/motherboard/RAM (and potentially hard disk) I figured out that I'd need a few hundred bucks to replace the CentOS box with a new one. After thinking about whether to drop a few hundred bucks or not on this server, it occurred to me that I might be able to move all of the services hosted on linux to OS X.

I found that samba,
  hotwayd,
  dansguardian,
  uw-imapd,
  fetchmail,
  procmail,
  spamassassin,
    rsync,
  rsnapshot,
  apache2,
  MySQL4,
  PHP,
  perl,
  java, and
  squid were all available for OS X.

Most of these are "in the box" with OS X. The only ones that I need to compile from source are uw-imapd and squid! Of course I need the bundled developer tools to get a compiler, and the Apple/BSD startup mechanism and the netinfo wierdness require some tweaks - but since when did Linux *not* require any tweaking?

What this means to me is that after more than a decade of running Linux at home (and work) I am *this* close to shutting down Linux for good at home.

Hope your experience is similar.

Regards,
Anomaly

PS - I share your recent comments about the loss of a pet. :(

When I was going through High School and Junior High we took the If you didn't need to see it or use it you couldn't approach. Internet acess was limited by http://dansguardian.org/ with a proxy at the Junior High lvl that only the teachers had the password for. This education system was parinoid about passwords too. I remeber finding a password only to have it change by the end of the month. We used limited account acess that only granted acess to the programs that were needed. All labs had similar hardware so we made one static disk image with Norton Ghost for each lab. Should a teacher ever feel a computer was some how comprimised they just inserted the CD and bingo clean working useable system again in about 15mins or so. The internet filter is going to be the best bet though. Get that clampped down block all ports but http/https for students. When there find out there games and music software don't work they will stop trying for the most part. Don't be afraid to make examples of students that are trouble makers they know the teachers they can walk over and practice there malicious hacking on. YMMV per district, but last I checked computer time is still a privliged class there is always the typerwriters for typing skills classes.

I recommend the dansguardian content filter. It's highly tunable, so as time passes you can relax the rules as you see fit.

The way my house is set up, the router blocks all internet access except for my main Linux server, which runs an http proxy through dansguardian. So the only way to use the other computers in the house is via that proxy.

It's not like my daughter is out to find nasty stuff (she's only 10); it's just that there is so much scummyness out there that one simple typo or misclick can lead to pretty unsavoury things. In short, it's a safety net.

http://dansguardian.org/

After looking at a number of options, I ended up using Dansguardian site filtering combined with Squid. The cost of software licensing or subscriptions was zero - making it MUCH easier to get approval for.

Note that DansGuardian is GPL but claims to be proprietary. From its copyright page:

DansGuardian 2 is:

• not free for commercial use
• licensed under the GPL

In other words, if you truly believe those mutually exclusive claims, you have to install it at home for your own personal use, then redistribute that copy to your office (as is your right under the GPL). Either that, or you could buy a "download license", which is right up there with SCO's "Linux License" for sheer return on investment.

Install DansGuardian into your Squid proxy (what do you mean you don't use Squid..?)

Add to /etc/dansguardian/bannedphraselist:

' MySpace.com. All Rights Reserved.' (changing the ' for angle brackets)

Dan's guardian works great for the K-12 and churches I manage networks for... http://dansguardian.org/

Well, I had several parties contact me for availability and pricing, because they WANTED to censor their users' browsing. I was so naive.

Apparently, still are. Why didn't you take your "stupid idea" and implement it? Compare your idea with "Dan's Guardian and tell me how your product is in any way, effectively different.

In various contexts, products like Dan's Guardian are required by law. You could've made it big. Instead, you made some angry posts after the fact, it seems.

Th American way starts with the realizatino of a need for a better mousetrap. If you weren't so naive, you'd have done something profitable with your knowledge!

7. Parental filtering options -- Okay, I'm not aware of anyone else that bundles this in, so this may be new.

apt-get install dansguardian.

Though, parental controls are nothing new. MSIE has supported PICS since stone age. The funny thing is, I don't know how to get Mozilla browsers to react on PICS labels, but luckily, no one asks.

I didn't see anything positive about myspace and lots of negatives. I run my own DNS server at home so simply adding an entry for myspace.com quickly fixed the problem.

She was pretty upset when myspace didn't work anymore but has only complained once or twice. Her grades have jumped back from Ds and Fs to As and Bs and her attitude is much better now.

BTW, I installed Dan's Guardian before I shut off myspace completely and it blocked probably half of the pages she tried to go to on myspace due to offensive language. I'm not talking about your standard teenager swearing, I mean pretty raunchy stuff.

Just out of curiosity, does Edubuntu have any sort of application to limit what kids can find on the Internet?

One that I found after a google search was http://dansguardian.org/?page=whatisdg

I know the Slashdot crowd is generally against censorship, but would a children's Linux distribution be appropriate to have censorship as default.

Using DansGuardian with Squid is not a difficult to set up. The default blocks are quite comprehensive, and completely customizable. There are even gateway/firewall distros like Smoothwall and IPCop that have drop-in support for DansGuardian.

Now, if more people would just learn the need for a real firewall, and how to configure the darn thing...

IPCop combined with some modest hardware should take care of business. The DansGuardian add-on, Cop+ should handle your filtering needs as well...

Are you kidding? There are several options. The one I decided on is DansGuardian. I use it for my whole home network. One of the reasons I chose it is because it comes with a rich set of family-friendly content filters. But it can be configured to block only ads if you want--it's very flexible.

Why do the remaining 20 million stay?

Because it is easy.

I used to scoff at AOL users like everyone else here on /. but I've found one thing:

AOL keeps people from calling me.

I'm sure everyone knows what it is like to become the local "support geek". I used to get teased for being a geek and now people can't stop calling me. But I have found that AOL users call me less. So I encourage AOL usage - especially for people with children.

Certainly it isn't perfect, but it does say a lot when someone gets broadband and then ditches AOL only to renew their subscription because of how easy it is. I see this a *lot*.

As a side note, AOL would be wiped out if someone came up with a broadband modem that implemented a really good content filtering. Something like Dan's Guardian in a small, user friendly box that had easy bypass controls for adults. I do realize that most off-the-shelf routers will do primitive keywork content filtering but this could be improved upon.

Maybe AOL should get into the router/firewall business? To date, nobody has made this technology easy for Joe and Jane Six Pack to use.

http://dansguardian.org/

Dansguardian - This is a particularly wacky one. If one downloads the source code, isn't he then able to use it however he wants? Or distribute it?

CMSimple

An interesting consequence of the GPL is that even though software is sold under the GPL, it may then be redistributed (in binary and source) by anyone. A discussion and demonstration of this can be found here.

I run 11 computer labs of various sizes at recreation centers in Oakland. As we have no money, however, all of the computers in our labs are refurbished Windows 98 boxes. We use Deep Freeze to protect our computers from the students; it functions in a very similar manner to DriveShield, and it has cut the maintenance time for our machines by 90%.

We also use Linux boxes running DansGuardian as content-filtering routers. I cannot emphasize enough what a great boon this is to anyone trying to administer Internet-ready computer labs for kids.

I BOUGHT a copy of RH 9 so I could run my filtering proxy server on it Dan's Guardian.

Since RH is EOLing RH9, (and their enterprise stuff is EXPENSIVE), I decided to go with Fedora Linux. Dan's Guardian installs and runs great with minimal fuss.

Good job redhat! I was a paying customer...I guess i'm not any longer. I wonder how many others they lost?

-ted

After getting our email protected with Postfix+Amavisd-new+Clamav+SpamAssassin+F-prot I asked myself: is it possible to get same quality protection for the web-surfing?

And the answer is Yes! It is possible. Now I am using Squid along with Dansguardian and Squidguard. Working together they are catching 99% of all adware/spyware malicious scriptlets. Also they remove annoying banners and give us the required level of the parent control.

Dansguardian integrates with PICS, Platform for Internet Content Selection, which was originally designed to help parents and teachers control what children access on the Internet, but it also facilitates other uses for labels, including code signing and privacy. The PICS platform is one on which other rating services and filtering software have been built.

Unfortunately Squidguard is getting out of its suppot by its original developers. It's getting more and more false-negatives (up-to 30% was complained on getntoo forums), but it's still better to have it.

Now I am bringing same protection to the company network at work and they are happy of that.

My point is to protect your network rather than individual computers. Windows based PC are unsecure per se. Besides it is a hassle to go to each PC and install different types of filtering software (especially when you have to support 3 or more different client OSes, like win98, win2k and MacOS).

I would recommend that you set clear rules with clear consequences if the rules are broken.

After that, I would recommend that all of your children access the internet via a single point. Setup a small home network if you do not already have one and then use a proxy server with a filter.

I run the internet filter at my work and we use Squid and Dansguardian. Dansguardian rules as a filter since it does true content filter. This will also help you out by logging every site with the user, ip accessed from.

Most of all, be fair, upfront, and consistent in your enforcement of the rules.

So this patent is a very bad thing.

Wake up!

That's why the smart ones don't use Net Nanny, but something better.

I also use it for all my web browsing, email, and so on. I use it commercially and as a hobby.

Guys, in these pages I've many times read about the benefits of Spam Assassin to get rid of SPAM.

I can vouch for it working, getting rid of some 99% of the SPAM I *used* to get.

How is this any different? I understand that using S/A still means I get one or two SPAMs per day, and I know that I shouldn't "delete" them, but set them aside and check periodically in case something legit got filtered.

It's give and take, guys. Rules based web filtering works rather well. I've been using Dan's Guardian (free for noncommercial use!) and after a bit o' tweaking, it's working rather well for me.

I know, I can't look up "tits" in an online thesaurus, but it's rules+scoring method, similar to Spam Assassin, does give me > 99% just fine.

-Ben

With web filtering being mandatory in most schools, a lot of them are paying HUGE amounts on licensing filtering software. Filtering software costs $thousands per year. However there is an open source alternative:

http://dansguardian.org