Locking down home internet for kids

Pantlegz

Diamond Member
Jun 6, 2007
So my teenage sister decided to show my pre-teen daughter some internet chat rooms that she shouldn't be in. I talked to her and explained the dangers of talking to strangers on the internet, and I'm pretty sure I scared the shit out of her, but to help me sleep more soundly at night I've decided I need to keep an eye on what the kids are doing online and filter out as much as humanly possible. I was looking into a Watchguard firewall, probably a T10; it's a bit pricey for a home setup, especially if you want their UTM bundle, which I would in this case. I'm an IT consultant, so setting it up would be fairly simple, but I figured I'd see if there were better, less expensive options available. For the time being I have OpenDNS set up on the router, which I'm confident will work for a while, but I figure it's only a matter of time before they're smart enough to get around that single line of defense, and my wireless router doesn't do much as far as traffic monitoring goes, so if they do end up bypassing it the only way I would know would be the fact that their devices stop showing up on the OpenDNS dashboard. Maybe I'm being paranoid and OpenDNS is plenty for my situation, but I'm curious as to what you guys are using to lock down your home network for children?
 
Feb 25, 2011
...I figure it's only a matter of time before they're smart enough to get around that single line of defense and my wireless router doesn't do much as far as traffic monitoring goes so if they do end up bypassing it the only way I would know would be the fact that their devices stop showing up on the OpenDNS dashboard.

Start with not giving local admin privileges to anybody under the age of 18, so they can't change DNS settings or otherwise disable/circumvent stuff.
 

Pantlegz

Diamond Member
Jun 6, 2007
Sorry, I should have been more clear. I'm looking at this similarly to a BYOD environment: they've got tablets that are pretty locked down (they don't have the Play Store password, so they can't install anything) and a PS3 in the room mostly for Netflix/Blu-rays that doesn't get a whole lot of use, but my concern is friends/family that come over with devices that end up in the kids' room and on the wifi. They also have phones (without cell data)/tablets/whatever they might bring from their mom's house in a bag/backpack that I'm not aware of or able to administer as closely as I would like. I also can't prevent them from changing DNS servers on most of these devices, to the extent of my knowledge, which is where the perimeter defense was coming to mind: if the single point of exit is device X, and I'm able to restrict traffic from said device, perfect. I'm fairly sure OpenDNS will meet my needs until they get a bit more devious; 9 and 10 year olds are still pretty dependent on me for technology, but that will change sooner than later, unfortunately. I was just curious about what other parents may be doing to restrict free internet rein for their children.
 

Pantlegz

Diamond Member
Jun 6, 2007

This sort of ties in with my last post, but this appears to be an installed program, which doesn't do me a lot of good in this particular situation. The feature set also looks very similar to OpenDNS, which is great; the fact that it needs to be installed on each device, not so great.

I should also note that I do have a virtual server environment that I use to toy around with various projects; I could easily spin up a VM that would run some sort of content filter, free or otherwise, that I could set as the default gateway on the network. Again, if I can control/filter their only source of data, my needs should be met.
 

Pantlegz

Diamond Member
Jun 6, 2007
pfSense is more of a layer 3 firewall than a content filter. I've played with it in the past, and while I could probably make it work, that's far more effort and time than I really have to stay ahead of whatever may be changing on the Internet on a daily basis. I did dig through their features/FAQ and a content filter doesn't even seem to be listed, unless I missed something. The reason I was leaning towards the T10 is because it only costs ~$600 for the device and 3 years of their UTM bundle, which should handle most of my requests. I am slightly concerned that, given the number of devices connected, the T10 might not quite have the desired throughput.

Does anyone know of a solid open source layer 7 firewall? A quick Google gave me a decent list, but most of the top hits seem to be a bit dated, the top hit being 5 years old. I'll do some digging there, but if anyone has experience/suggestions on which might be a bit better I'd greatly appreciate it.
 

frowertr

Golden Member
Apr 17, 2010
OpenDNS or Squid. An appliance would also work, like SonicWall or Barracuda.

OpenDNS is probably the easiest and cheapest (free!). You can easily block all name server queries at your router EXCEPT the official OpenDNS name servers. So even if they change the DNS servers manually in the network control panel or on their devices, your router will block all other outgoing port 53 traffic.
 

frowertr

Golden Member
Apr 17, 2010
You could also set up Squid in addition to OpenDNS. You could then force all traffic through the proxy. It would take a bit more work to do that, but there are plenty of tutorials on setting up a transparent proxy out there. The basics of it are to restrict all internet access to only the proxy. The proxy then becomes the default gateway for all machines on your network, so it's impossible to bypass, as the router will drop all outgoing traffic that doesn't originate from your proxy.
 

Pantlegz

Diamond Member
Jun 6, 2007
The issue with forcing OpenDNS is I can't exclude local devices from the DNS filtering, which I would like to do. I share internet with a handful of adults whose access I don't want to limit, and for now I've set their DNS to Google. Obviously if I could exclude them from filtering, all the better. I also don't like the very limited reporting of OpenDNS: I can't tell who attempted to access which blocked sites, so it's hard to know who to talk to about it. Or if it's one person coming over and their device is always the one attempting to access the blocked sites, I could talk to them/their parents about the situation rather than just knowing that whatever site was blocked a handful of times the other day.

This discussion led me to IPFire, which looks promising; it does layer 7 traffic inspection and appears to have a good deal of content filter options. Once I spin it up I'll report back with how successful it is.
 

frowertr

Golden Member
Apr 17, 2010
Well, you could create static IP addresses for the adult devices via MAC address through the router. Permit Google DNS servers for those static addresses only, permit OpenDNS for other dynamic addresses (i.e. children's devices), deny everything else.

No idea about OpenDNS reporting though.
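The two suggestions above (block all outgoing port 53 except to OpenDNS, and let only the adults' reserved addresses use Google DNS) can be expressed as one router ruleset. The script below is an added example, not code from anyone in this thread; it assumes the router runs nftables, that the adult devices hold the DHCP-reserved addresses listed in ADULT_HOSTS (constructed sample values), and it uses the public OpenDNS and Google resolver addresses. Bypass attempts are logged with their source address, which gives the per-device visibility the OP said OpenDNS's own reporting lacks.

```shell
#!/bin/sh
# Added example (not from the thread): emit an nftables forward-chain ruleset
# that enforces the DNS egress policy discussed above.
# Assumptions: nftables on the router; adult devices have fixed addresses
# (sample values below); OpenDNS and Google public resolvers.

ADULT_HOSTS="${ADULT_HOSTS:-192.168.1.10, 192.168.1.11}"  # constructed sample reservations
OPENDNS="208.67.222.222, 208.67.220.220"
GOOGLE_DNS="8.8.8.8, 8.8.4.4"

# Print the ruleset to stdout; apply on the router with:  gen_dns_policy | nft -f -
gen_dns_policy() {
    cat <<EOF
table inet dns_policy {
    set adult_hosts { type ipv4_addr; elements = { ${ADULT_HOSTS} } }
    set opendns     { type ipv4_addr; elements = { ${OPENDNS} } }
    set google_dns  { type ipv4_addr; elements = { ${GOOGLE_DNS} } }

    chain forward {
        type filter hook forward priority 0; policy accept;

        # Adults' reserved addresses: DNS only to Google's (unfiltered) resolvers.
        ip saddr @adult_hosts ip daddr @google_dns udp dport 53 accept
        ip saddr @adult_hosts ip daddr @google_dns tcp dport 53 accept

        # Everyone else, including visiting devices: DNS only to OpenDNS (filtered).
        ip daddr @opendns udp dport 53 accept
        ip daddr @opendns tcp dport 53 accept

        # Any other resolver (plain DNS on 53, DNS-over-TLS on 853) is logged
        # with its source address, so the bypassing device shows up in the
        # router log, and then dropped.
        udp dport { 53, 853 } log prefix "DNS-BYPASS " counter drop
        tcp dport { 53, 853 } log prefix "DNS-BYPASS " counter drop
    }
}
EOF
}

# Small helper: does the generated policy contain a given rule fragment?
policy_has() { gen_dns_policy | grep -q -- "$1"; }
```

This only constrains classic DNS; a device using DNS-over-HTTPS on port 443 would not be caught, which is where the transparent proxy suggested earlier in the thread comes in.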
 

QuietDad

Senior member
Dec 18, 2005
Get a second router. Plug all the devices you need unlimited into the first one after the modem, and the second router, off the first router, gets pointed at OpenDNS and restricted.