Parental control / content filtering / not dns-based

Hello,

I'm a new OpenWrt user with a Netgear R7800 and the latest stable release (OpenWrt 18.06.4 r7808-ef686b7292). I want to implement parental control so that my kids are shielded from adult content.
I have followed the parental control page linked at https://openwrt.org/docs/guide-user/start.
It properly emphasizes about DNS-based blocks (bold added by me)

These can be foiled quite easily by using another internet site to lookup the IP address for the site and bypassing DNS altogether. The adblock package seems to do this. The most reliable mechanism to block access to a public site is fw3 rule to block a site.

While I like to have a DNS based solution like OpenDNS as an extra layer, I also want something that can't be bypassed in 10 seconds by browsing a dnslookup site and entering an ip adress in the browser. And I don't see how, in practice, I could get somewhat comprehensive blocklists by creating manually f3 rules, as suggested in the "Parental Control" page of the user manual.

How can I easily setup "real" content filtering for adult sites? (The banner in the forum constantly nags me with the "easily-configured" feature of OpenWrt)

Adblock seems popular but Adblock is also dns based. And it seems to target ads and all sort of annoyances, but not adult content.

Squid/Squidguard seems interesting but Squidguard is real old and Squid pretty complex (Squid doesn't appear in the System/Software list of Luci. The length of https://openwrt.org/docs/guide-user/services/proxy/proxy.squid is impressive. Squid requires special maintenance when sysupgrading https://openwrt.org/docs/guide-user/services/proxy/proxy.squid#maintenance. And I'm not even sure this covers Squidguard, or downloading the required lists like http://www.shallalist.de/ ) DansGuardian also seems interesting but really dated.

Thank you for your time

If you're not set on OpenWrt, Gargoyle has a web filtering kernel module that can block keywords in the url (domain only, not path)

Thank you for the tip.
As far as I understand, this relies on the user identifying each and every keyword. I 'm afraid I have zero interest in entering or maintaining a keyword list. I can't really see the benefit versus OpenDNS either as I expect that the Gargoyle feature will also be irrelevant if the IP adress of the adult site is entered in the browser.
BTW, for information, AsusWRT and MerlinWRT simply required me to click adult, or streaming etc, among a few categories, and I was good to go, blocking both domain names and IP adresses.
BTW: Is the R7800 supported by Gargoyle ? The download page makes me think it's not.

Yes that is correct.
I suppose you would also need a list of adult IP addresses so you can create an ipset filter.

R7800 is supported in the latest betas

Protecting young children from accidentally stumbling across "OMG what are they doing?!?!?" is a more tractable problem than determined exploration. Once a child masters rooting their tablet, DNS lookup and DOH, can a free ProtonVPN account be far behind?

You can easily modify adblock for parental control, by using other blocklists. However, your detailed,valid critics will still apply. Quite often it is easy, to reach 90% perfection. The final 10% are the real culprit.
However, depending upon the level of perfection, you want to achieve, other tools need to be applied as well. You correctly mentioned squid; somebody else mentioned ipset.
Assembling these tools for your purpose is a lot of work, more suitable for a commercial project. I did various clones of openDNS, for commercial hotspot systems, to filter adult content, because openDNS otherwise requires payed-for licenses. In case, you are interested in coop for a commercial project, to implement parental control, pls send me a PM.

1 Like

What about banip?
It's based on ipset which ultimately is the Linux netfilter which ultimately is the firewall...
It won't block DNS (sites will be resolved) but it will block an arbitrary set (or ranges) of IPs.
A LuCI app is available from the creator of Adblock working almost the same but with a different backend.

Let sum up your wishes:

and

and

That is the problem, content filtering isn't a simple task. There isn't the simple and perfect solution. You also should remember, that OpenWrt is a operating system for routers and content filtering should be done by a real proxy server (Squid on a x86-system)

Thank you reinerotto and eginnc for your input.
It all needs to be put into perspective and accepting imperfection indeed.
If kids just need an IP address that they can exchange at school, my personal assessment is that the level of protection is closer to 25% or 50% than 90% :grimacing:. It is nothing as sophisticated as tablet rooting, or setting up a vpn account etc.
Regards

Thank you for clarifying that

content filtering should be done by a real proxy server (Squid on a x86-system)

It saved me the hassle of trying to have it on my Netgear R7800.

The imperfect solution that is closer to my expectations is Asuswrt or Merlin. It can't be circumvented by using the IP address, and it automatically manages blacklists.

Interesting. So
https://ip.of.porno.com
is blocked ? Whats displayed in Chrome, when trying this ?

Hello,
About banip, at https://forum.openwrt.org/t/banip-support-thread/16985/68, its creator wrote

The main purpose of the latter one is blocking of incoming ip addresses or subnets.

As far as I can remember, the "banIP lists" are not focused on parental control / adult sites.

Whats displayed in Chrome, when trying this ?

That's a, well, interesting question. Note that I didn't test with Chrome. I'm using either Firefox, either Brave (with the Chrome engine).
Connected through the Asus router with AsusWrt, with AiProtection and adult filter ON, I get to see either a page with the Asus "look and feel" and referencing Trend Micro that tells me it's blocked (good), either an error code (Error code: SSL_ERROR_RX_RECORD_TOO_LONG). The error code is probably related to the fact that firefox starts asking to define an exception due to HTTPS and, probably, something funky due to the fact that the page ends up being blocked by Asus.

Connected with the R7800 with OpenWrt, I get to see an OpenDns page if I reference the name you mentioned (good). If I use the IP for that name (66.254 etc), I get too see a lot of "stuff" which is not useful to describe... The kind I want to block. (Full disclosure: when I tested with the IP after testing with the name in Firefox, I also got the OpenDns page (probably due to some caching). When I tested with the IP adress in Brave, I got the full content, no blocking.)

What if you use adblock, forward DNS to the internal resolver and use banIP to block any DoT/DoH and hijack any DoT using ISC bind?
Anyway if you block adult web sites by IP it would be so easy to use Tor/VPN/Tunnels to bypass the firewall. banIP allows blocking Tor nodes, and you can block port 22. It won't stop smart peope by the way.

If your plan is to avoid that traffic from outgoing the network, adblock+banip should be enoug. People using Tor/VPN/Tunnels will generate the traffic from it's exit node, not from yours. If you want to block people inside your network using the sites even if they don't belong to your network: harder. Deep inspection can hijack any of these but people can just turn on it's cellular data. That would be an useless efort if that's your point.

Most secure solution? A whiltelist: blacklist all traffic except from known IPs. Most easy solution? Buy a Cisco firewall with deep package inspection (and build a Faraday's cage so poeple can't watch porn using the mobile data).

I am developing a project for this, ping me if you're interested

1 Like

I strongly suspect, Trend Micro (silently) installed a special cert on your client device. Because any intercept of https without special cert on the client will produce strange displays within browser (SSL_ERROR....), or a security warning (firefox), at least, depending upon type of browser. By using Trend on your client, your client browser/PC might already interfere itself regarding blocking. This is something, the openwrt-device can not do.

Connected with the R7800 with OpenWrt, I get to see an OpenDns page if I reference the name you mentioned (good).<
Strange, that you get a good web-page here, too. Either openDNS uses some type of special root cert, or Trend was at work, again. Because my comments from above apply here, too. Again, https is the issue, designed to prevent such MITM interference, unless a valid cert is used.
This is a good reading:
https://support.opendns.com/hc/en-us/articles/227988767

if you know a good IP-based blocklist, it shouldn't be a problem to add it to banIP

My testing and my report were not professional or scientific. I didn't have a test scenario either, I didn't make efforts to flush caches (I don't really know what layer caches what, and how to get rid of them), reset Firefox etc.
I see no sign of Trend Micro silently installing anything on any client device. Certainly not on my Ubuntu 18.04, or my Android 9. If you read my report right after the part you quoted, I did mention

either an error code (Error code: SSL_ERROR_RX_RECORD_TOO_LONG)

The page that reports the "block" comes from my router. When administering the router with Luci in https, Firefox also complains and allows me to create a security exception. I guess that security exception allowed the Asus router with Asuswrt to show me the explanation for the blocked page, in the context of accessing the adult site.

This is indeed the core of the topic. Having a good list and having an automated mechanism to update it regularly. In one way or another, the AiPotection of Asuswrt implements this, through a few clicks in the admin interface.

Rather simple, in principle: Do a batch reverse DNS of shallalist etc.
However, there is one serious culprit: This might result in quite a lot of false positives (blockages), as many sites are co-hosted (shared hosting) under the same IP.
Which means, innocent.com will be blocked, too, in case it is co-hosted under same IP as porno.com .
Last not least, usage of CDNs also prohibits IP-based blocklists as universal, best tool.
All these complications are a result of goggles fear of ad-blockers, which have to use same tricks.

1 Like