Hopefully this is not supposed to be child protection.
This option of blocking websites is useless. When I was a child in the early years of the internet my parents had a paid ISP DNS option to do the same → useless: I configured my PC to use a different DNS.
SafeSearch prevents you from searching for porn sites with Google, but it doesn’t prevent you from accessing them.
If you know the address (e.g., https://www.youporn.com), there’s nothing to prevent you from accessing it.
As above, one step often missed is that you must block HTTP and HTTPS in your firewall,
so they cannot bypass your proxy.
One option is to change your firewall's default outgoing behaviour to blocked.
Then the only way out is your proxy.
There should be a big note about this on the wiki... but there is not.
Right. There are always at least two things to configure:
Change the default firewall behaviour to “blocked” and work with whitelists. So you can also control the game time of your kids, because all those game launchers need specific ports to be opened to work online.
NTP, DNS, HTTP and HTTPS can all be used via IPFire, so you don’t need to open those ports. If you’re using mail clients you will need to open SMTP, IMAP etc. It will always be the same, depending on what software/services you want to use.
Do not work with a transparent proxy/without a proxy. You can configure any of your clients to use the IPFire proxy via WPAD. Even if you do so with mobile devices, if there is no WPAD because you are at another location, it won’t/can’t use a proxy because of the missing configuration file and will still be able to get online.
While using the proxy you are always safe in that your manual blacklists or supplied blacklists are applied.
You may still need to use a transparent proxy, just as I do for a guest network with a captive portal, but make sure to use a different subnet for those clients. Disallow communication from this subnet to other subnets except IPFire and block any known clients from using this subnet. Otherwise your kids may use the guest WLAN subnet by manual configuration with the transparent proxy to get everywhere.
Kids aren’t stupid and search for solutions to bypass the filters etc. You may even block all MAC addresses from using that guest subnet except the known MAC addresses used for guests, because they may use fake MAC addresses (MAC spoofing) to bypass the blocking of known clients by their MAC address.
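The WPAD approach from the post above, as an added example that is not part of the thread: a proxy auto-config (PAC) file that sends every HTTP and HTTPS request through the IPFire web proxy and deliberately has no DIRECT fallback, so a client that loaded it cannot quietly route around the filter when the proxy is unreachable. It assumes IPFire's green address is 192.168.1.1, the proxy listens on port 800 and the LAN is 192.168.1.0/24 (all assumed values); the PAC helper functions are re-implemented so the file also runs outside a browser.

```javascript
// Assumed values: IPFire green interface 192.168.1.1, proxy port 800,
// local LAN 192.168.1.0/24. Adjust to your own network.
var PROXY = "PROXY 192.168.1.1:800";

// Browsers provide these helpers inside a real PAC environment; they are
// re-implemented here so the file can be exercised under Node as well.
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
         host.substring(host.length - domain.length) === domain;
}
function ipToInt(ip) {
  var p = ip.split(".");
  return ((+p[0] << 24) | (+p[1] << 16) | (+p[2] << 8) | +p[3]) >>> 0;
}
// Literal IPv4 host in net/mask? (No dnsResolve here: names are proxied.)
function isInNet(host, net, mask) {
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return false;
  var m = ipToInt(mask);
  return (ipToInt(host) & m) === (ipToInt(net) & m);
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Local names, loopback and the LAN itself (IPFire's web UI included)
  // are reached directly; nothing else is.
  if (host === "localhost" || isPlainHostName(host)) return "DIRECT";
  if (dnsDomainIs(host, ".localdomain")) return "DIRECT";
  if (isInNet(host, "127.0.0.0", "255.0.0.0")) return "DIRECT";
  if (isInNet(host, "192.168.1.0", "255.255.255.0")) return "DIRECT";
  // Everything else goes through the IPFire proxy. No "; DIRECT" fallback:
  // that would let the browser bypass the blacklists whenever the proxy
  // is down or unreachable.
  return PROXY;
}
```

Serve the file as wpad.dat from a host that the network's DHCP option 252 or a DNS name "wpad" points to; together with the outgoing HTTP/HTTPS block on the firewall, the proxy becomes the only way out.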
I feel that if your children are smart enough to find ways to bypass your proxy,
it is time to have a grown-up conversation with your child.
You can not automate raising your children.
They do the same as I did. Must be genetically determined. They used MAC spoofing and I had to write a function connected to the captive portal that generates firewall rules to stop that.
I completely agree with the purpose of this post.
But using URLFilter isn’t just for children to use for porn sites; it protects us from many other malicious sites.
Most phones etc. use random MAC addresses when connecting to a new network.
That is problematic for filtering.
As is DNS or HTTPS.
I guess this is all a sideways push back.
To try to regain personal privacy.
If tech companies and bad actors were not taking advantage of this huge info grab,
we would still be using HTTP, and no one would use WhatsApp or Signal.
I think a good solution for filtering is to run your own recursive DNS server.
We’ll be independent of the local DNS provider and have the ability to control all queries, including adult websites. Communities create pre-made lists with such FQDNs.
We can address the issue of bypassing this DNS with rules on IPFire.
Since I am trying to find an easy solution to this problem too (there isn’t one), I want to ask an additional question: if I block all internet and have a proxy, will managing bank accounts over a client PC connected to the IPFire still work?
Since I am not considering child protection but “just” blocking this.
When I was blocking porn sites when my child was a teen, I used a paid DNS service called cleanbrowsing.org. It was about $5 per month. I used their DNS servers in IPFire and then forced IPFire to be the only DNS provider on our home network. It worked well. The main caveat is with mobile devices, where wifi can be turned off to use the cellular network. IPFire cannot account for that.
You can run a permanent VPN on your mobile phone to your firewall system and control all internet communication from that phone.
For example, you can permanently run WireGuard from your child’s smartphone to your IPFire and monitor all traffic.