Please, no debates about the merits of this -
I'm having trouble trying to find anything that might work.
DNS based:
==========
OpenDNS
No worries about the kids setting their own DNS servers, I'll deal with that in the firewall :)
Proxy
=====
eg Squidguard - It will not work with SSL traffic. Well, it might, but then all my browsers will throw up man-in-the-middle warnings. Seems like a non starter.

Bloody big blacklist of IPs
===========================
Assuming I can load several million into iptables without blowing up the router (see below), this could work.
Any approaches I've missed? Does not need to be perfect - just good enough to mostly keep them off rotten.com, jihadist beheading vids and hard core p*rn. And if they hack their way around it, good for them - at least they are working for it - no illusions that they will be defeated for ever.
Cheers
Tim
Equipment I have:
Nice Linux router running Debian 7 (this is a full blown nano system with lots of RAM, not embedded). It is my PPPoE endpoint, firewall, router, DNS, DHCP, NAT and Kerberos box.
So I'd like to put 2 of my VLANs onto a filtered feed whilst leaving the main VLANs unfiltered. My VLANs are like this:
1) Public IP /27 block
2) Private "Golden" 10.0.0.0/24 block
3) Media 10.0.1.0/24 block for Netflix etc - Chromecast, Roku and phones/pads will use this
4) Guest net 10.0.2.0/24

Each maps to a separate WIFI ESSID.

1+2 unfiltered
3+4 filtered all the time.

Only difference between 3 and 4 is 4 can get a new password every few weeks, without having to change Chromecast, Roku and other stuff.
Assume the kids do not ever get to access 1+2.
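
The DNS enforcement and IP blacklist ideas above, scoped to VLANs 3 and 4 only, as an added example that is not part of the original post. It uses ipset, which the post does not mention, to hold the address list behind a single iptables match; the set name `kidblock`, the 4000000 entry ceiling and the sample addresses are assumptions.

```shell
#!/bin/sh
# Added example: only prints rule text for review; nothing is applied to the firewall.
FILTERED_NETS="10.0.1.0/24 10.0.2.0/24"   # VLAN 3 (Media) and VLAN 4 (Guest) from the post
SET_NAME="kidblock"                        # hypothetical set name
SET_MAX=4000000                            # assumed ceiling for "several million" entries

# Build input for `ipset restore` from a list of IPv4 addresses on stdin.
# One hash set replaces millions of individual iptables rules.
gen_ipset() {
    echo "create $SET_NAME hash:ip family inet maxelem $SET_MAX"
    # Keep only bare dotted-quad lines; drop comments, blanks and duplicates.
    grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' | sort -u | sed "s/^/add $SET_NAME /"
}

# Print the iptables commands for the filtered VLANs. VLANs 1 and 2 are
# never named, so their traffic is left untouched.
gen_rules() {
    for net in $FILTERED_NETS; do
        for proto in udp tcp; do
            # Whatever DNS server a client configures, port 53 traffic is
            # answered by the router's own resolver.
            echo "iptables -t nat -A PREROUTING -s $net -p $proto --dport 53 -j REDIRECT --to-ports 53"
        done
        # Inserted at the top of FORWARD so it is evaluated before any ACCEPT rule.
        echo "iptables -I FORWARD -s $net -m set --match-set $SET_NAME dst -j REJECT"
    done
}

# Constructed sample blacklist (documentation address ranges, not real hosts).
printf '192.0.2.10\n# comment line\n198.51.100.7\n192.0.2.10\n' | gen_ipset
gen_rules
```

The redirect only filters anything if the router's resolver itself forwards to a filtering service such as OpenDNS, and the set has to be loaded with `ipset restore` before the FORWARD rules that reference it are added.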