Secure Family-Friendly Web Access

A Guide to Hardware-Based Internet Control Systems

We worry about the powerful influences technology will present to our children, but we also realize that the Internet is such a large part of modern society that it can't realistically be avoided. Every family has got to search for a balance, but the absence of a perfect solution is no excuse for just letting events carry us along.

The system that this document describes is an answer to some of the larger weaknesses inherent in the more mainstream filter-based and operating system-based approaches. I want my family to have safe Internet access and I believe that this approach gets us close enough to be comfortable.

My method is admittedly not for the technologically faint of heart. There's quite a steep learning curve needed to get it done right and implementation is not likely to be problem-free (but think of all the fun you'll have in the process). Hopefully this guide will smooth the path as much as possible - or at least inspire creative alternatives.

Besides the computers and networking equipment that you're already using in your home, what hardware does the firewall itself require? Only a single PC (the older the better - even something as slow as a 386 processor with 32 MB of RAM and a 300 MB hard disk will do) with either two or three network adapters installed (two for the green and red networks, three if you add a blue wireless network), a keyboard, and temporary access to any old monitor for the setup process (once you're up and running, you won't need a monitor at all). Total cost? Between $20 and $75.

Here, in summary, is how it works:
    You load a small, free operating system called Ipcop onto the PC. Ipcop will convert this PC into a firewall that stands between your Internet source (the modem given to you by your Internet provider) and all the other computing devices in your home. By appropriately configuring the software included with Ipcop, you can directly control which parts of the Internet will be available to each individual family member. Once the system is up and running, anyone who tries to access a web site from any device in the house will be asked to enter a user name and password. Only once they successfully log in will they be allowed further - and even then, only to those web sites that you have explicitly permitted (assuming you've chosen to use the "whitelist" configuration - more about that later).
    Note: this how-to was written for Ipcop ver. 1.4 along with the Advanced Proxy and URL filter add-ons. Ipcop has since moved to ver. 2.0 and incorporated Advanced Proxy into the main package, but the old URL filter will not work with it and, thus far at least, hasn't been added to the new Ipcop.
    Ipcop 1.4 and the old Advanced Proxy and URL filter stand-alone add-ons are all still available for download from their respective websites.
Now here are more detailed instructions:

You will first need to download Ipcop - be sure to visit the "Documentation" section for their "quick start guide" and "installation manual", and remember that there is a very helpful online user forum available here. Follow the instructions to create a CD, boot your firewall PC with the CD in the drive and install/configure Ipcop. Once the installation finishes and the machine reboots, you will be faced with a plain console login prompt; log in as root and you get a command line with nothing but a flashing cursor. For now, the only command you will likely need there is "setup" - which takes you back to the basic hardware and network configuration module (it is also where you can check which eth interface was assigned to each of green, red and blue, which you will need for the firewall rules later).

Besides that, you should be able to do everything else from the web browser of your regular computer. To do that, check that your computer is connected to Ipcop's green network. Your browser's proxy settings will need to be set to

Manual Proxy Configuration

with the HTTP proxy set to

192.168.1.1

and the port to

800

(this assumes 192.168.1.1 is the address you gave the green interface during setup; 800 is the port Ipcop's proxy listens on). Set the HTTPS (SSL) proxy to the same address and port, or tick the browser's option to use the same proxy for all protocols; otherwise, once the firewall rules below are in place, secure sites will simply fail to load. Specify "no proxy for"

localhost, 127.0.0.1, 192.168.1.1

so that the Ipcop administration pages are always fetched directly rather than through the proxy. Note that the proxy itself is not running until you enable it in the Advanced Proxy step later on, so until then you can leave the browser on "no proxy" for reaching the Ipcop pages.


Then type ipcop:81 or https://192.168.1.1:445 into the URL (address) bar. The Ipcop configuration interface should appear. The first thing you will want to do is set up your Internet connection - usually via the "Network" and "Dialup" menu options. See the Administration manual for more details.

Assuming everything's gone well until now, you will have a working firewall and browser access to its "dashboard". But there are still three more steps before you will control who accesses what.

IPTABLES
First, you will need to create or edit a file of iptables rules. In our case, the rules drop any web traffic (the usual HTTP and HTTPS ports plus the common alternative proxy ports) that tries to leave the green or blue network for the Internet directly. Since the proxy on port 800 is then the only way out, every device in your home is forced to route its web browsing through the Ipcop filter, and because the proxy is not transparent, the user has to log in. Without these rules, anyone could simply remove the proxy setting from a browser and bypass the filter entirely. Bear in mind that the rules only cover the listed ports: a site served on some other port, or a non-web program, is not stopped by them. Using a text editor on your own computer (and NOT a word processor - which would add formatting data that you definitely don't want), paste precisely the following text into a file you will call rc.firewall.local



#!/bin/sh
# Used for private firewall rules. Ipcop runs this script with "start"
# at boot and whenever it restarts the network.
#
# These rules drop web traffic that tries to leave for the Internet
# directly, so the only route to the web is the proxy on port 800.
# Interface names match the setup this guide assumes:
#   eth0 = green (wired LAN), eth2 = blue (wireless), ppp0 = red
#   (the Internet side, for a PPPoE or dialup connection).
# Check yours in "setup" on the Ipcop console and adjust: an Ethernet
# red interface has an eth name, not ppp0.

# See how we were called.

case "$1" in
start)
## add your 'start' rules here
# See advproxy manual 8.3.1
# this line is for the green interface:
/sbin/iptables -A CUSTOMFORWARD -i eth0 -o ppp0 -p tcp -m mport --dports 80,81,443,3128,6588,8000,8080,8181 -j DROP
# this line is for the blue interface:
/sbin/iptables -A CUSTOMFORWARD -i eth2 -o ppp0 -p tcp -m mport --dports 80,81,443,3128,6588,8000,8080,8181 -j DROP
;;
stop)
## add your 'stop' rules here (same rules, -D deletes them)
# this line is for the green interface:
/sbin/iptables -D CUSTOMFORWARD -i eth0 -o ppp0 -p tcp -m mport --dports 80,81,443,3128,6588,8000,8080,8181 -j DROP
# this line is for the blue interface:
/sbin/iptables -D CUSTOMFORWARD -i eth2 -o ppp0 -p tcp -m mport --dports 80,81,443,3128,6588,8000,8080,8181 -j DROP
;;
reload)
$0 stop
$0 start
## add your 'reload' rules here
;;
*)
echo "Usage: $0 {start|stop|reload}"
;;
esac



On your own computer, open a command-line interface (on Linux it's called "Terminal"; older Windows systems called it the "DOS Prompt", and modern versions of Windows have a "Command Prompt" under Start Menu -> All Programs -> Accessories). You will use it to open a shell connection to the Ipcop PC, so that you can control Ipcop remotely from your own computer. Two things have to be true first: SSH access must be switched on in the Ipcop web interface (it is off by default; look under the "System" menu for "SSH Access" - Ipcop listens on port 222, not the usual 22), and your computer needs the scp and ssh commands, which Linux has built in and which on Windows you can get from a free SSH client such as PuTTY (its copy program is called pscp).

Now, in your command-line interface, navigate to the directory that contains your new rc.firewall.local file and type the following line (this will copy your newly-created file from your computer to the appropriate directory on Ipcop):

scp -P 222 rc.firewall.local root@192.168.1.1:/etc/rc.d/rc.firewall.local

[enter your Ipcop "root" password when prompted]

Two things to check before moving on. The file must be executable and must have Unix line endings: a file saved by a Windows editor with CRLF endings will fail on its very first line. Ipcop runs rc.firewall.local with the "start" argument at boot and whenever it restarts the network, so the rules take effect on the next reboot; you can also apply them by hand from an SSH session (see below) by running the script with "start", and confirm they are in place by listing the CUSTOMFORWARD chain with iptables. If the chain shows no DROP rules, the proxy can still be bypassed.

INSTALL SERVICES
Next, you will need some more software. URL filter allows you to precisely define which web sites individuals in your home can or cannot visit. Advanced Proxy allows you to create user accounts for each member of your family and to define how much Internet access each one will have. You can get URL filter here and Advanced Proxy here (I believe that they were both created by the same person - making a donation to express your appreciation for his work isn't a bad idea). Don't forget to read the documentation on those sites.

Here's how you install these two services:

Go back into your command-line interface. Navigate to the directory that contains your downloaded URL filter and Advanced Proxy files (they are compressed as tar.gz). To copy the files over to Ipcop, type something like the following (make sure that you replace the package name that I've included as an example with the actual name of the package you've downloaded):

scp -P 222 ipcop-advproxy-3.0.6.tar.gz root@192.168.1.1:/etc/

Do it again for URL filter.

Now, log in to the Ipcop system over SSH to finish installing the two packages you've just copied. Assuming that the IP address below is the one you chose for Ipcop, type this into your terminal:

ssh -p 222 root@192.168.1.1

You will be prompted to enter your "root" password. From this point, commands typed in this window run on the Ipcop PC, not on your own computer.

To uncompress the packages, navigate to the folder to which you copied the packages (in my example, it's /etc/) and type:

tar -xzf archive_file_name.tar.gz

...carefully replacing "archive_file_name.tar.gz" with the actual name of the package you've copied. Do it again for the second package. Each archive unpacks into a new directory named after the package (the name may not include the version number); if in doubt, list the archive's contents first with tar's -t option and use the directory name you see there in the next step.

To actually install the packages, type

archive_file_name/install

...again, carefully replacing "archive_file_name" with the name of the directory that tar created for each package.
Type

exit

to end your SSH session on Ipcop.

Now check to make sure the services are properly installed on Ipcop. Go to your browser, type ipcop:81 (or https://192.168.1.1:445) into the URL bar and click on the "services" tab. Advanced Proxy and URL filter should appear as options.

CONFIGURATION
Click on Advanced Proxy and configure the following settings:
  • enabled on green
  • enabled on blue (assuming you set up a blue interface for wireless)
  • transparent on green DISABLED
  • transparent on blue DISABLED (a transparent proxy cannot ask the browser for a login, which would defeat the per-user control)
  • "Allowed subnets" set to
        192.168.1.0/255.255.255.0
        192.168.3.0/255.255.255.0
    (these are the network addresses of green and blue; the second assumes you gave the blue - wireless - interface the address 192.168.3.1 during setup)
  • enable URL filter
  • enable whitelist
  • leave destination ports as default
  • authentication "local"
  • enable "Bypass redirection for members of the group 'Extended':"
Then click on the "User Management" button towards the bottom of the page and create each user account. Remember to specify whether each user will have "standard" access (i.e., the URL filter applies and they are held to your whitelist) or "extended" access (i.e., the URL filter redirection is bypassed for them; their browsing still goes through the proxy and is still logged, but is not filtered).

When you're done, click on "Save and Restart" at the bottom of the Advanced Proxy main page.

Now go back to the "services" tab and click on URL filter. Assuming that you want to restrict your "standard" users to only those web sites that you actively specify,
  • Enable "custom whitelist"
  • Enable "Block all URLs not explicitly allowed:" (in "Advanced Settings" towards the bottom)
  • Enter the web sites to which you want to provide access in the "Allowed domains" box, one bare domain per line (example.org, not https://www.example.org/some/page). An entry covers that domain and everything beneath it, so example.org also admits www.example.org and any other subdomain, while a site reached through a different domain or by its bare IP address stays blocked. I've provided a sample list of addresses that might be useful for you below.
When you're done, click on "Save and Restart" at the bottom of the URL filter main page.
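Before pasting a list into "Allowed domains", it helps to see exactly what an entry admits and what it does not. The following is an added example of mine, not code from this guide or from the URL filter project. It assumes the squidGuard domain-list rule that URL filter is built on (an entry matches the host itself and every host beneath it, and nothing else) and uses a constructed sample list of made-up example.org, example.net and example.com names. It turns a messy pasted list into the one-domain-per-line form the box expects, drops entries that a parent entry already covers, and lets you check which requests a "standard" user would get through before you restart anything:

```python
"""Prepare and sanity-check an "Allowed domains" list for URL filter.

Added example, not code from the original guide or from the URL filter /
Advanced Proxy projects. It assumes squidGuard domain-list semantics:
an entry such as example.org matches requests for example.org and for
any host beneath it (www.example.org, games.example.org), and nothing
else. With "Block all URLs not explicitly allowed" switched on, a request
whose host matches no entry is blocked. The pasted list below is
constructed for illustration.
"""
from typing import Iterable, List, Optional
from urllib.parse import urlsplit

# Constructed sample: the kind of thing that gets pasted in from a
# browser's bookmarks, with schemes, paths, ports, mixed case and comments.
SAMPLE_PASTE = """
# homework sites
https://www.example.org/lessons/arithmetic
www.example.org
Example.ORG.
http://reference.example.net/wiki/Main_Page
reference.example.net/
https://user:pw@games.example.com:8443/play
http://
""".splitlines()


def _host_of(text: str) -> Optional[str]:
    """Extract the lowercased host name from a URL, host:port or bare host."""
    if "://" not in text:
        text = "//" + text  # lets urlsplit treat the leading part as the netloc
    try:
        host = urlsplit(text).hostname  # strips scheme, userinfo, port, path
    except ValueError:
        return None
    if not host:
        return None
    return host.strip(".")  # urlsplit already lowercases; drop a trailing dot


def normalize_entry(raw: str) -> Optional[str]:
    """Turn one pasted line into a bare domain, or None if it is not a host."""
    line = raw.split("#", 1)[0].strip()  # drop comments and surrounding space
    return _host_of(line) if line else None


def domain_matches(host: str, entry: str) -> bool:
    """squidGuard-style domain match: the entry itself or any host beneath it."""
    host = host.lower().rstrip(".")
    return host == entry or host.endswith("." + entry)


def build_allowed_domains(raw_lines: Iterable[str]) -> List[str]:
    """Normalize, de-duplicate and drop entries already covered by a parent.

    Keeping both example.org and www.example.org is harmless, but it hides
    the fact that example.org alone already admits every subdomain, so the
    redundant child is removed to keep the list honest.
    """
    entries = {e for e in map(normalize_entry, raw_lines) if e}
    kept: List[str] = []
    # Parents (fewer labels) first, so each entry is compared against them.
    for entry in sorted(entries, key=lambda e: (e.count("."), e)):
        if not any(domain_matches(entry, parent) for parent in kept):
            kept.append(entry)
    return sorted(kept)


def would_allow(request: str, allowed: Iterable[str]) -> bool:
    """Decide a request under "block all URLs not explicitly allowed".

    `request` may be a full URL or the host:port form a browser sends in a
    CONNECT for an https site. An IP-literal request never matches a domain
    entry, so it is blocked even if the address belongs to an allowed site.
    """
    host = _host_of(request)
    return bool(host) and any(domain_matches(host, e) for e in allowed)


def render_allowed_domains(raw_lines: Iterable[str]) -> str:
    """Text ready to paste into URL filter's "Allowed domains" box."""
    return "\n".join(build_allowed_domains(raw_lines))


if __name__ == "__main__":
    allowed = build_allowed_domains(SAMPLE_PASTE)
    print("Allowed domains:\n" + render_allowed_domains(SAMPLE_PASTE))
    for req in ("https://www.example.org/", "example.org.evil.test",
                "games.example.com:443", "http://192.0.2.10/"):
        print(f"{req:32} -> {'allow' if would_allow(req, allowed) else 'BLOCK'}")
```

Run it as a script to see the cleaned list and the verdicts for a few requests; the interesting cases are example.org.evil.test (a look-alike that is not beneath example.org and so is blocked) and the bare IP address, which no domain entry matches.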

WIRELESS
Assuming that there is a wireless router installed on your network and that you want wireless devices to be included in the proxy, here is one way to configure it (make sure, of course, that the Ipcop network adapter that corresponds to the "blue" interface is connected by cable to the wireless router's LAN port - not its WAN port - so that the router acts as a plain access point on the blue network):

From within the router's configuration program, give it a fixed address of 10.10.10.1 and disable its DHCP server, so that Ipcop hands out the addresses on blue (the router's own administration page is then only reachable from a machine temporarily given a 10.10.10.x address). Make sure that you assigned 192.168.3.1 to blue in the Ipcop setup process.

If you want to restrict wireless access to only those devices you have explicitly allowed (a useful extra restriction that I recommend, although bear in mind that a device's MAC address is easy to change, so this keeps out casual visitors rather than a determined one - keep the router's own wireless encryption and passphrase switched on as well), do the following:

In the Ipcop interface under services/dhcp-servers, create a fixed lease for each mobile device using its unique MAC address and an IP address in the blue subnet (e.g., 192.168.3.2 or 192.168.3.9).

    Note: if you're having trouble finding the MAC address of any device, see this resource

Do the same for "firewall/blue access" (although here, there is no need to include an IP address).

Important: in order to ensure that all your network devices will have access to the Internet, make sure all the browsers and system proxy settings have been set to 192.168.1.1 and port 800.

Once everything seems to be properly set up, it's time to test the system. Open browsers on various computers in the house to make sure that you are prompted to log in to an Ipcop account. Try to access a whitelisted web site, over both http and https, to ensure it opens properly. Try to access a web site that is supposed to be blocked to make sure it doesn't open. Then, on one computer, turn the browser's proxy setting off and try any web site: it should fail to load, which proves the iptables rules are doing their job (if it loads, the rules are not in place and the whole scheme can be bypassed by anyone who edits a proxy setting). Try accessing the network via a wireless device that hasn't been issued a fixed lease to make sure that it's blocked.

ANOTHER LAYER OF SAFETY
Since all the computers in my house use the Ubuntu flavor of Linux as their operating system, I have the added ability to "watch" any user's screen from my own computer using software called VNC. Since I was careful to tell my kids in advance that I might be watching them at any time (it really doesn't seem right to do it behind their backs), this has essentially the same effect as being there in the room with them while they browse.