Parents of STH - what is/are your solution(s) for Internet management with kids?


jcl333

Active Member
May 28, 2011
253
74
28
Run your own VPS based VPN using wireguard/ipsec using algo. algo runs dnscrypt with your preferred blocklist you can find here

prevent the phone from accessing the internet via the isp. Force ipsec/wg. now u can control access.

Don't try to control the phone, it's a fool's errand. control the incoming data.

block raw internet access using afwall+, only allow access to wireguard ip subnet
My only fear with this type of thing is reliability. If it keeps breaking down such that I have to bypass it so my kid can legitimately use it, it won't last long. And time is for sure a factor. I think you are a fair bit above me in this area too.

If you need control of the phone, that means you root it. you flash it with a custom ROM from XDA-Developers. You leave out all the google code. You cannot trust google. Google is infested with pedophiles. Just like Disney is. It never ends. You can never trust the ROM a phone comes with from the shop. First thing you do is zap the phone, and install your custom ROM without any google code.

Get tough. It's lots of work and reading, but it is possible. Don't trust any app or 'parental solution' It's all bullshit.
heh, I have a friend just like you. He maintains a separate computer running Ubuntu (I think) that is not networked, he brings select things to it via a thumb drive. Then he has a separate computer with Internet access that he uses very carefully. He won't buy or use anything that will track him, so no Tesla and no smartphone. That being said, he is an assembly programmer who writes firmware for missile and satellite systems, so I can't really dismiss it either, he has seen some $hit.

Not judging you harshly, I have thought about this. I was thinking of running my main desktop as a VM with a snapshot that gets deleted when you shut down the machine. So it is almost like a new and fresh machine every time you turn it on. Maintain just enough carefully selected favorites and info to do useful things with it. Use one of these permanent VPN solutions if you can find one that you can trust.

This I think would foil much of the cookies and tracking and all the other things the Internet Mega corps are using to data mine our lives. People don't really understand me when I tell them with Facebook you are the product, not the customer (and I barely use it once a year, delete the app from my phone because it was too annoying.)

But, I have to admit, I have not been disciplined enough to put all the things I know I *should* do into practice. Part of it is that I have been using the Internet sooo long (as I am sure others here have been) that I can usually spot the crap and avoid it in the first place, but it is getting harder. (actually I pre-date the Internet by quite a bit, I am ancient) Although if you *DO* do all the same things all the other lemmings are doing, then you could make an argument that you blend into the ether and are unremarkable. But I agree big data is not to be underestimated.

Lately I was thinking of actually paying the $15/mo for YouTube premium just to remove all the %$^#% ads for my family.
I know, I know, one mustn't feed the beast, but it gnaws at my soul. I am also one of the people who Google is taking away my free Google Apps account, still haven't decided what I am going to do and may just pay for it.

Oh, I forgot to mention: (partially because they are probably too obvious for this crowd)
- I have all my family members and myself not logging in all the time as local admin, and I am the only one with the admin creds.
- We use LastPass with Yubikey MFA, taught them how to maintain all sites with unique random complex passwords
- Microsoft's built-in AV/AM is OK, I supplement Malwarebytes
- All our browsers have both AdBlock and uBlock Origin (yes, in addition to PiHole)

/paranoia

-JCL
 

jcl333

to add. What you do is first you buy the same model phone your child has. Then you go to xda-developers and pick a cyanogenmod based ROM for it. You study how to flash the phone without installing the google code. you store the ROM you create on an encrypted sd card that only you have the encryption key to. When your ROM image is ready you transfer the encrypted sd card to your child's phone, and flash your child's phone with that ROM. it's been almost a decade since i did this for a living, can't remember all the details.

from that encrypted sd card you install the new rom onto your child's phone. It has no google code, all location based etc code is open source alternative (can't remember the name but it all exists) afwall+ controls all the internet traffic. your child cannot disable the iptables based fw.

You have to take complete control of the phone OS and the internet data channel. xda-developers has everything you need. Anything less than that is futile.
I have another friend who is really into this sort of thing, likes to talk about phones running on open hardware and all that.

I guess my most honest answer to this is that just like at work, I have to choose my battles. It would take me a long time to get up to speed on what you are talking about, but I am loosely familiar with it. You have to leave some things to others, partially the reason I created this thread.

-JCL
 

jcl333

100% best post so far.

But for the other moments, ZenArmor (paid edition) on OPNSense has been awesome.

The frantic shouts from roommates after I experimented with blocking "Pornography" in the policy was hilarious. "EVERY. WEBSITE. I TRIED EVERY WEBSITE , EVEN ONES GOOGLE DIDN'T KNOW ABOUT AND NOTHING WORKS!"
Agreed.

Have not heard of ZenArmor, will check it out. You really like OPNSense that much more than pfSense? I know there is a whole bunch of history, but I have been using pfSense for longer than I can remember.

Well done on the blocking. A few years back I lived in a 7-unit condo, and I was by far the most knowledgeable person on this stuff in the building, so I set up business class Internet and a pfSense box, they are still using it to this day, I think I set that up in like 2006 or something? Sure, I *could* offer to go update it..... but I just can't do it, not enough time.

I of course went very light on any kind of filtering or monitoring because it would have been unethical and I told them that, I treated it like my fiduciary duty.

Were your roommates using the dark web? Or are you just talking about other search engines?
 

Blue)(Fusion

Active Member
Mar 1, 2017
150
56
28
Chicago
Lately I was thinking of actually paying the $15/mo for YouTube premium just to remove all the %$^#% ads for my family.
I know, I know, one mustn't feed the beast, but it gnaws at my soul. I am also one of the people who Google is taking away my free Google Apps account, still haven't decided what I am going to do and may just pay for it.

Oh, I forgot to mention: (partially because they are probably too obvious for this crowd)
...
- All our browsers have both AdBlock and uBlock Origin (yes, in addition to PiHole)
What?! I have not seen an ad on Youtube in years thanks to uBlock Origin. And I use the uBlock Origin dropper tool to get rid of the "here's the approved news we want you to watch" on the homepage feed and the "this might be misinformation" bit under videos.

Have not heard of ZenArmor, will check it out. You really like OPNSense that much more than pfSense? I know there is a whole bunch of history, but I have been using pfSense for longer than I can remember.
I've used both. OPNSense has been more stable, quicker updates, great features, looks better, and has native support for ZenArmor (previously Sensei) and I don't believe pfSense has that option.

Were your roommates using the dark web? Or are you just talking about other search engines?
No, I'm the one that uses the "dark web." I just wanted to experiment with how effective ZenArmor was. Needless to say, it works very well. I believe the free version is all you need, but if you want to add custom white and black lists, then you need to pay for it. I believe I paid about $100 for a year. Worth it. I also use it to block advertising, Facebook, Twitter, most Google (not Youtube or Google Play Store updates), TikTok, and other similar junk on my Trusted network using ZenArmor. Just check the box and click Save - no figuring out IPs, no DNS masking, it does it all with its periodically updated databases. Its biggest benefit is also detecting and preventing known exploits from within your network trying to reach out to the internet (DDoS, rootkits, etc.).

----------

Honestly, reading the majority of your posts in this thread, I'd recommend keeping it simple. "Next Gen" firewall it with something like *sense+ZenArmor, block what absolutely needs to be blocked for your family (TikTok!!!!!) and have some trust in your kids. Your kids will find things you don't want them to whether you like it or not and every person I ever knew with overbearing parents limiting access too much turned out to be the ones that didn't socialize well and ended up in bad places in life.

The big thing is to ensure privacy opsec which can only be learned and practiced, not restricted by tech which sounds like you're already doing. It never ceases to amaze me how easy it is to know so much about anyone with only their full name or phone number.

I should also add that I was always the tech savvy one in my family. Being a late 80's baby, I grew up with the world wide web almost from day one. I was the one who set up the LAN when we got our first 10/100 network hub. I'm the one who configured Windows 98 networking. I'm the one that showed my parents how to use AOL during the dial-up days. I'm the one that knew how to search the internet for anything I wanted without their knowledge, and boy, did I ever. Did it hurt me in any way? I don't think so, nor does my therapist (just kidding about the therapist!) because I was taught critical thinking and general sense of awareness by my parents. Just because I could doesn't mean I will.
 

sic0048

Active Member
Dec 24, 2018
119
99
28
I agree with most posting here that think that trying to limit your child's internet access to certain things is a fool's errand in the long run. Kids are not dumb and will find ways around your "blocks" in minutes. It might be as simple as switching to cell data instead of wifi or it might be borrowing a phone from a friend.

That's not to say that attempting to block certain sites is a bad thing, but this "method of parenting" should never be the primary way you are trying to police your children's behavior. You cannot stop "bad behavior" through technology and the more you try, the more you will fail at it. That type of change needs to come through genuine interaction with your kids and good open communication with them.

It's similar to the concept our society has today that you can simply "outlaw" bad behavior and people will be good. Laws do not change/prevent bad behavior. You have to change the root problem (poverty, drug use, ineffective education, lack of role models, ineffectual parenting, lack of consequences for wrong doing at an early age, etc, etc, etc) to make any lasting change in people.
 

Serhan

Member
Sep 22, 2017
92
29
18
I tried limiting access with pfsense, but it required a lot of time and there would always be a game using something different, so I was not successful. I am using firewalla purple, and I am quite happy with its reporting and restrictions when needed.
 

Joshh

Member
Feb 28, 2017
61
16
8
43
Run your own VPS based VPN using wireguard/ipsec using algo. algo runs dnscrypt with your preferred blocklist you can find here

prevent the phone from accessing the internet via the isp. Force ipsec/wg. now u can control access.

Don't try to control the phone, it's a fool's errand. control the incoming data.

block raw internet access using afwall+, only allow access to wireguard ip subnet

If you need control of the phone, that means you root it. you flash it with a custom ROM from XDA-Developers. You leave out all the google code. You cannot trust google. Google is infested with pedophiles. Just like Disney is. It never ends. You can never trust the ROM a phone comes with from the shop. First thing you do is zap the phone, and install your custom ROM without any google code.

Get tough. It's lots of work and reading, but it is possible. Don't trust any app or 'parental solution' It's all bullshit.

Whoa..... That is another level. Hopefully your kids don't end up with your level of paranoia.
 

jcl333

What?! I have not seen an ad on Youtube in years thanks to uBlock Origin. And I use the uBlock Origin dropper tool to get rid of the "here's the approved news we want you to watch" on the homepage feed and the "this might be misinformation" bit under videos.
Huh, I was told that there was not an easy way to block the ads in YouTube, I already use uBlock Origin, but didn't know it could do that, have to look into it, thanks for that.

I've used both. OPNSense has been more stable, quicker updates, great features, looks better, and has native support for ZenArmor (previously Sensei) and I don't believe pfSense has that option.
The one I was looking at was Sophos Home Edition, and I actually gave Untangle a try awhile back, didn't have enough time to mess with it at the time.

No, I'm the one that uses the "dark web." I just wanted to experiment with how effective ZenArmor was. Needless to say, it works very well. I believe the free version is all you need, but if you want to add custom white and black lists, then you need to pay for it. I believe I paid about $100 for a year. Worth it. I also use it to block advertising, Facebook, Twitter, most Google (not Youtube or Google Play Store updates), TikTok, and other similar junk on my Trusted network using ZenArmor. Just check the box and click Save - no figuring out IPs, no DNS masking, it does it all with its periodically updated databases. Its biggest benefit is also detecting and preventing known exploits from within your network trying to reach out to the internet (DDoS, rootkits, etc.).
Hmm, ZenArmor looks really nice, I may try it out. Might even have better parental features than that Circle/Disney thing.

----------
Honestly, reading the majority of your posts in this thread, I'd recommend keeping it simple. "Next Gen" firewall it with something like *sense+ZenArmor, block what absolutely needs to be blocked for your family (TikTok!!!!!) and have some trust in your kids. Your kids will find things you don't want them to whether you like it or not and every person I ever knew with overbearing parents limiting access too much turned out to be the ones that didn't socialize well and ended up in bad places in life.
Yup, I actually just recently discovered some of the things my 12 year old has discovered, even with the tools I have now. So a discussion is looming ;-)

The big thing is to ensure privacy opsec which can only be learned and practiced, not restricted by tech which sounds like you're already doing. It never ceases to amaze me how easy it is to know so much about anyone with only their full name or phone number.
Right, I teach my family how to use tools like LastPass + Yubikey, various software on PCs, not logging in as admin, etc.

I should also add that I was always the tech savvy one in my family. Being a late 80's baby, I grew up with the world wide web almost from day one. I was the one who set up the LAN when we got our first 10/100 network hub. I'm the one who configured Windows 98 networking. I'm the one that showed my parents how to use AOL during the dial-up days. I'm the one that knew how to search the internet for anything I wanted without their knowledge, and boy, did I ever. Did it hurt me in any way? I don't think so, nor does my therapist (just kidding about the therapist!) because I was taught critical thinking and general sense of awareness by my parents. Just because I could doesn't mean I will.
I got into computers in the early 80's, I was on BBS's (and ran one) and used the "web" when it was just text, and when there was a single-digit number of websites ;-) I am ancient. Actually, I say to my friends that are the same age that we are the last generation that will ever know what it was like NOT to have computers......

Fair point on the parenting, thank you for this helpful post.

-JCL
 

jcl333

I agree with most posting here that think that trying to limit your child's internet access to certain things is a fool's errand in the long run. Kids are not dumb and will find ways around your "blocks" in minutes. It might be as simple as switching to cell data instead of wifi or it might be borrowing a phone from a friend.

That's not to say that attempting to block certain sites is a bad thing, but this "method of parenting" should never be the primary way you are trying to police your children's behavior. You cannot stop "bad behavior" through technology and the more you try, the more you will fail at it. That type of change needs to come through genuine interaction with your kids and good open communication with them.

It's similar to the concept our society has today that you can simply "outlaw" bad behavior and people will be good. Laws do not change/prevent bad behavior. You have to change the root problem (poverty, drug use, ineffective education, lack of role models, ineffectual parenting, lack of consequences for wrong doing at an early age, etc, etc, etc) to make any lasting change in people.
Maybe a better way to look at it is the software can augment the parenting, make it easier. Kind of like how a better camera won't necessarily make a better photographer....
 

jcl333

I tried limiting access with pfsense, but it required a lot of time and there would always be a game using something different, so I was not successful. I am using firewalla purple, and I am quite happy with its reporting and restrictions when needed.
So you found that solution much easier to use, and it did not get in your way?
That is the rub, when I tried Untangle, after a couple of weeks fiddling with it I gave up.
 

Serhan

So you found that solution much easier to use, and it did not get in your way?
That is the rub, when I tried Untangle, after a couple of weeks fiddling with it I gave up.
Yes, I am happy with Firewalla. Kids are on their own vlan, they are also in a group. Once you set the restrictions for the group in terms of applications, the box does the rest. If you want, you get alerts on what they are doing on categories like gaming, social media, etc, but I no longer need to get that kind of detail. This is all done on your phone, no need for web interface.
 

Wasmachineman_NL

Wittgenstein the Supercomputer FTW!
Aug 7, 2019
1,880
620
113
Whoa..... That is another level. Hopefully your kids don't end up with your level of paranoia.
Disney being full of sick ****s is nothing new under the sun though, but that's more of a subject for another site.
 

jcl333

Hello, I thought I would follow up on this.

I gave Untangle another try, and it has gotten a lot better since I tried it a few years ago.
It allows me to just monitor, or block, etc.
So, I am going to give this a spin for awhile.

-JCL
 

zer0sum

Well-Known Member
Mar 8, 2013
849
474
63
Hello, I thought I would follow up on this.

I gave Untangle another try, and it has gotten a lot better since I tried it a few years ago.
It allows me to just monitor, or block, etc.
So, I am going to give this a spin for awhile.

-JCL
So, you're going to pay for it?


 

jcl333

So, you're going to pay for it?


Yes, I think so, I think the price is reasonable for what it does.

I looked at Sophos UTM, Firewalla, ZenArmor, and a couple others. They all have their pros and cons, but I was able to install Untangle in bridge mode and leave my pfsense box untouched, and set it up to be able to handle my gigabit fiber connection, performance is quite good.

Are you affiliated with untangle?

-JCL
 

zer0sum

Yes, I think so, I think the price is reasonable for what it does.

I looked at Sophos UTM, Firewalla, ZenArmor, and a couple others. They all have their pros and cons, but I was able to install Untangle in bridge mode and leave my pfsense box untouched, and set it up to be able to handle my gigabit fiber connection, performance is quite good.

Are you affiliated with untangle?

-JCL
Not at all. I've installed it, tested it for a few days and promptly uninstalled it a few times over the years though :p
 

edge

Active Member
Apr 22, 2013
203
71
28
Mine are grown & gone so not really a 'current' solution - but it worked for me.

Really you don't need to block them or monitor them. You just need to convince them that you can. With my kids I did enough casual monitoring (put in some DNS tracking) so that I could casually mention things about sites they had visited, etc., and then said just enough to make them believe I could see anything they did on their computers or phones.

Perhaps it helped that I was working at a mobile phone carrier at the time and casually dropped into conversation work I had been doing on CALEA and wiretaps, etc.

Anyway, I had them completely convinced I could see everything they did, read their IMs/etc. Worked out great!
I sort of did the same, but with a moderate stick. I run snort as my IDS. My oldest (now 10, but at the time 8) wanted to get on discord (I really don't like discord content). Rather than block it, I put in a snort rule that disabled his internet access if he visited discord and did it immediately.

One day later he came to me saying his internet was out... Fun conversation with him until he fessed up - then I told him I was the God of the internet in the house and he needed to listen to me. If y'all read TheRegister, I am just the BOFH of the house.
 

Wasmachineman_NL

I sort of did the same, but with a moderate stick. I run snort as my IDS. My oldest (now 10, but at the time 8) wanted to get on discord (I really don't like discord content). Rather than block it, I put in a snort rule that disabled his internet access if he visited discord and did it immediately.

One day later he came to me saying his internet was out... Fun conversation with him until he fessed up - then I told him I was the God of the internet in the house and he needed to listen to me. If y'all read TheRegister, I am just the BOFH of the house.
Good, because **** discord: Discord — Spyware Watchdog
 

oneplane

Well-Known Member
Jul 23, 2021
845
484
63
Keep in mind that when teenagers want to find out about porn and other adult things, they will. The only thing you can do is prepare them and be available and reachable for when they have questions.

Regarding parental controls, filters and blocking: most of it is a tool, not a solution to a problem. Just like in infosec, it doesn't matter how good the tools are if the users (or kids in this case) can simply go somewhere else and be out of view and on their own for whatever they want to do. That said, even a simple time limit and filtering style that simply makes websites and applications appear broken are an easy way to make drive-by internet nonsense go away for the first few years.

I think Troy Hunt even had a basic plan like that which combines most posts in this thread where it's mostly just about keeping communication going with the kids but at the same time have mild controls in place. That way, the kids can still use the devices and internet (within limits) and explore, while at the same time having the openness to be able to talk about 'seeing some adult stuff' on a friend's device. It generally isn't about the details of the adult things (be it porn, gambling or drugs for example), but mostly about how they felt/how they are doing and if they have questions.

While most of us here might have had an easy time easing in to internet as it was being built and the web came to be, all the way to unlimited free video streaming of every type of content you can imagine (and more), 'new users' essentially get dropped into a very deep rabbit hole with the way the internet is now. Rate limiting in terms of quantity and quality of content combined with classical parenting might be the best analog comparison and that's probably also why it's one of the default answers when kids+internet comes up.

The only thing I'd want to add here is: never go full spyware. It always ends bad, either because it erodes trust, or because the spyware itself gets compromised and then you have some random basement hacker datamining your kids all day. The way the various implementations offered by Apple, Microsoft and Google work is about as far as I'd go (device-based). DNS logging/filtering would be a universal thing to have (regardless of kids, home, office situations) and might be a good thing to have kids be aware of: just because the parents don't know what you're up to doesn't mean the network isn't aware either (as was mentioned by someone here as an opsec thing).
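
The DNS logging approach mentioned in the post above and earlier in the thread, as an added example that is not part of any poster's message: it summarizes watch-list lookups per client on a kids' VLAN from a resolver query log, matching on whole DNS labels so look-alike names are not miscounted. The subnet, the watch list and the log lines (constructed in dnsmasq/Pi-hole style) are assumptions.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Assumptions (not from the thread): the kids' VLAN subnet, the watch list,
# and the log lines below, which are constructed in dnsmasq/Pi-hole style.
KIDS_NET = ipaddress.ip_network("192.168.20.0/24")
WATCHLIST = {"tiktok.com", "discord.com", "discordapp.com"}

SAMPLE_LOG = """\
Mar  3 18:01:12 dnsmasq[811]: query[A] www.tiktok.com from 192.168.20.15
Mar  3 18:01:12 dnsmasq[811]: forwarded www.tiktok.com to 9.9.9.9
Mar  3 18:01:40 dnsmasq[811]: query[AAAA] cdn.discordapp.com from 192.168.20.15
Mar  3 18:02:05 dnsmasq[811]: query[A] notdiscord.com from 192.168.20.16
Mar  3 18:02:31 dnsmasq[811]: query[A] Discord.com. from 192.168.20.16
Mar  3 18:03:02 dnsmasq[811]: query[A] en.wikipedia.org from 192.168.20.15
Mar  3 18:03:09 dnsmasq[811]: query[HTTPS] tiktok.com from 192.168.10.4
"""

# Only "query[...] <name> from <client>" lines carry the client address.
QUERY_RE = re.compile(
    r"query\[(?P<qtype>[A-Za-z0-9]+)\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)"
)


def watched_parent(name, watchlist=WATCHLIST):
    """Return the watch-list entry that `name` equals or is a subdomain of.

    Matching walks whole DNS labels, so 'cdn.discordapp.com' matches
    'discordapp.com' but 'notdiscord.com' does not match 'discord.com'.
    Case and a trailing root dot are normalized first.
    """
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in watchlist:
            return candidate
    return None


def in_network(client, network):
    """True if `client` parses as an IP address inside `network`."""
    try:
        return ipaddress.ip_address(client) in network
    except ValueError:
        return False


def summarize(log_text, network=KIDS_NET, watchlist=WATCHLIST):
    """Count watch-list lookups per client, limited to one subnet."""
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m or not in_network(m["client"], network):
            continue
        parent = watched_parent(m["name"], watchlist)
        if parent:
            hits[m["client"]][parent] += 1
    return {client: dict(counts) for client, counts in hits.items()}


if __name__ == "__main__":
    for client, counts in sorted(summarize(SAMPLE_LOG).items()):
        print(client, counts)
```

A lookup only shows that a name was resolved through this resolver; devices on cell data or using encrypted DNS to another resolver will not appear in the log.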