Parental Control / User Based Access / User Based Firewall

jackyyaplt
Level 1
Posts: 12
Joined: Sat Apr 18, 2020 8:40 am

Parental Control / User Based Access / User Based Firewall

Post by jackyyaplt »

Hi all,
I am looking for a Parental Control/User Based Access/User Based Firewall suggestion.

The general direction is to keep things simple and easy to modify/maintain without any risk of serious problems.

Basically, I want to limit my child's access to the computer based on: Time, Applications and Sites.

For limiting the time, I am fine with Time Keeper.

For limiting applications, one easy way I am thinking of is to set the folder/executable permission (but from the Linux Mint menu, how do I trace down the respective executable and its folder?). [Any other approaches would be greatly appreciated too!]

For limiting websites, technically, I can configure the /etc/hosts to redirect blocked domains to 0.0.0.0; however, I only want to block for specific users, not to block all. I am thinking along the lines of a firewall, but is there such a firewall that I can use to specify which user can access which site (also I want to specify via domain name rather than IP address)? [Any other approaches would be greatly appreciated too!]

Thanks and looking forward to your advice.

SomeDudeInAZ
Level 2
Posts: 93
Joined: Sun May 05, 2019 6:48 pm
Location: Scottsdale, AZ, USA

Re: Parental Control / User Based Access / User Based Firewall

Post by SomeDudeInAZ »

Without knowing anything about how tech savvy your kids are:

1) REALLY SIMPLE: For the kiddee account (you do have them logging into their own account right?), edit the mint menu (right click on the menu select "configure"). Then just uncheck/delete anything you don't want them to be able to run. Not very secure if they know how to get around it (or can use the terminal) but I am consistently amazed at how effective this simple trick is.

1a) As an added bonus, once you're in the menu editor, you can view the properties to find where the executable is. Often the config file (and other support files) are somewhere else though. Here be dragons...

2) Firewall: you can use UFW (to an extent). Do a duckduck search on "ufw website blocking" and you can find some help there.

*** Note: DOH = DNS over HTTPS ***

3) Sign up for an outside DNS service that will let you filter by DNS (Cisco's OpenDNS works well) and you then force Firefox to use that service if you're using DOH (why?) or put it into your router (force no DOH :D ) and you're good to go. I personally don't like Cloudflare...

4) Build a pi-hole, full on OpenSense (pfSense) firewall, Ubiquiti Edge Router (cheaper than pi), disable the evil DOH in the browser, load the block lists and you're great. With no advertising as a bonus. If you still want DOH there are tools you can install in the firewall (e.g. https://docs.pi-hole.net/guides/dns-over-https/). But you still have to disable DOH in the browsers.

Hope this helps

PS:
/* rant mode on */
Before anyone starts in on DOH being "good for privacy" remember - Mozilla forced this, at the application level, bypassing the hosts file and most other firewall or dns based blocking. So you now have to jump through hoops to get your filter rules and ad blocking back; because a checkbox in a browser preferences screen bypasses your rules. Just in time for them to launch a "pay us for an ad free internet" service...just call me cynical
/* rant mode off */

Sorry for the quasi-hijack

Pippin
Level 4
Posts: 368
Joined: Wed Dec 13, 2017 11:14 am
Location: The Shire

Re: Parental Control / User Based Access / User Based Firewall

Post by Pippin »

SomeDudeInAZ wrote:
Sat Apr 18, 2020 3:24 pm
full on OpenSense (pfSense) firewall,
Ouch, in one sentence ;)
Peer review = Ossification of current assumptions, the censorship of competing hypotheses.

Mathematical proofs = Elegant consistencies within a synthetic man-made universe.
Models are not reality, no matter how elegant.

SomeDudeInAZ
Level 2
Posts: 93
Joined: Sun May 05, 2019 6:48 pm
Location: Scottsdale, AZ, USA

Re: Parental Control / User Based Access / User Based Firewall

Post by SomeDudeInAZ »

:lol:

jackyyaplt
Level 1
Posts: 12
Joined: Sat Apr 18, 2020 8:40 am

Re: Parental Control / User Based Access / User Based Firewall

Post by jackyyaplt »

Thanks, finding the path from the menu item is useful.

He is not very savvy from a shell script perspective; however, as you know, a child has the ability to learn ANYTHING very fast just by watching YouTube! So, a method that relies on the root pwd would be nice.

For firewall, I want to have conditional settings based on login user. For example, if the user is my child, then deny, else allow. However, I have not seen any firewall providing such ability. Therefore, I am thinking along the lines of swapping in a custom /etc/hosts file based on the login user. In other words, when my child logs in, the laptop's /etc/hosts will be copied from "/etc/hosts.LIMIT" to "/etc/hosts". And when another user logs in, the /etc/hosts will be copied from "/etc/hosts.OK" to "/etc/hosts".

To do the above simple task, I need to know:
1) Where is the login script (not startup script) located in Linux Mint? Is this a user-based login script or a system wide login script? I would prefer to modify via individual login script.
2) When the login script is run, I need to copy a ready-made file, "/etc/hosts.LIMIT", to "/etc/hosts". This would mean that I need root privilege to do that. Is there some permission that I can set on the SH file so that it will run as root? Or do I need to do some links? [Some details on the commands would be great, I have not used LINUX script for a LONG TIME]
3) Is there a similar logout script? If so, where is it?

Thanks in advance for the help!

SomeDudeInAZ
Level 2
Posts: 93
Joined: Sun May 05, 2019 6:48 pm
Location: Scottsdale, AZ, USA

Re: Parental Control / User Based Access / User Based Firewall

Post by SomeDudeInAZ »

"startup applications" can be found in system settings off the main menu

One idea you could try is to dual boot :twisted: into 2 different installs. One install just for him (no user password so it boots right into the user account) and one for you. Then you just tweak grub or use a 3rd party boot manager like terabyte and it boots into "his" account. Not perfect, but gets things started.

Also, if you have 2 network cards (wired &/or wifi, or 2 networks on wifi, or some other combination) you could try forcing him onto 1 network, and leave you on another. Then customize a firewall from there.

I'm sure there are those who are much more knowledgeable about this than I am.

Another way to get fancy is install pi-hole or some other firewall into a VM and set that VM as your dns server or learn the backend of ufw (iptables - I haven't had the chance to play with that side yet).

Hope this helps
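
The per-user /etc/hosts swap asked about earlier in the thread, as an added example that is not part of any post here: a root-run PAM session hook that installs hosts.LIMIT or hosts.OK on login and restores hosts.OK on logout. The install path, the account name `child`, the PAM file chosen and the HOSTS_DIR override are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): per-user /etc/hosts swap via pam_exec.
# Assumed wiring: save as root-owned, mode 0755, at the hypothetical path
# /usr/local/sbin/hosts-swap and add this line to the display manager's PAM
# file (assumed here to be /etc/pam.d/lightdm):
#   session optional pam_exec.so /usr/local/sbin/hosts-swap
# pam_exec runs the hook as root and exports PAM_USER and PAM_TYPE, so no
# setuid bit or sudo rule is needed on the script itself.

HOSTS_DIR="${HOSTS_DIR:-/etc}"                 # overridable to try it in a scratch dir
RESTRICTED_USERS="${RESTRICTED_USERS:-child}"  # hypothetical account name(s), space separated

# Print the profile for a user: hosts.LIMIT for restricted accounts, else hosts.OK.
profile_for() {
    for u in $RESTRICTED_USERS; do
        if [ "$u" = "$1" ]; then
            echo "$HOSTS_DIR/hosts.LIMIT"
            return 0
        fi
    done
    echo "$HOSTS_DIR/hosts.OK"
}

# Copy a profile over "hosts" atomically: temp file in the same directory, then
# rename. A missing profile leaves the current hosts file untouched.
install_profile() {
    src="$1"
    [ -r "$src" ] || { echo "missing profile: $src" >&2; return 1; }
    tmp="$HOSTS_DIR/.hosts.tmp.$$"
    cp "$src" "$tmp" && chmod 644 "$tmp" && mv -f "$tmp" "$HOSTS_DIR/hosts"
}

# Session hook: the user's profile on login, the permissive profile on logout.
hosts_swap() {
    user="$1"; type="$2"
    case "$type" in
        open_session)  install_profile "$(profile_for "$user")" ;;
        close_session) install_profile "$HOSTS_DIR/hosts.OK" ;;
        *)             return 0 ;;
    esac
}

# Run only when PAM invokes the hook; otherwise the file just defines functions.
if [ -n "${PAM_TYPE:-}" ]; then
    hosts_swap "${PAM_USER:-}" "$PAM_TYPE"
fi
```

Because /etc/hosts is system-wide, the last login or logout wins when two sessions overlap, and, as the thread notes, a browser using DoH does not consult the file at all.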
