Parental control

(or how to provide a safe computer environment to your children)

by newmikey

I have two children, aged 10 and 11. Both were introduced to the Internet when they entered primary school. As they advanced through the grades the Internet has changed from a playground into a research source for projects, book reviews, and technical information. From the beginning, my wife and I have wondered how to protect our young children from the inherent dangers of this Global Community, and how to ensure that the content available to them would match their degree of development.

When they were very young, the solution was easy. The various tweaks to system files that enable access to only a few (up to 10) websites were easily executed and did not need to be adjusted too often. As the children grew older, their window on the world widened, and it rapidly became impossible to limit their view without damaging their scholastic advance.

One of the first things always has to be to educate your kids, make them understand how they should behave and, more importantly, how they should definitely NOT behave.

So they have been drilled on the standard, a standard you would be surprised to discover not many parents adhere to. Never give away personal details, use a nickname as an email address, and do not use your friends' real names when chatting or MSN-ing. Keep your password secret; do not let anyone else (even your brother or sister) log in under your name etc, etc. There is a long list of very common sense rules and the kids will gladly follow them if they understand exactly why.

That is why, early in 2005, I started looking at ways to filter unwanted and abusive content, while not limiting the reach and creativity that children need to develop. I found all kinds of programs for Windows, ISP's that offer specific "kids" accounts with server-based filtering and a few Open Source projects.

It so happens that from the beginning I disabled access to the network card in Windows (hardware manager) and taught them that they should use Linux if they wanted to go on the Internet. Therefore, Windows programs like NetNanny were out of the question (and expensive).

Basing the protection of my children on someone else's opinion of right and wrong seemed not to coincide with our view of limited freedom of information, where "limited" is understood to mean "anything as long as it is not damaging." So letting the ISP decide what my kids would see, was definitely not the way to go either.

I finally settled on DansGuardian, an Internet filter that has multiple ways to avoid presenting unwanted content to your kids. It has blacklists and whitelists, that either completely block or completely allow access to complete domains (websites). It also filters out images that are found to be unfit for children. It has dictionaries for swear words, discriminating phrases, porn, and other categories. Every web page is scanned for these words, before it is rendered on the screen. If one of these "forbidden" words is found, the page is replaced by a message that states that the page is unavailable. This technique is also called "dynamic content filtering".

What impressed me most, however, is the ability of DansGuardian to apply a weighted combination of words and make the resulting score decide whether or not to block a page. What does this mean in practice? Well, let's just say you do not want your children to have access to pages that contain sexually explicit stories or pictures. How does one prevent that? Nowadays, Googling on a subject like Barbie, or pussycat, will land you one result about the famous doll or an adorable feline, and thousands of referrals to websites that would make anyone blush.

So put the word "sex" in the list of forbidden words? That may sound like an easy solution, but, it will also block sites like special children's encyclopedia, school biology lab, and national health department, where information is offered about sex on a level and in a way that is specially targeted at and designed for a healthy sex education. The beauty of DansGuardian is that it offers a way out of this dilemma. DansGuardian allows the school biology lab to educate, national health department to warn and inform, and the encyclopedia to offer its content by comparing a total score of words found, to a maximum set by the parent.

The score can be increased by words or combinations of words, but also decreased by other words. So, just as an example, the word "sex" would add 10 points to the total score, but the combination of the words "health" and "childbirth" would take 10 points off the score. The whole page is scanned this way for several different categories of objectionable content, and if the resulting total is over a certain minimum, the page is blocked.

I hear you say, "my kid is so smart, he will find a way to circumvent this limitation in no time!" I can give you at least some reassurance, my 10 year old son is computer-smart, Linux-smart and technically savvy. He has given up trying. I am sure he will probably break DansGuardian by the time he is 18, but by then, I shouldn't be trying to limit his access anyway.

Is Dansguardian, alone and by itself, capable enough to make sure no access is allowed through other means? No, you need a mechanism that makes sure all Internet access is routed through DansGuardian, regardless of the browser type or settings. The solution to that is to use DansGuardian in combination with Squid, as a so-called "transparent proxy". This will force every attempt to send or receive content over computer port 80 (the http protocol), through DansGuardian's never-sleeping word filter.

Will you have no work at all after that? I would never advise anyone to totally leave the protection of their kids to a piece of software. I tend to review the log files DansGuardian creates once in a while, not to "spy" on the kids, but to make sure nothing is amiss, filtering is adequate, and the "page-score" is adjusted up or down when necessary. I also spend a lot of time with them on the PC, teaching them how to search, what to look for, and how to make sure information retrieved is reliable.

Is it easy to install the above combo? No, at least it wasn't for me. It took me hours no, nights of puzzling and reading on websites to get it setup the correct way. I hope that the following recipe will allow you to "cook" your kids a wonderful serving with less effort. They will appreciate the extended reach you will be allowing them and you will enjoy the feeling that your kids are protected.

The recipe calls for good quality, fresh ingredients. It is therefore advised that you use PCLinuxOS!


Take 1 ripe PCLOS installation, and add:

  • a generous portion of well marinated swap (2GB),
  • a sniff of games to taste,
  • two teaspoons of educational packages,
  • rpm's to taste.

Stir slowly, bring to a boil on a medium heat and...

Make sure your Synaptic is seasoned with the required packages, you need the regular repository and a separate repository called Thac, after its founder, for the Webmin package. For information on how to add Thac as a package source, look here:

WARNING: While the Thac repository is enabled, install ONLY the Webmin package. After it is disabled, install the other packages.

Add the following packages that are available from Synaptic (keep stirring constantly):

  1. Dansguardian
  2. Squid
  3. perl-Compress-Zlib
  4. IpTables

Now lower the flame and download the following package: dg-0.5.10-pr4.wbm (Dansguardian webmin module) from:

According to the instructions found at:

Edit (as root) /etc/squid/squid.conf and add if needed:

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
cache_effective_user squid
cache_effective_group squid

Edit (as root) /etc/dansguardian/dansguardian.conf and add if needed:

reportinglevel = 3
filterip =
filterport = 8080
proxyip =
proxyport = 3128
daemonuser = 'squid'
daemongroup = 'squid'

Add (as root) the following lines to /etc/rc.d/rc.local:

iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner squid -j ACCEPT
iptables -t nat -A OUTPUT -p tcp --dport 3128 -m owner --uid-owner squid -j ACCEPT
iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner root -j ACCEPT
iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 8080
iptables -t nat -A OUTPUT -p tcp --dport 3128 -j REDIRECT --to-ports 8080

Start PCLinuxOS Control Center (PCC) and navigate to System Services

  1. Set Squid to start at boot
  2. Set Dansguardian to start at boot
  3. Disable Shorewall
  4. Set Webmin to start at boot
  5. Set Iptables to start at boot

If you do not wish to turn off Shorewall (firewall), then you need to add the above 5 lines (that start with "iptables") to /etc/shorewall/start and /etc/shorewall/stop, just in case you have to stop Shorewall for some reason, your filters will continue running.

Make sure your PC has a so-called "hostname", otherwise the various ingredients of this recipe will not lead to a satisfactory result and leave a bad taste. You can set the "hostname" by opening the PCLinuxOS Control Center and enter the tab "Networking", section "Configure DNS settings." Set a qualified hostname. You can invent something fancy but "" will do fine for now.

You can now install the DansGuardian-webmin-module in Webmin by surfing to:


and choosing "Install module from local file." Point at the module you downloaded (probably on your desktop) and click "Install Module".

PCLinuxOS ad

In order to make this dish look more refined, garnish with a Konqueror Desktop link to the DansGuardian module of Webmin by using this URL:


so that you can examine logfiles and change settings (as root of course!)

You may need to adjust the "forbidden" words lists and scores, depending on where you live. I find the standard settings much too "prudish" for a European taste. On the other hand, I needed to reinforce protection in other categories.

You can either access DansGuardians settings through the Webmin module or edit them with any text editor like Kwrite, Kate or Kedit. You will find all of the blacklists, whitelists, and weighted words in several languages in /etc/dansguardian.

Do remember that you have to restart the services, after any edit of a DansGuardian file, in order for the changes to take effect. This could be done in a terminal, as superuser:

/etc/rc.d/init.d/squid restart
/etc/rc.d/init.d/dansguardian restart
/etc/rc.d/init.d/iptables restart

or from the DansGuardian webmin module in your favorite browser with the URL https://localhost:10000 (Note the extra "s" after http. It indicates a secure connection).

Have a look at some websites, good and bad. Note when you are blocked when you shouldn't be or not blocked when you should be. Now have a look at the logfiles.

They will show you the exact wordscores that led to the above results. I found that increasing the blocking threshold got rid of a lot of false results. You will soon find the perfect combination for your children's age and your local cultural habits. I wish you and your children a healthy, happy and safe 2007.