Also, be aware that filtering proxies are really just a weak band-aid and relatively easy to get around.

Blacklist proxies and content-filtering proxies are weak. Whitelist proxies, such as he's talking about using, are not so weak, although their usefulness is limited to situations where it's acceptable to block pretty much the whole internet with a few exceptions.

(I'm assuming here that he's going to run the proxy on the firewall, not on the desktop, and that the firewall will be set up to drop any unproxied traffic. Otherwise of course they'll just change the browser setting so it doesn't use the proxy.)

This wouldn't be my approach to internet access for children, granted. My approach would be to keep the PC in the living room, where they can't use it without being observed. That assumes there's ALWAYS an adult with them, but there isn't any other sane way to raise children, IMO. In any case, if they're left unsupervised there is *NOTHING* you can do to prevent them from viewing random content on the internet (or, worse, on television), because they'll view it at a friend's house.

Whitelist proxies, such as he's talking about using, are not so weak,

I largely agree with your post, just to clarify, for a whitelist proxy to be effective you need to run it on a separate gateway host which firewalls your network from the Internet (as you say). You also need to

• Drop all egress traffic at the firewall (not just HTTP), and run a filtering proxy for any services you wish to use (e.g. DNS, SMTP, POP/IMAP, FTP)
• Disallow encrypted connections (no HTTPS).
• Be very careful in your list of sites to allow (e.g. no search engines or sites which allow posting of HTML)

At that point you've crippled the Internet connection to the point of very limited usefulness and set yourself up for a whole lot of work (and you're still not 100% secure, those are just the more obvious avenues of circumvention). Internet censorship is really hard, very seldom reasonably justifiable and a really stupid thing to do in the context of a family IMO.


All dogma is stupid.

At that point you've crippled the Internet connection to the point of very limited usefulness.

Agreed, this is not something you could use e.g. for setting up a school library computer lab so the children can do research on the internet. They wouldn't be able to get any research done. There are, however, people who just want their kids to be able to access a dozen or so sites they've pre-screened (typically, to play silly little plugin-based pseudo-educational but largely harmless games based on licensed characters), and it _would_ work for that. I was getting the idea this was the sort of thing the original poster had in mind, although I could have been misreading his intentions.

Regarding how the firewall is set up, I was assuming you would block anything you don't specifically need -- that's the only sane way to set up a firewall anyway. I wasn't thinking about proxying DNS though, but come to think of it, there _could_ be proxies out there running on that port, although how the kids would find them without general access to the net is another question.

Internet censorship is really hard, very seldom reasonably justifiable and a really stupid thing to do in the context of a family IMO.

The real issue there is leaving the kids unsupervised. If there were no internet connection at all, and no television either, and no other objectionable content available, there are still plenty of *other* potential problems, many of which are life-threatening. Frankly, if your kids are home alone, the internet is the *least* of your worries. (If they're not home alone, but the internet is someplace where they have privacy, like their bedrooms, then that's the whole problem; put the internet in the living room and suddenly it becomes supervised.)

And yes, there are some few children who by age ten or so are sufficiently responsible and grown up that they can be left home alone for a few hours at a time, but these are unusual, and generally they also can be trusted to go to the public library alone, use the internet alone, fend off telemarketers alone, etc., in other words, they're practically adults. Even then, they should NOT be left to supervise other children alone (because the other children won't think of them as adults, and they don't have the physical size or strength to force the issue if need be).