Looking for a computer-wide way to block websites
 

Hello,

I would like to block certain websites on my home LAN. There are several utilities, "kid's safety" apps like NetBarrier, or more general stuff like LittleSnitch.

The problem, as I see it, is that all of them work only with a model with 1 admin account. Even in that setting, a rule can often be broken just by moving or renaming the application the rule applies to. And any new admin account created will have no rules.

I wonder if anyone is aware of any method by which access to an IP address on a small LAN can be blocked for any process, controlled perhaps by root.

I would also like to get suggestions for an utility that logs users' access to websites in the background

TIA

Depending on which version (10.3 or 10.4) you have you can block/redirect websites (actually server addresses but usually the same thing) using the Hosts file.

If you open /etc/hosts with TextEdit or similar, you will see a single entry after some comments, something like

127.0.0.1 localhost

You can add as many ip/name pairs as you like, whatever is in the file will override the site's true address. For example:

127.0.0.1 doubleclick.net

redirects any requests to a notorious adserver to your own machine, where it quickly fails. If you enter:

206.125.215.123 apple.com

you won't get Apple, but CNN in it's place. You will have to reboot to make the changes work.

My hosts file has ~1500 entries, mainly adservers. I'll be happy to post it if anyone wants.

Yes, please post it!

Many routers can do this. If you've got multiple computers this can be very useful.

I'll ditto that, routers have access controls where you can set times and dates where internet service will be shut off to that computer and blocks key words and web sites

Do the routers use the computer's MAC address to identify the computer? So if the kid switches the ethernet wires, the router will still block the correct computer? (I do mean MAC, not Mac).

I'd be interested in some recommendations for routers. Can the new Apple Extreme handle this?

Edited to add: In my case, I'm dealing with a mixed environment of Macs and PCs. I want 4 computers (2 Macs and 2 PCs) to be completely unrestricted while 2 other computers (1 Mac and 1 PC) to be controlled. Controlling the router via the internet (when not at home) would be a huge bonus.

They can do all of that and more. Here are screenshots from my DLink DI-524. Oops! I may have spoken too soon. I don't think the DLink can block web sites for specific users.

yes it is by mac address, but I do not know apple networking hardware that well since I never use it. In fact I only use a third party firmware now on Linksys and buffalo routers which has a very nice applications and restirctions option.

here go some screens, I remoted into my home computer and pulled up my router config page to give you an example.

http://img409.imageshack.us/img409/1404/cp1mo9.th.jpg

http://img441.imageshack.us/img441/3343/cp2gh7.th.jpg

That first pic didn't want to come up, but it finally made it after about 5 minutes. The second pic came up quickly.

You said you "remoted into my home computer". How? I currently have two homes, and if I'm at my second home, I would dearly love to be able to control things without having to wait until I go back to my real home. Will the "remoting" work with PCs as well as Macs. I'm assuming yes since it's getting to the router software that matters, right?

What you showed me in those pics looks absolutely fantastic. This is what I need to do, and I never did replace my old, dying router.

Too bad there isn't a website dedicated to listing and comparing all of the major players in the router business so I could have some idea of what I really want. All I know is that I pick up a lot of Netgear networks pretty strongly from other people's networks, and I need to have a strong/long distance router/wireless/whatever.

Well I was working today in windows at work so I just used MS's RDC to remote into my home computer to pull up my router config. All you have to do is forward port 3389 because that is what RDC uses. Its easy to set up. I have a license to ARD admin because I use it at work and I can use that to remote into my macs at home, but that costs some $$$$. There is a free open source version called chicken of the VNC. However, I am not sure if free versions actually encrypt your conenction, which if your doing any kind of work over the internet I strongly suggest you do so through a ssh tunnel or use client software that encrypts itself. You will just have to enable that port in your router config.

If you want your mac to remotely control a PC, MS has RDC for mac for free download off their website. However, there is no way of doing the opposite from the PC side with out installing some third party apps. It is possible though I have done it.

Well, I am running a WRT54GL version of a Linksys router. The L actually stands for Linux, and these were specifically made by Linksys to run third party firmware. I then downloaded and installed the DD-WRT firmware from here:

www.dd-wrt.com

It went on pretty smooth with no problems. I have since then installed the same router with the same firmware for several of my clients on the side. I have gotten no complaints been almost a year too. You can still get the WRT54GL off of newegg.com but I don't think retail stores carry them anymore. If not, there is a long list of compatible routers that dd-wrt firmware supports.

DD-WRT also has a plethora of useful settings in a nice and easy to use control panel. I have my wifi signal boosted to about 85mW which is nice considering by default most home based routers only pump out about 50 or less, depending on the make/model.

An easy way to edit the hosts file is with Hostal

Here it is. 2,120 blocked annoying sites.

It's really a tar archive - the forum doesn't accept tar archives for some strange reason.

Must be saved as /etc/hosts - NOT /etc/hosts.txt or any other file extension.
Reboot to see effects.

:D... unless you enabled web sharing and run your own site, of course.

Not to complain, however - Thanks a million! That's exactly what I needed.

And FYI, the reboot was not necessary, however the emptying of the cache was.

And a curious thing: after every change in the hosts file the first restart failed with the blinking question mark, I had to hard-restart the machine after that failure, after which it invariably started up OK.

PS: I am still hoping that someone can direct me towards an application that tracks users' website accesses in the background.

Still works. Unless you have exactly duplicated the adserver's files your own server will almost instantly belch out a 404 error - either way you don't get the ads or other detritus.

You're right. I see 404 error messages in the place of the ads, mwahahahaha!

This is such a simple method, and yet if a large number of people were using it, the entire system of advertising on the web would collapse.

Works on Windows too: C:\WINDOWS\SYSTEM32\DRIVERS\etc

And if you set up your private webserver to return a blank 404 page you don't see ANY error messages.

Yes, the internet ad business could be considered in danger, but people who block ads are the least likely to buy anything, so we are indirectly doing the ad business a favour by reducing their bandwidth costs and their pay-per-show expenses.

Now, if a company firewall or ISP did the same thing....

Sorry to bring back that old topic again, but I'm currently trying to solve an important problem!

The Terminal command "/etc/hosts" works fine to block entire domains, but what about a specific URL?

For exemple, if I wanna block a profil on myspace.com, does the entire domain have to be blocked? With the Terminal thats what it does : I can block myspace.com, but not only one specific profil, without affecting the accessibility to the other myspace profile.

Is there any way (maybe using the Terminal), I could block a specific URL and make it look like a "404 error" or "server overload", or anything transparent like that

OpenDNS, Mac Os's parental control and third party parental control program will only block entire domains (not URL), and at this point, the only one I found that does it is K9, but it will display a page saying "This site has been blocked by someone you know" or something like that! The teenage I'm trying to protect is not stupid and will just yell at me if he sees this kind of message!

Please help, I desperatly need to achieve this kind of transparent filtering!

Thanks for you help

Geez I just wrote a long reply but I lost it!

Sorry to bring back that old topic, but here's what I want to ask :

Is there a Terminal command or a program that will allow me to block a specific URL and NOT an entire domain??

For exemple, I wanna block a specific myspace profile, without blocking ALL myspace pages.

"/etc/hosts" Terminal command, OpenDNS, Mac Os's parental control, and 99.9% of all third parties parental control softs will block entire domains without giving us the possibility to block a specific URL.

At this point the only one I found that gives us that possibility is "K9 Web Protection", but now the problem is different : when accessing a prohibited website we get a message saying something like "K9 filtering alert, this page has been blocked because it is in your computer's "Always Block" list."

I cant let my teenager see this kind of warning, or else he'll just rush at me and accuse me! I would need this to be a little more "transparent" : like a "404 error" or "server overload" or just anything "vague" like that!

Anyone knows how I could achieve such a thing?

Any help will be very appreciated!

Filtering by URL will have to be done by the browser or a Net Nanny type program - you'll have to experiment to find one you like.

It is possible to do this kind of filtering by proxy, which has the advantage of giving you god-like powers over your network but the disadvantage of requiring god-like UNIX skills to get it running. You could create 404 returns, redirects to fuzzy kitten / axe murder / skanky porn sites, or set off the USB cattle fencer attached to the aluminum keyboard - whatever suits your parenting style.

I have used this free product called k-9 web protection and it allows for a lot of cool things when it comes to filtering. I have set it up for clients too of mine that want parental controls over their kids surfing.

http://www1.k9webprotection.com/getk...d-software.php


Download it, and then request a free license.

Like I mentionned in my previous post, this product works, but since it is not very transparent theres no way i can use it. If they ever offer us the possibility to personalize the page displayed when accessing a prohibited URL, I'll be glad to use it, but that "K9 filtering alert, this page has been blocked because it is in your computer's "Always Block" list." wont do it for old kids!

But thanks for the suggestion anyway!

Could you please put me on a trail. I dont want anything fancy like "skanky porn sites" (you are crazy LOL!!) but just some "eror 404 this page cannot be found" kind of boring message!
I,m sure it's pretty complicated to manage, but could you please put me on a trail. And from there I'll see how fast i can learn!

:p

OK sorry I must have not read your previous post all the way....


If you are running 10.5 you can enable parental controls which does some of that, and there is also a firefox add on called "Public Fox" which I also use at work and it has a built in black/white list where you can allow/disallow full URLs, but I don't use it for filtering. We have a corporate filter system at work, I just use Public Fox to lock down FireFox preferences.

Now, you can modify the /etc/hosts file I believe and put in manual redirects to 127.0.0.1 to a whole list of sites but that is a lot of leg work and has margin for error. Redirecting to the local host should produce a 404 not found error since you most likely aren't hosting any websites off of your Mac at home. However, it will clearly show that you are trying to hit 127.0.0.1 and if your kid knows that is the local host then you well, are defeating your purpose I suppose.

I work at a high school managing thousands of Macs and I have seen quite a few dedicated and smart teenagers waste all of their time at school to just figure out how to bypass something. It is funny how something that like will take up all their time but some of them won't complete their studies, but that is a whole different subject.

Back to Fasterfox for firefox. You can use that to block sites and it will redirect most likely to a 404 but if your kid is smart he will just run a web browser off a disk image or a thumb drive and bypass everything you do anyway, unless you use a system wide filtering app like K-9 web protection.

I hate to say it, but with my experience with teenagers, and I don't have any kids of my own (just have to work with them) that the best method is just talking to them. I have kids try to hack my network and the web filter every day of school non stop and no matter what I do won't stop them from trying unless I have the administration talk to them and let them know the severity of the consequences.

Privoxy is a very flexible filtering proxy, although it can be daunting to set up until you get used to it.

starter is here:

http://www.ex-parrot.com/pete/upside-down-ternet.html

He's using a proxy server to harass wireless leechers but the basics are the same.

My nightmare is over! Finally found an easy (but not free) solution!

Let me share with you guys the results of my tests!

OpenDNS, PithHelmet, the famous "etc/hosts" command on the Terminal, Northern Softwork's Hostal, Mac Os X's Parental Control and most of the traditionnal Parental control softwares ONLY ALLOW YOU TO BLOCK ENTIRE DOMAINS.

If you have young kids that you wish to protect agains general categories of websites or specific domains (but not specific URL or subdomains), all these previous softs I mentionned will do the job!

BUT

If like me you need to block a specific URL (for exemple, just one specific page on myspace.com, BUT NOT all the pages on myspace.com), you can install K9 Web Protection (for free!). Be aware that when rying to access a URL you volontary blocked, a "K9 filter alert" will be displayed, and you cannot change,redirect, or personalize that displayed page.

FINALLY

If like me you need an application that will be completely transparent when blocking a website, an application that lets you block either categories of websites, subdomains or very specific URL's, you need...

Content Barrier (Mac or PC, 30 day free trial available, or else you'll have to buy it!)

That soft is amazing, the only place you can locate it on your computer is in "My application". When accessing a prohibited URL, it lets you choose where to redirect it (in my case, for prohibited myspace.com/exemple, is automatically redirected to myspace.com) which simply looks like the page doesnt exist or a bug, or something weird but for which my teen cant blame me!

There are also many features to receive printscreens every 1 minute or 1 hour of what's happening on your computer, you can also schedual whatever you want or dont want your kid/teen to do, it's very easy to set up, and it's got more features than I'll ever need to use!

There's also one complicated/free way to accomplish this, but be prepared to read and get headaches before you ever reach your goal! Just in case you want to follow that trail here's what I had gathered :
http://www.macosxhints.com/article.p...10117003458918
http://dansguardian.org/?page=whatisdg
http://www.ex-parrot.com/pete/upside-down-ternet.html

Thanks to everyone who offered me their help and suggestion!

:)