
HOWTO best setup an adult-content blocking wifi router (?)

Discussion in 'Self Improvement' started by lionace, Nov 12, 2015.

  1. lionace

    lionace Guest

    Cheers to everyone,

    I recently spent some time to test out several ways to block adult content on my internet devices. I use a desktop, laptop and an android phone and was not very happy with maintaining some anti-porn plugins which are browser-specific and need to be installed on every device. Furthermore, they can be disabled by just one click which is too tempting for me.
    I've also heard of OpenDNS but when I tried it it did not even block half of the pages I tried in about five minutes.

    Luckily I found some instructions on the web to set up my wifi router with a custom firmware which allowed me to black list a self-defined set of domain names.
    The approach is not perfect since it just reroutes the DNS queries, i.e. the domain names do not get translated into their respective IP addresses any longer, and if you had the IP you could still load the web page.
    So far, this however blocks 99% of Ads and all adult sites I was accustomed to.

    This is how it was done (short description)
    • Grab old wifi router TP-Link WR1043ND and flash it using DDWRT (custom firmware)
    • Set up DDWRT via web interface as desired to manage all client devices.
    • Store a very short startup script in the non-volatile memory of the router which is executed on every boot, downloading a larger script which finally starts a dns server using the host files. All DNS requests are routed through that locally running server.
    • Host the script plus three host files (porn,ads,custom) on an external web server. They contain all domain names which should be blacklisted. It had not been easy to find a reasonably large host file for blocking porn.
    As I can tell from the first weeks of usage this helped me to block myself successively out of P.

    What are the down sides:
    • The blocking functionality relies on whether the external web-server can be reached. However, the wifi router does not offer enough flash disk space to store the host files along with DDWRT, apart from that, the ads host file is being frequently updated.
    • The porn host file is static, eventually some sites will emerge which are not blocked...
    • The external web server is a security problem: if anyone gets hold of the host files and the script he/she can easily hijack my router and break into my home network.
    My idea how to do it better:
    • Create a custom firmware (OpenWRT) with enough space to include scripts and the porn host file (5MB)
    • Run a web proxy which can block http content based on keywords
    • In addition, feed this web proxy with AdBlock Plus rules available online
    Maybe someone reading this is interested in some details or has some experience to share? I am really just interested in a self-contained router solution which does not depend on a particular IT service (like OpenDNS) or software required on client side.
     
    Last edited by a moderator: Nov 12, 2015
    Heffe likes this.
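The first post notes that a boot script which downloads files from an external web server lets anyone who controls those files take over the router. The following is an added example, not part of the original thread, of a startup script that only accepts a download whose SHA-256 matches a value stored on the router; the server URL, file paths and pin are placeholders.

```shell
#!/bin/sh
# Added example: pin the SHA-256 of a remotely hosted file inside the router's
# startup script and refuse anything that does not match.
# URL, paths and the pinned hash below are placeholders (assumptions).

# verify_sha256 FILE EXPECTED_HEX -> status 0 only on an exact match
verify_sha256() {
    [ -f "$1" ] || return 1
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# install_if_trusted TMPFILE EXPECTED_HEX DEST
# Moves the download into place only after verification; otherwise deletes it
# and leaves any previously installed copy untouched.
install_if_trusted() {
    if verify_sha256 "$1" "$2"; then
        mv "$1" "$3"
    else
        rm -f "$1"
        return 1
    fi
}

# fetch_verified URL EXPECTED_HEX DEST
fetch_verified() {
    tmp="$3.download"
    wget -q -O "$tmp" "$1" || { rm -f "$tmp"; return 1; }
    install_if_trusted "$tmp" "$2" "$3"
}

# Boot-time use (runs only when the script is called with --boot).
if [ "${1:-}" = "--boot" ]; then
    BASE="https://files.example.invalid"        # placeholder server
    PIN="<sha256-of-porn.hosts>"                # placeholder pin, set by hand
    if fetch_verified "$BASE/porn.hosts" "$PIN" /tmp/porn.hosts; then
        # dnsmasq can then read it via "addn-hosts=/tmp/porn.hosts"
        logger -t blocklist "porn.hosts verified and installed"
    else
        logger -t blocklist "porn.hosts failed verification, not loaded"
    fi
fi
```

A fixed pin suits the script and the static list; the frequently updated ads list would instead need its hash or a signature published through a channel the web server cannot alter.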
  2. nfprogress

    nfprogress Fapstronaut

    I am very much a tyro when it comes to networking, but I have noticed some of the solutions that larger corporations work with. I am wondering if you would consider something like pfsense? If I were undertaking a project like that, I'd probably look into a combined router and firewall (or UTM system generally). It is likely overkill, but I'd get the experience of learning to configure a very robust tool. From a philosophical standpoint, I like solutions where you can exclude all traffic and only allow very specific IP addresses. That way you don't have the problem of a static host file. I wish I had more networking chops so that I could offer better discussion/advice, but alas I don't currently.

    In a different vein, I wouldn't want to go through a huge amount of work only to later realize that my configuration doesn't do a good job at blocking p-sub images as well. Long-term I think image blocking may be the most robust (for me specifically, as porn is not a big problem and I'd prefer to filter via a different mechanism all together).
     
  3. lionace

    lionace Guest

    Dear nfprogress,

    would you mind elaborating a bit about your notion of "image blocking"?
    I'd prefer a simple solution as well and as far as I remember pfsense it struck me as somewhat complex :)

    I definitely want a close-to-static router setup for my home network.
    To block all traffic and just whitelist some seems a good solution for a server but on my personal computer and other clients I'd need to create exhaustive whitelisting and every time I install/try something else need to touch the router.
    I wonder if one could come up with something that simple that joe user could actually get it and it works okay out of the box.

    Of course with blacklisting approaches one can never demand 100% coverage - if I want to see nude content / xxx sites on my setup really really badly I can still do it - but the effort would be ridiculously high - and that's what currently still helps me to prevent that from happening :)
     
  4. Kyoheix

    Kyoheix Fapstronaut

    I just used the default access restrictions on stock Dd-wrt firmware (WRT54GS here).
    They kind of work, you cannot block all porn but it helped me not to get back to my usual psubs that always end up escalating to a full blown PMO binge.
    It is worth noting that, you can block, you can unblock. You can use proxies or a tor pass-through.
    Just to be sure I didn't end up disabling the filters, I set up a password, checked that everything was working, sent the password to future email and effectively locked myself out of psubs and out of my router.
    Good thing is, the website I was using depends on flash and flash gets broken over a proxy.
     
    nfprogress likes this.
  5. MyNameIsX

    MyNameIsX Fapstronaut

    Can you store it on an external hard disk and set up a symbolic link? Maybe a nas and mount it via nfs or samba?
     
  6. lionace

    lionace Guest

    Yes. I can mount a small USB pen and put the files there. It is possibly the most convenient way to edit/replace the host files, but beware... you'll have access to the host files and if tempted you just remove the USB key, reboot the router and your internet is unprotected!
    Mounting in DDWRT is easy as it is done automatically on boot-up, just format the stick with ext2. One just needs to take care that the boot-up script waits until the mounted share is available.

    After giving it some thought it is probably anyways the best approach right now as it does not rely on external sources which is potentially unsafe.

    Finally I believe the best solution is to use the image builder of OpenWRT where these files can be stored permanently in the flash memory - they get compressed, too :)
    They are however static and cannot be altered except by reflashing the device. A router with at least 8G of flash mem is required.

    Edit: this gets technical. Maybe better to create a homment page and put all info there, hmm? Would be great to create an OSS anti-porn DIY kit.
     
    Last edited by a moderator: Nov 27, 2015
  7. Kyoheix

    Kyoheix Fapstronaut

    You can always MMC-Mod your router, stick a card inside and forget about it so you can't easily remove it.
     
  8. lionace

    lionace Guest

    really? so how's that possible? any router, or just selected models?
     
  9. MyNameIsX

    MyNameIsX Fapstronaut

    Ah, but that's why you setup a cron job that checks if the drive is mounted. If it isn't then the router gets put in a reboot loop until you plug it back in.
     
  10. lionace

    lionace Guest

    clevvvver :) Yes, you can do that. But in the end just replace the host files on the USB and you're done anyways.
    Best would be to have an encrypted drive but I need to look into that if it is doable using the base system
     
  11. lionace

    lionace Guest

    Hi there,

    minor update: I just received that second tp-link router (same model, different hw revision 1.8 instead of 1.1) I ordered on ebay.
    Looking fwd to do some of the previously described OpenWRT experiments on it.
    Will keep you updated of the progress...
     
  12. lionace

    lionace Guest

    Next update: I installed the latest stable of OpenWrt it looks much better than DDWRT. It was very easy to setup and I don't agree with others that say the web interface looks cluttered.
    Advantages:
    • host files/script can be included statically; no fetching from remote server via wget necessary
    • update of ads host file is still retrieved via wget
    • config changes and newly installed packages are stored permanently
    Overall, it was much simpler and easier than the previous installation using DDWRT; I can probably create a custom firmware build which can be flashed directly from the stock ROM of the router!
    I will publish a link as soon as I got time for this.
    We can think of many more great additional features (like http proxying etc) and firewall filtering but nothing beats this solution in robustness and simplicity.
     
  13. lionace

    lionace Guest

    More news:
    I checked out other methods to filter adult sites on that router of mine. These are the tools I've used:
    • polipo
    • privoxy
    • dansguardian
    There're substantial differences between methods, and all have their pros and cons:
    1. dnsmasq - using host files blocking entire domains
    2. dansguardian - probably the safest choice it uses content filtering, weighted keyword search, URL and domain filtering and is actively updated with rule sets
    3. privoxy / polipo - a black list using regular expressions in URLs can be specified
    1. is simple and fast, it just seems impossible for me to find a reliable host file for porn that is actively maintained and updated frequently. I use a static one in my OpenWrt setup. That method as of now seems to be the only one which does not slow down browsing like stupid. I've also learned how you can use a local mini http server to suppress the error messages in the blocked sites and ads. It seems convenient at least for the hardware I am currently using.

    2. is slow and needs a lot of resources. this thing can even detect malware and viruses before your browser shows the page. It is highly configurable. It would be great to evaluate router HW and find what exactly is needed to run this properly. It may be that some delay cannot be avoided since the SW has to download the entire site in order to process it prior to delivering it to your browser!

    3. privoxy / polipo - it helps nicely with ads, since it can match more reliably than just host files itself. Unfortunately I couldn't find any rule sets for adult sites, it would have been nice to try that out. On the other hand it quickly exceeds my router's memory so for that some better HW is needed, too.

    Conclusion:
    As long as I run my current HW the best thing is to stick to an improved dnsmasq+hostfiles approach. I might combine it with a http server that suppresses error messages of ads/pages/frames which could not be loaded due to the blocking.

    On the long run I will not be satisfied with this, and I am considering buying a Banana Pi Router. It has nice specs, 1G Mem, option to put there an SSD even.... resources should be sufficient to run a setup that I imagine like this:

    INTERNET -> dnsmasq -> polipo -> dansguardian -> browser

    dnsmasq can filter using my current hostfile setup
    polipo can use large cache and is able to speed up access of pages!
    In addition it can use rules to filter some URLs (works well for ads, not so well for porn)
    dansguardian will filter based on content and even if some adult sites can be loaded all the imagery and the links to the actual videos are being blocked...

    PS: slipped into binge mode and have to take care that setting up this filtering stuff and trying it out is not actually doing me harm... so I might give it a pause for a while!

    Update: tried the blocking of error messages in the browser via uhttpd server but it is not worth the while. That doesn't work for https ads which take the majority of blocked ads. On restricted sites I do not mind an error message being displayed...
     
    Last edited by a moderator: Dec 11, 2015
  14. lionace

    lionace Guest

    Another minor update:

    I bought a 2nd hand Linksys WRT1200AC. This seems to be a nice device (dual core arm v7, 128MB flash, 512MB ram, USB 2/3 and eSATA) and I planned to implement there all services I need (file sync server, polipo+dansguardian, usb printer server, dnsmasq+huge host files).
    Unfortunately this looks like a bit of testing and tweaking might be necessary since OpenWRT does not support it that well and all stable as the former TP-Link router model.

    In fact the TP-Link WR1043ND would be a great device to use just for simple dnsmasq porn/adblocking but most regularly updated blacklists are way too big to fit in RAM. This can be accomplished using the Linksys router model though. Yet another possibility is to exchange the 32MB RAM with 64MB RAM but this would require soldering.
    If anyone knows about a good porn/adult-site blacklist which is publicly downloadable and does not exceed like 2-3MB I could release my scripts, images and instructions for the TP-Link.

    As of now I use a static host file for porn blocking which is already getting old and has a size of 2MB, and I checked other resources but these easily exceed 20MB of size, and I don't know of a good way to reduce the size of a host file while maintaining just the most common domains. Ideas anybody?
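One lossless way to shrink a host file before giving it to dnsmasq, as an added example that is not part of the original thread: dnsmasq's `address=/domain/ip` form answers for a domain and all of its subdomains, so duplicate entries and any host whose parent domain is already listed can be dropped. The function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: convert a hosts-format blocklist (stdin) into dnsmasq
# "address=" lines (stdout), removing duplicates and every host that is
# already covered by a listed parent domain.
hosts_to_dnsmasq() {
    awk '
    {
        sub(/#.*/, "")                        # strip comments
        sub(/\r$/, "")                        # tolerate CRLF files
        for (i = 2; i <= NF; i++) {           # field 1 is the sink IP
            d = tolower($i)
            if (d !~ /\./ || d ~ /^localhost\./) continue
            seen[d] = 1                       # set membership = dedupe
        }
    }
    END {
        for (d in seen) {
            p = d; covered = 0
            # walk up the name: a.b.example.com -> b.example.com -> ...
            while ((k = index(p, ".")) > 0) {
                p = substr(p, k + 1)
                if (p in seen) { covered = 1; break }
            }
            if (!covered) print "address=/" d "/0.0.0.0"
        }
    }' | sort
}

# Constructed sample input (not a real blocklist).
sample_hosts() {
cat <<'EOF'
# constructed sample
127.0.0.1 localhost
0.0.0.0 ads.example.com
0.0.0.0 example.com www.example.com
0.0.0.0 Tracker.Example.NET   # mixed case duplicate below
0.0.0.0 tracker.example.net
0.0.0.0 cdn.img.example.org
EOF
}

# Usage on the router (path is an assumption):
#   hosts_to_dnsmasq < porn.hosts > /tmp/block.conf
#   then reference it from dnsmasq with: conf-file=/tmp/block.conf
```

On the sample, five listed host names reduce to three `address=` lines, and the result blocks exactly the same names as before.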
     
  17. I didn't do anything fancy on our router at home. I casually asked my brother (IT guy) how to block stuff "in case of viruses" and then after he left, I dumped all my regular porn sites into the URL filter. It's not foolproof because all I have to do to defeat it is turn off the wireless on my phone, but it's still an extra step and sometimes that's enough. It's also pretty nice when I forget it's there and then I get a big 'page not found' when I try to hit a favorite site. It's definitely saved me more than once.
     
  18. lionace

    lionace Guest

    Sure, and basically it's nothing different except that I block also ads and the xxx host list is huge.
    Needless to say that there's always a way to circumvent the protection (just using google and check on the results until you find a new site which isn't blocked) but that's not the point.
    Thing is I can't 'enjoy' PMO without my regular well-established resources so it elevates the relapse barrier notably :)
     
    Jen@8675309 likes this.
  19. MyNameIsX

    MyNameIsX Fapstronaut

    Yeah, clicking on endless broken websites quickly becomes non fun. To have a porn or psub relapses at the moment I need to either trawl through a lot of sites to find one that actually works (most of the common ones linked in the first few pages of search results will be blocked), or reconfigure my router which has a 50/50 chance of breaking a bunch of stuff anyway.

    I can't be bothered to do any of that, so I stay clean instead.
     
    lionace likes this.
  20. lionace

    lionace Guest

    Just out of technical interest what is it that you use? Which router? Stock firmware? How many sites do you block? Do you have to maintain your list yourself?
    I've had a hard time so far of finding reasonably sized porn host lists which get updated regularly. Yeah, I know of a few and the archives are huge, so they wouldn't fit in my router's mem.
    My upper bound limit until now is ~100,000 blocked hosts (determined by try&error)...
     
