Inside Out

Content filters

Over the last few weeks, I have been experimenting with various content filters. The experiment is mainly geared towards a crazy idea of mine - blocking a few URIs I tend to spend lot of time on! Since the user we’re blocking has root access :), the more number of steps it takes to disable, the better it is!

I will put down a list of items I tried (in the order increasing complexity).

### Firefox content blocker

[Procon-latte](https://addons.mozilla.org/en-US/firefox/addon/1803) absolutely rocks. Set the appropriate filters. And then set the password blind-folded(**blind password** is **not** recommended, it will render firefox useless). Pretty simple :)

So procon latte actually blocks based on text, so search engine results are also blocked. Also I use Opera as my primary browser, so we are sorta back to square one!

### The hosts file

Fill in the black list URIs in /etc/hosts, redirect them to 127.0.0.1. E.g.

# 127.0.0.1 foobar.com www.foobar.com

Make things little tough for `root` to modify:

sudo chattr +i /etc/hosts

This command will block modifications to the file at file system level. So the hacker has to do a `chattr -i` before editing the hosts file.

Not good. I again broke this. Time for new approach.

### Block at DNS

I do use a dns cache on my localhost. I set it up to use opendns, and then block the related URIs. In this a dns query for the URI will return the opendns bad URI ip `208.67.219.130`.

There is a problem, my ISP uses dhcp and it updates the nameservers for each connect. The `chattr` blocks that modification. But /me does this:

dhcpcd -x # close any existing dhcp connectionchattr -i /etc/resolv.conf # allow editing this filedhcpcd # fetch me the old ip addr and updates my nameservers in resolv.conf

OK there is the `dhcpcd.conf` option to not modify `/etc/resolv.conf`. That's still easy.

### WTF! It's impossible. Thou art r00t.

The above step pretty much works, just that I need to block the dns changes. What the heck, time to figure out something in terms of those TCP/UDP/IP packets.

So all dns queries go as UDP packets with port 53. Why not block them at my system itself? Here are the iptables oneliners:

sudo iptables -I OUTPUT 1 -p udp --dport 53 -j REJECT # reject all outgoing packets on port 53sudo iptables -I OUTPUT 1 -p tcp --dport 53 -j REJECT# Allow outgoing connections to opendns nameservers only!sudo iptables -I OUTPUT 1 -p udp -d 208.67.222.222 --dport 53 -j ACCEPTsudo iptables -I OUTPUT 1 -p tcp -d 208.67.222.222 --dport 53 -j ACCEPTsudo iptables -I OUTPUT 1 -p udp -d 208.67.220.220 --dport 53 -j ACCEPTsudo iptables -I OUTPUT 1 -p tcp -d 208.67.220.220 --dport 53 -j ACCEPTsudo iptables -I OUTPUT 1 -p udp -d 127.0.0.1 --dport 53 -j ACCEPTsudo iptables -I OUTPUT 1 -p tcp -d 127.0.0.1 --dport 53 -j ACCEPT

The options are pretty much self explanatory (-I insert, 1 to the first position, -p packet type, -d destination, -j jump target). To verify if the rules work, try `iptables -nvL`, it will show you how many packets are dropped.

I will probably block opendns.org configuration too, or use the blindfold password trick with that!

### More possibilities

I could've tried *dansguardian* with *squid*. But somehow, it looked like an overuse of system resources to stop a single person, and gosh I will have access to `sudo /etc/rc.d/dansguardian stop`. Whatever!

Actually it looks like Opera has a [kiosk mode](http://www.opera.com/support/mastering/kiosk/) where you can specify a filter to block all websites. I use this for a simple adblock strategy. I also had thoughts around writing a script to fetch the [Shalla's blacklists](http://www.shallalist.de/) and append them to `urlfilter.ini` for opera. The problem is with a few thousand websites, it will be definitely a *pain* later for normal browsing.

That's the current setup. Fighting with */me* is fun ;)