I understand, but just as there are rules to block pornographic videos, there must be some rule to block pornographic images of ANNIE HENTAI.
Blocking is never the answer, they will always find a way.
It's better to educate and to supervise until a certain age. When they reach puberty you just have to learn to trust them.
Ok, excuse me, so I block the pornographic videos
You didn't read what I wrote, did you? You can ignore the last sentence, but the rest stays. There's nothing to work with, you didn't provide any useful info.
This will no longer work as most web browsers now default to using DNS over HTTPS to increase user privacy. That rule is for classic DNS - it would have worked before DNS over HTTPS came out, but is now almost useless. There is no way to construct a rule that will match DNS over HTTPS traffic in that same way.
add action=dst-nat chain=dstnat comment="block porn" dst-port=53 protocol=udp src-address-list="BLOCK PORN" to-addresses=208.67.222.123 to-ports=53
Too funny Jotne, I thought this thread was about blocking porn, not facilitating access to porn! ;-P
Turn off safe search on your google search.
Do a search for example for "sex nude"
Select picture.
To block this, you need to have 100% control of the PC.
You can block google.com, but then just use bing.com instead. Same problem.
Good one.
most web browsers now default to using DNS over HTTPS to increase user privacy.
Well it is true - increasing user privacy is the main goal of it. So in this case, the aim is to increase the privacy of the son, and give his father less ability to see what his son is doing.
Good one.
/s
The chain is as follows:
Is untangle applied at the router level or on each PC?
I have not done this using MikroTik Routers ... I have done this for a number of families using Ubiquiti EdgeRouter-X and Untangle ... To prevent porn some families will pay the price without hesitation but most of these are well-to-do families. It's not complicated once you learn how ... yes it takes time to learn and I do not believe that RB devices would be a problem since they are extensible.
It looks rather complex, have you managed to figure out how to place inline in a bridge with common vlan filtering setups??
Can this block porn when you do a google search for "sex nude" and search filter is turned off?
You can block porn by using a solution like Untangle running in conjunction with your RB Router ...
The Untangle admin will never turn Web Filter off ... the level of sophistication is significant:
Can this block porn when you do a google search for "sex nude" and search filter is turned off?
How should Untangle see the difference between a search for "Nasa" and one for "sex"?
The Link above provides excellent additional information
Web Filter monitors HTTP and HTTPS traffic on your network to filter and log web activities and block inappropriate content. Web Filter also appeals to customers who require an added level of protection or are subject to regulations (for example, Web Filter helps libraries comply with the Children's Internet Protection Act). Need to block Pornography or Hate Speech on your network?
Traffic Flow
When scanning traffic, Web Filter evaluates the pass lists, block lists, categories, and rules at two distinct points of the HTTP transaction. The first evaluation happens after the request is received from the client and before it is forwarded to the server. The second is after the response is received from the server and before it is passed back to the client. This allows a high degree of filtering and control over both resources that are requested, and content that is returned in response.
So this solution does not work if you do not have 100% control of all clients in the network.
The Untangle admin will never turn Web Filter off ... the level of sophistication is significant:
Yes but you have to buy an untangle box and put it as your router or inline on the LAN as a conduit to the WAN, and you have to pay a monthly fee.
So untangle will help here? (I have not looked at it)
Untangle can also do man-in-the-middle SSL decryption and re-encryption, like Palo Alto and Fortinet devices. You have to trust the certificate of course in order for this to work properly without throwing scary errors to the user.
And this will open google search (https/quic) packets and block search for "sex nude"?
How can I trust the https?
I can understand how this can block sites, but not some part of data from a site.
It will not help OP, who would like to do it with an MT Router.
So then you need to have control of the clients (PC/Phone ++++). Not for any home/small business network.
Untangle can also do man-in-the-middle SSL decryption and re-encryption, like Palo Alto and Fortinet devices. You have to trust the certificate of course in order for this to work properly without throwing scary errors to the user.
In all of my Untangle installations none of the families permits their children to have cell phones. Yes it is strictly enforced because those families understand the environment. Untangle is very effective.
So then you need to have control of the clients (PC/Phone ++++). Not for any home/small business network.
And for home network, kids just connect to mobile network if you start to block anything.
Best words so far in this thread.
True, better to educate than to deny because deny doesn't work in our society especially if you have money.
Also a good comment. Friends share their mobile net.
I guess they don't permit their children to have friends either? Because if they do, the whole thing is in vain.
How old are your children and what country are you in?
In all of my Untangle installations none of the families permits their children to have cell phones.
###### Disable Malware and Adult Content using Cloudflare DNS: https://blog.cloudflare.com/introducing-1-1-1-1-for-families/
/ip dhcp-client set [ find interface=ether1 ] use-peer-dns=no
/ipv6 dhcp-client set [ find interface=ether1 ] use-peer-dns=no
# disable malware and adult content
/ip dns set allow-remote-requests=yes servers=1.1.1.3,1.0.0.3,2606:4700:4700::1113,2606:4700:4700::1003
/ip dns cache flush
Yes, any fresh OS and browser is able to do DoH. I've successfully used deterrence for this, by announcing that porn is blocked with additional rules to automatically block out any device that tries to get past the restriction. It works, no technical blocking rules needed if users believe
Some clients are using DoH/DoT and will not use normal DNS server at all. (example iOS >=14)
https://paulmillr.com/posts/encrypted-dns/
However, you can block access to (known) DoH-Server IPs. Which then forces fail-back to standard DNS.
There is no way to construct a rule that will match DNS over HTTPS traffic in that same way.
add action=dst-nat chain=dstnat comment="block porn" dst-port=53 protocol=udp src-address-list="BLOCK PORN" to-addresses=208.67.222.123 to-ports=53
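The two points above (a UDP/53 dst-nat rule only catches classic DNS; cutting the IPs of the well-known DoH resolvers pushes those clients back onto the DNS the router controls) can be put into one RouterOS configuration. What follows is an added example for this thread, not configuration posted by anyone in it. It assumes a RouterOS 6.41+ or 7.x device with the default `LAN` interface list, that the router's own resolver (`/ip dns`) already has `allow-remote-requests=yes` and a filtering upstream like the Cloudflare family servers shown earlier, and that the addresses in the `public-doh-resolvers` list are the public anycast addresses of Cloudflare, Google and Quad9. Any other public or self-hosted DoH server has to be added by hand, which is exactly the gap raised later in the thread.

```routeros
# Added example (not from this thread): force LAN clients onto the router's
# filtering resolver and make the well-known encrypted-DNS paths fail, so
# clients fall back to it. Assumes the default "LAN" interface list and a
# router resolver with allow-remote-requests=yes and a filtering upstream.

# Public resolvers that also answer DoH on TCP/443. The list is an assumption;
# extend it with whatever resolvers you actually see in your logs.
/ip firewall address-list
add list=public-doh-resolvers address=1.1.1.1 comment="Cloudflare"
add list=public-doh-resolvers address=1.0.0.1 comment="Cloudflare"
add list=public-doh-resolvers address=8.8.8.8 comment="Google"
add list=public-doh-resolvers address=8.8.4.4 comment="Google"
add list=public-doh-resolvers address=9.9.9.9 comment="Quad9"
add list=public-doh-resolvers address=149.112.112.112 comment="Quad9"

# Classic DNS: whichever server the client asked for, the router answers.
# action=redirect targets the router itself, so no router IP is hard-coded.
/ip firewall nat
add chain=dstnat in-interface-list=LAN protocol=udp dst-port=53 action=redirect to-ports=53 comment="plain DNS -> router resolver"
add chain=dstnat in-interface-list=LAN protocol=tcp dst-port=53 action=redirect to-ports=53 comment="plain DNS over TCP -> router resolver"

# Encrypted DNS: DoT (853/tcp) and DoQ (853/udp) carry nothing else, so cut
# them outright. DoH shares 443 with ordinary web traffic, so only the listed
# resolvers are cut. A TCP reset makes the client give up at once instead of
# hanging on a silently dropped handshake, which is what triggers its fallback.
/ip firewall filter
add chain=forward in-interface-list=LAN protocol=tcp dst-port=853 action=reject reject-with=tcp-reset comment="DoT"
add chain=forward in-interface-list=LAN protocol=udp dst-port=853 action=drop comment="DoQ"
add chain=forward in-interface-list=LAN dst-address-list=public-doh-resolvers protocol=tcp dst-port=443 action=add-src-to-address-list address-list=doh-attempts address-list-timeout=1d comment="record which client tried DoH (non-terminating)"
add chain=forward in-interface-list=LAN dst-address-list=public-doh-resolvers protocol=tcp dst-port=443 action=reject reject-with=tcp-reset comment="DoH to known resolvers"
add chain=forward in-interface-list=LAN dst-address-list=public-doh-resolvers protocol=udp dst-port=443 action=drop comment="DoH over HTTP/3 to known resolvers"
```

The filter rules have to sit above any general accept rule in the forward chain (with the default firewall that is already the case, since new LAN connections are not matched by an explicit accept). `/ip firewall address-list print where list=doh-attempts` then shows which clients keep trying encrypted DNS, which is the information the "announce it is blocked and watch who tries" approach above relies on. Keep the router's own DNS closed to the WAN side (the default input-chain drop does this), otherwise `allow-remote-requests=yes` turns the box into an open resolver.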
No.
Turn off safe search on your google search
You can block google.com, but then just use bing.com instead. Same problem.
You are correct, when stating "nearly". But it is much closer to 100%, as your comments suggest.
It was just to show that trying to block some are more complicated and nearly impossible today.
If your network cannot control all of its networked clients then porn cannot be blocked or dropped ...
So please show me a solution that is up to 100% secure without controlling the clients.
Can't be done.
How do I block pornographic images in my RB?
Obviously, you did not read my post. Or, you did not understand. Then it does not make sense, to explain more details to you, regarding
In Turkey they blocked various sites, like Wikipedia. DoH fixed access to it.
So please show me a solution that is up to 100% secure without controlling the clients.
At first glance, part of it contains a commercial version of squid, to intercept http(s). Impossible to be done on MT, but, as I wrote already, to be done yourself on openwrt device, or small Linux box. Which must run within network of clients, and installed to "see" all traffic.
@Jotne
Very comprehensive description of how web filter works in untangle: https://wiki.untangle.com/index.php/Web_Filter
This is what I was looking for. Since you need to do something with the clients, this is more or less the same as how Palo Alto or Forcepoint works.
Intercept of https and de-crypt/inspect/en-crypt requires cert installs on clients, as described.
1), 3) Not sure, that you really understand: Messing around with certs is only required when blocking https://_URLs_ . For ISP/hotels/shops/home usage, blockage of porn sites is good enough. I did several variants of simple clones of openDNS for various WISPs, for them not to pay royalties for commercial use of openDNS.
1) This is what I was looking for. Since you need to do something with the clients, this is more or less the same as how Palo Alto or Forcepoint works.
Intercept of https and de-crypt/inspect/en-crypt requires cert installs on clients, as described.
Only a solution for a company that has 100% control of their clients. Not for ISP/hotels/shops/home users that have uncontrolled clients.
2) Blocking DoH by IP (firewall) is only possible to some degree. I can just set up a DoH server at any VPS center and bypass it.
3) This also needs a dedicated IT department. White list pages that can not be open, or should not be open like banking. TV and other devices that need internet (Netflix) that do not handle certificates. +++
This is a wrong generalization.
Porn is unblockable.
I would say closer to 80%, not 99.9%
Correct is: "Porn is not 100% blockable, but 99.9%". Assuming proper knowledge and tools, of course.
And you are off topic again.
Bad example: Various methods to force "Safe Search" for bing, google, etc. For details, google "How to force safe search google".
Agree with @rextended, the OP left long ago. Content filtering is always a game of whack-a-mole, so nothing is going to be 100%.
... that this is not possible on Mikrotik, running RoS. In case the mikrotik is running openwrt, you can do it.
Go to your nextdns account settings > parental control > categories > add "porn" to the blocked category, then enable "safe search" and lastly enable "block bypass methods".
/ip firewall nat
add chain=dstnat action=dst-nat to-addresses=192.168.88.1 to-ports=53 protocol=tcp dst-port=53
add chain=dstnat action=dst-nat to-addresses=192.168.88.1 to-ports=53 protocol=udp dst-port=53
This solution is as far as 99.9% as it can get. Just google on how to ignore the Force Safe Search and you are done.
You are wrong, in regards regarding clients: "Force Safe Search" is possible _WITHOUT_ doing anything on the clients.
Until someone changes the math, 100% is not identical to 99.9%,
Correct is: "Porn is not 100% blockable, but 99.9%"
I think my reference to "whack-a-mole" requires a visual since it's in-line with @Jotne's thoughts:
Yes, you can block some with DNS, yes you can block some with IP, Yes you can block some more with Safe Search and you can even block more with control of the clients.
All I meant by "DNS intercept road" was the approach of trying to force clients to use the Mikrotik router's DNS, typically by setting DHCP to only use the Mikrotik with some mix of firewall mangle rules if you want to cover more (and certainly not ALL cases). None will be even close to 100% - and maybe 0% for even a lightly skilled user who wants to bypass the restrictions.
" ... But if you're going down the DNS intercept road, this would be another stop I'd imagine."
1,2) Sorry, you are wrong again. The methods proposed only disable safe search, in case it is enabled in browser. Not applicable to the name server based method.
1) Just google on how to ignore the Force Safe Search and you are done.
2) Or you can just change browser.
3) Again: Without 100% control of all clients, you can not block porn.
4) @reinerotto What are you trying to defend here with all these posts? That it's easy to block porn with RouterOS?
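For what the "name server based" Force Safe Search mentioned above looks like on a MikroTik, here is an added example (not configuration from anyone in this thread): static DNS entries that answer the search engines' hostnames with the "safe" aliases each engine publishes for exactly this network-wide use. It assumes RouterOS 7.x (CNAME static entries; v6 only takes A records), that clients really resolve through the router (the port-53 redirect rules posted earlier in the thread take care of that for clients on plain DNS), and that the alias names (forcesafesearch.google.com, strict.bing.com, safe.duckduckgo.com, restrictmoderate.youtube.com) still match the engines' current documentation.

```routeros
# Added example (not from this thread): network-side "Force Safe Search" with
# RouterOS 7 static DNS. Only affects clients that resolve through this router.
# Alias names are the ones each engine documents for network-wide safe search;
# verify them against the engine's current docs before deploying.
/ip dns static
# Google: only www.google.com is covered here; every country domain the users
# reach (www.google.de, www.google.co.uk, ...) needs its own entry.
add name=www.google.com type=CNAME cname=forcesafesearch.google.com comment="safe search"
# Bing
add name=www.bing.com type=CNAME cname=strict.bing.com comment="safe search"
# DuckDuckGo
add name=duckduckgo.com type=CNAME cname=safe.duckduckgo.com comment="safe search"
add name=www.duckduckgo.com type=CNAME cname=safe.duckduckgo.com comment="safe search"
# YouTube restricted mode (moderate); restrict.youtube.com is the strict variant.
# The API hostnames matter too, otherwise embedded players bypass the setting.
add name=www.youtube.com type=CNAME cname=restrictmoderate.youtube.com comment="safe search"
add name=m.youtube.com type=CNAME cname=restrictmoderate.youtube.com comment="safe search"
add name=youtubei.googleapis.com type=CNAME cname=restrictmoderate.youtube.com comment="safe search"
add name=youtube.googleapis.com type=CNAME cname=restrictmoderate.youtube.com comment="safe search"
add name=www.youtube-nocookie.com type=CNAME cname=restrictmoderate.youtube.com comment="safe search"

# Drop cached answers so clients that already resolved the real records
# pick up the aliases on their next lookup.
/ip dns cache flush
```

The aliases work because each engine serves its safe-search endpoint under a certificate that is valid for the original hostname, so the browser sees no warning; that is what makes this possible with nothing installed on the client. It does nothing for a client that resolves over DoH or DoT, which is why it only pays off together with the redirect and DoH-blocking rules discussed earlier, and it does nothing against simply switching to a search engine that is not in the list. On RouterOS 6 the same idea needs A records (`address=`) pointing at the addresses the engines publish for their safe-search hosts instead of CNAMEs.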
Perhaps write a useful post sharing your enlightened config that solves all these problems?
What are you trying to prove?
You still did not answer my question, how can you claim, 100% control of clients is required, to block porn.
I do not spread wrong information.
First of all, the fact, that you still did not provide an argument, why 100% control of user device is required to block porn, confirms, that you have none.
@reinerotto
To solve this discussion: give me a VPN to a site that you control and is porn secure, and I can send you some screenshots showing what I can get when using your VPN. (As long as you have standard usable open net. Not all IP blocked.)
Ok, again these stupid grammar games just for morons.
The statement "porn is unblockable" is wrong already, when at least ONE porn site is automatically recognized and blocked.