PDF English version of this tutorial.

Publication date : Feb 25, 2023, updated : Feb 25, 2023
Main author :  Emmabuntüs collective

The purpose of this manual is to explain what parental controls are under the Emmabuntüs system, and to guide parents in setting it up the CTparental application and start using it.

 

Introduction

If you want to set up parental controls on your computer running Emmabuntüs, CTparental is an excellent solution, embedded within the distribution, and which can be installed and used very easily.
CTparental uses the blacklists maintained by the University of Toulouse (South of France)

Warning :

A parental control is an aid, but will never completely replace the direct supervision of your children when they are using a computer and the dialogue to accompany them when they surf the Internet.

Installation

When you start your computer for the first time after having installed Emmabuntüs, several post-installation windows popup to help you with the customization of your system. The last one concerns the parental control:

After having read carefully the presentation text, you can check the automatic creation of accounts, the names of the children (separated by a space) and their respective passwords (also separated by a space). You can also ask for the creation of a guest account that will also be subject to parental control like the children, but whose data will be deleted at the end of each session.

You can also check the box to automatically launch the configuration interface and then validate by clicking on the OK button.

Configuration interface

Manual Launch

To launch the configuration interface, click on the small icon at the top left of the screen to open the applications menu:

Then choose the Internet category in the left panel and CTparental in the right one.

Authentication

Before launching the interface, the system will obviously ask you for the administrator password:

Of course, we are talking here about the parental account admin password.

First launch

The first time you launch CTparental, it will be permanently installed on your computer.

We start by entering the login ID we want to give to the CTparental interface administrator. For example we type ctAdmin in the field and then Enter (we can also use Tab to move on the <Ok> button, but then you need to use Enter anyway in order to confirm)

 

 

Enter the password for this account one first time:

 

 

And a second time to confirm it:

In case you did not respect the instructions concerning the format of this password, the program reminds you what they are and restarts the procedure to set the administration account.

Once this account has been created, the installation continues and you can follow its progress in the open X-terminal window:

And finally CTparental informs you that the installation has been successfully completed:

Click on the OK button and the administration window will pop-up.

Administration window

Once the administration account is created, the management of CTparental is done through a web interface (Firefox by default on Emmabuntüs) protected by the login ID and its password as defined during the installation:

Enter first the CTparental admin ID, then its password and click on the Connection button.

 

Firefox will offer to save those credentials, or not, and by pressing the drop-down arrow you can even tell it to never bother you again with that question.

Blacklist

 

 

Note:

A ‘whitelist’ allows you to control network flows by authorizing only those that are recognized and qualified beforehand. A whitelist therefore contains all the websites to which browsing is authorized.

Conversely, a ‘blacklist’ contains all the sites to which browsing is forbidden. If this can be efficient in terms of filtering Internet content so that children do not surf on forbidden sites, it can never be exhaustive when dozens of new URLs (often ephemeral) are created every second.

In this sense, the effectiveness of the whitelist in terms of parental control is clearly better than that of the blacklist.

In the upper part of this first page you can :

  • Download the latest version of the Blacklist

  • Reset the filtered categories to the default selection

  • Disable the automatic blacklist updates (not recommended)

  • Switch to the Whitelist mode

Then you can select or deselect the proposed categories, and when you click on the Init Categories button, the default selections are restored.

At the bottom of this page, you can either rehabilitate sites that were filtered by default, and filter others.
Finally, don’t forget to Save your changes before logging out.

Whitelist

But you might prefer the Whitelist mode :

In this case you will have to select the authorized categories, and possibly add other sites that you want to rehabilitate.
And do not forget to Save your changes.

Privileged group

You can access the Privileged Group page by clicking on this entry in the left panel:

You can safely ignore the service account ‘systemd-coredump’, in this context.

Schedules and timetables

You can also access the schedule and timetable page by clicking on the 4th entry of the left panel, hours of access PC and navigation time :

By default, login times are disabled, so you will need to Enable them first:

Then select the relevant account

You will then have to deselect the check box 24/7 and click the Record button in order to access the page for defining the schedules and timetables.

Then all you have to do is enter your various data in this page and click on Record.

Exiting the management interface

 

To exit this management interface, after having recorded all your changes, simply click on the Logout button located toward the top right of the window.

Now, all you have to do is quit Firefox, or continue surfing the Internet ….

Connection/Login

 

 

Now that several user accounts – protected by password – have been defined in your system, the login procedure can no longer be automatic and it will be necessary to select an account first by clicking on the small arrow in the drop-down menu:

 

 

Select your account ID in the list :

 

Then enter your password
and click on the Log in button

in order to open your own session :

Hints

New user

You mist be careful that, if later on you want to add a new child account, it wont be protected by default.

In this example, we just added Mary as a regular new desktop user, and when we re-open the CTparental graphical interface:

As you can see, mary, the new account, is part of the privileged group. You need to deselect the checkbox and click on Save changes

Grub protection

It is also strongly advised to put a password on the GRUB menu.
In a terminal enter the command: sudo CTparental -grubPon

Then define a login name (here, as an example, Xcontrol ) and twice the associated password. Warning: within the GRUB menu, the keyboard will be mapped qwerty mode.

When CTparental is done with its job, you just have to enter the exit command.

The next time you want to use the advanced options of the GRUB menu, the system will ask you to identify yourself:

before allowing you to navigate in the Recovery menu:

More information

Here after some useful commands to manage CTparental within a terminal

Warning :

The commands presented below must be executed with administrator rights, and require a certain level of expertise.

CTparental and firewall

When CTparental is installed it disables the firewall services of the distribution (ufw, iptables.service, nftables.service, netfilter,…) and replaces them by its own firewall service CTparentalfirewall.service.
Blocking an IP address for a user supervised by CTparental can be done from the parental control configuration interface.
Otherwise, to activate and configure the firewall with custom protocol or IP filtering rules for everyone, you have to activate the custom rules with :

sudo CTparental -ipton

Then by default everything will be blocked and only http, https, dns, mDNS, LLMNR, DHCP, NTP, imcp and icmpv6 protocols will be allowed to the local network and internet.
To disable them, enter :

sudo CTparental -iptoff

Blocking an IP for all users

You need to modify the file /etc/CTparental/ip-blackliste.conf

sudo nano /etc/CTparental/ip-blackliste.conf

Then apply the new rules with :

sudo CTparental -ipton

Filter protocols or add other security rules

Find out first if you use iptable or nftable by issuing the command:

sudo CTparental -v

Then depending on the result, modify the file /etc/Ctparental/iptables.conf:

sudo nano /etc/CTparental/iptables.conf

or /etc/Ctparental/nftables.conf:

sudo nano /etc/Ctparental/nftables.conf

and apply the new rules with:

sudo CTparental -v

Import/export the CTparental configuration

To export the configuration within a folder, enter the command:

sudo CTparental -exp /path/export/folder/

For example, to export the configuration within your own /home:

sudo CTparental -exp ~/exportCTP/

and to import a given configuration:

sudo CTparental -imp /path/export/folder/CTparental.conf.yy.mm.dd.tar.gz

For example:

sudo CTparental -imp ~/exportCTP/CTparental.conf.yy.mm.dd.tar.gz

Reset CTparental admin account

If you have lost the name or the password of the account created during the installation procedure, you will be able to redefine it. The following command (which requires an administrator account) will recreate the CTparental login and password:

sudo CTparental -uhtml

Other useful command lines

  • Activate CTparental:
    sudo CTparental -on
  • Disable CTparental:
    sudo CTparental -off
  • Force the blacklist update:
    sudo CTparental -dl
  • Set the automatic blacklist update (every 7 days):
    sudo CTparental -aupon
  • Disable automatic blacklist update:
    sudo CTparental -aupoff
  • Restaure the default settings of the filtering categories:
    sudo CTparental -dble

The complete command list can be found on this official page.

Wikipedia

This Wikipedia page talks about software options allowing parents to restrict content.