Intro
Want to prevent someone from browsing porn or other bad content? You can do this simply with OpenDNS. If you run your own BIND DNS server for your intranet, you also get more fine-grained control over which devices have restricted access and which do not. This is based on the IP address of the device, so it can be easily circumvented, but for some environments this is hard enough.
OpenDNS
OpenDNS offers access to DNS servers that redirect unwanted sites to a blocking page. To configure the level of filtering, you have to create an account here:
https://www.opendns.com/home-internet-security/
Dynamic IPs
Most people get dynamic IPs, so OpenDNS has to be informed who is querying. On Linux you can use ddclient. It is described here:
https://support.opendns.com/entries/23554765-Linux-IP-Updater-for-Dynamic-Networks
Filter for some, but not all internal IPs
This works well if you run a BIND DNS server inside your network. You can use BIND's "view" feature. An example config:
    acl restricted_hosts { 192.168.178.128/25; };

    view "restricted" {
        match-clients { restricted_hosts; };
        # Without this, BIND defaults to "forward first" and resolves the
        # name itself (unfiltered) when the forwarders do not answer.
        forward only;
        forwarders {
            208.67.222.222;   # OpenDNS Servers
            208.67.220.220;
        };
        zone "localhost" in { type master; file "localhost.zone"; };
        zone "0.0.127.in-addr.arpa" in { type master; file "127.0.0.zone"; };
        # ... more zones ...
    };

    view "unrestricted" {
        # Everyone not in restricted_hosts; views are checked top to bottom.
        match-clients { !restricted_hosts; any; };
        zone "." in { type hint; file "root.hint"; };
        zone "localhost" in { type master; file "localhost.zone"; };
        zone "0.0.127.in-addr.arpa" in { type master; file "127.0.0.zone"; };
        # ... more zones ...
    };
This would restrict all IPs from 192.168.178.129-255, while lower IPs would be able to access the internet unrestricted.
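To check which view a given client address lands in before reloading named, here is a small Python model of the first-match rule behind match-clients. It is an added example, not part of the original post and not BIND's own code; ACLS, VIEWS, match_list and select_view are names chosen here, and it only models the elements used in the config above.

```python
import ipaddress

# Constructed model of the ACL and view order from the config above.
ACLS = {"restricted_hosts": ["192.168.178.128/25"]}
VIEWS = [
    ("restricted", ["restricted_hosts"]),
    ("unrestricted", ["!restricted_hosts", "any"]),
]


def match_list(client, elements):
    """First matching element decides: True, False (negated), or None if no match."""
    for element in elements:
        negated = element.startswith("!")
        name = element.lstrip("!")
        if name == "any":
            hit = True
        elif name in ACLS:
            # A nested ACL counts as a hit only when it matches positively.
            hit = match_list(client, ACLS[name]) is True
        else:
            hit = client in ipaddress.ip_network(name)
        if hit:
            return not negated
    return None


def select_view(client_ip):
    """Return the first view whose match-clients list accepts the client."""
    client = ipaddress.ip_address(client_ip)
    for view, match_clients in VIEWS:
        if match_list(client, match_clients) is True:
            return view
    return None


if __name__ == "__main__":
    # Constructed sample clients on both sides of the /25 boundary.
    for ip in ("192.168.178.20", "192.168.178.127", "192.168.178.128", "192.168.178.200"):
        print(ip, "->", select_view(ip))
```

The /25 prefix matches every address from 192.168.178.128 upward, so the device sitting on .128 is filtered as well.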
Thanks to Joseph for pointing me to a broken link. He has a toolbox of 120 tools and tricks for the concerned parent to keep their child safe online: http://backgroundchecks.org/the-concerned-parents-toolbox-120-tools-and-tricks-to-protect-your-kids.html