This repository has been archived by the owner on Oct 6, 2021. It is now read-only.

[Discuss] Restricting what neko can access/host safety #87

Open
Toucan-Sam opened this issue May 30, 2020 · 3 comments
Labels
discuss Open discussion about an issue

Comments

@Toucan-Sam

TL;DR: Enforce DoH (DNS-over-HTTPS) settings in Firefox policies and use OpenDNS/NextDNS/etc. to filter what you want/don't want.

Not so much a problem as just some solutions I wanted to share.

I'm currently hosting an instance of Neko to use with friends for services that don't support any 'watch together' style features or YouTube or whatever. So nurdism, thank you. (Avoiding tag to avoid spam). Has definitely made lockdown a little bit more comfortable. Also to everyone in #21 , that was super useful.

My biggest problem was ensuring that I could leave neko running even while I wasn't around and it wasn't going to get me in trouble. eg, friends weren't going to "tee heee heee, lets look at illegal stuff on Toucan's connection because it'd be a great prank to get Toucan charged with _____!".

My solution to this is to use a 3rd-party DNS provider, like OpenDNS or NextDNS, with Firefox's DoH policy to A) allow me to filter things and B) let me do it without having to modify the container when it gets updated automatically by pyouroboros/ouroboros.

So here's my docker-compose:

---
version: '3'
services:
  neko:
    container_name: neko
    image: nurdism/neko:latest
    shm_size: 6gb
    environment:
      - NEKO_PASSWORD=$PASS
      - NEKO_PASSWORD_ADMIN=$ADMIN
      # public IP used for WebRTC; braces are needed, otherwise compose reads
      # "$NAT-IP" as the variable NAT followed by the literal text "-IP"
      - NEKO_NAT1TO1=${NAT_IP}
      - NEKO_URL=https://www.google.com
    volumes:
      # Firefox ESR reads this file at startup, so the locked policy survives
      # image updates; mounted read-only so nothing inside the container can edit it
      - "/path/to/policies.json:/usr/lib/firefox-esr/distribution/policies.json:ro"
    restart: unless-stopped
    ports:
      - "8080:8080"
      - "59000-59100:59000-59100/udp"

And here is the customized bit of my policies.json (neko provided policies.json here)

{
  "policies": {
    "DNSOverHTTPS": {
      "Enabled": true,
      "ProviderURL": "https://doh.familyshield.opendns.com/dns-query",
      "Locked": true
    },
    ...
  }
}

Obviously enabled and locked so sneaky sneaky friends can't turn it off.

At this point, you can log into your account on opendns.com, add a new network, and manage what categories are filtered/managed. If you have a dynamic IP, make sure you're running one of OpenDNS' update scripts otherwise if your IP changes the filters will stop working.

Via OpenDNS I'm blocking most things, but have manually added 'Never Block' to some YouTube domains (below) so I can block the 'Video Sharing' category and instead whitelist just the ones I'm comfortable with.

ggpht.com
google.com
googleapis.com
googlevideo.com
youtube.com
youtube.l.google.com
ytimg.com
ytimg.l.google.com

This seems to let YouTube function normally.

I would much rather have friends saying "oh, this site didn't work, can you take a look" than the police knocking on my door asking what my hobbies were.

Anyway, thought I'd share in case anyone else had the same concerns or if anyone else has any other simple solutions to this. It doesn't have to be 100%, but if I do get a knock on the door I'd like to be able to show evidence that I actively tried to prevent it and was not simply an accomplice.

For those of you that say "good friends wouldn't do that"... I don't think they would, but I'd just rather not open that door to begin with. :)
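The setup above pins Firefox to a filtering DoH resolver, so the check worth having is whether that resolver really answers differently from an unfiltered one for the domains you expect to be blocked. The script below is an added example for this thread (not code from the issue, from OpenDNS or from the neko project): it builds a DNS query in wire format, POSTs it the way Firefox does (RFC 8484, application/dns-message), and parses the A/CNAME answers. The reference resolver URL, the block-page comparison and the sample response bytes are my own assumptions and constructions.

```python
"""Query a DNS-over-HTTPS resolver directly (RFC 8484 POST, RFC 1035 wire format)
to confirm that the provider pinned in policies.json actually filters.

Added example for this thread; not code from the issue or from the neko project.
The reference resolver, the "answers differ" heuristic and SAMPLE_RESPONSE are
assumptions/constructions made for the demonstration.
"""
from __future__ import annotations

import struct
import sys
import urllib.request

# Provider from the policy in the thread, plus an unfiltered resolver to compare
# against (assumption: any public DoH resolver without filtering will do).
FILTERED_DOH_URL = "https://doh.familyshield.opendns.com/dns-query"
REFERENCE_DOH_URL = "https://cloudflare-dns.com/dns-query"

QTYPE_A, QTYPE_CNAME = 1, 5


def build_query(name: str, qtype: int = QTYPE_A) -> bytes:
    """Encode one DNS question in wire format. RFC 8484 recommends ID 0 for DoH
    so that responses are cacheable."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(
        struct.pack("B", len(label)) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN


def _read_name(msg: bytes, off: int) -> tuple[str, int]:
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer: continue at the target
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_response(msg: bytes) -> dict:
    """Return the RCODE and the answer RRs as (owner, type, value) tuples."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):  # skip the echoed question section
        _, off = _read_name(msg, off)
        off += 4
    answers = []
    for _ in range(ancount):
        owner, off = _read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata_off, off = off, off + rdlen
        if rtype == QTYPE_A and rdlen == 4:
            answers.append((owner, "A", ".".join(str(b) for b in msg[rdata_off:off])))
        elif rtype == QTYPE_CNAME:
            answers.append((owner, "CNAME", _read_name(msg, rdata_off)[0]))
        else:
            answers.append((owner, str(rtype), msg[rdata_off:off].hex()))
    return {"rcode": flags & 0x0F, "answers": answers}


def doh_lookup(name: str, url: str, timeout: float = 10.0) -> dict:
    """POST a wire-format query the way Firefox does and parse the answer."""
    req = urllib.request.Request(
        url, data=build_query(name), method="POST",
        headers={"Content-Type": "application/dns-message",
                 "Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_response(resp.read())


def a_records(result: dict) -> set[str]:
    return {value for _, rtype, value in result["answers"] if rtype == "A"}


def filter_differs(name: str) -> bool:
    """True when the filtering resolver's A records differ from the reference
    resolver's (a filtering resolver typically hands back its block-page address)."""
    return a_records(doh_lookup(name, FILTERED_DOH_URL)) != a_records(doh_lookup(name, REFERENCE_DOH_URL))


# Constructed sample (not a real capture): answer for www.example.com with a
# CNAME and compression pointers, so the parser can be exercised offline.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 2, 0, 0)
    + b"\x03www\x07example\x03com\x00" + struct.pack("!HH", QTYPE_A, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_CNAME, 1, 300, 2) + b"\xc0\x10"
    + b"\xc0\x10" + struct.pack("!HHIH", QTYPE_A, 1, 300, 4) + bytes([93, 184, 216, 34])
)

if __name__ == "__main__":
    for host in sys.argv[1:]:
        print(host, "filtered" if filter_differs(host) else "same answer")
```

Run it with a domain from a category you have blocked and one from your allowlist; CDN-hosted names can legitimately resolve differently between resolvers, so a more reliable signature is the address the filtering resolver returns for a known-blocked name. Two caveats on the policy itself: the DoH policy only governs Firefox's own lookups, and a URL that names an IP address directly never touches DNS, so DNS filtering alone does not stop it; and by default Firefox's DoH mode falls back to the system resolver when the DoH provider is unreachable (check the policy documentation for your Firefox version for a fallback control, which I have not verified for the ESR used by neko).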

@m1k1o
Contributor

m1k1o commented May 30, 2020

I am using a proxy; it might help with your problem. It is set up in policies.json. Locked is true, so this proxy is enforced and can't be turned off.

{
  "policies": {
    "Proxy": {
      "Mode": "manual",
      "HTTPProxy": "proxy:3128",
      "UseHTTPProxyForAllProtocols": true,
      "Locked": true
    },
    ...
  }
}

I'm running a separate container where I have installed squid with openvpn. All of my traffic is routed through the VPN, therefore I am not blocking any of it. But if you don't want to use a VPN and just want to set up whitelisted domains, squid can do that.

@m1k1o
Contributor

m1k1o commented May 30, 2020

Or this could be an alternative way to do it without additional 3rd-party providers or other containers:

{
  "policies": {
    "WebsiteFilter": {
      "Block": ["<all_urls>"],
      "Exceptions": ["http://google.com/*"]
    },
    ...
  }
}
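Before locking a WebsiteFilter policy in, it is worth checking which URLs the Block/Exceptions pair actually lets through: a Block of `<all_urls>` with an exception of `http://google.com/*` still blocks `https://www.google.com/`, because a match pattern with a literal scheme and bare host covers only that scheme and that exact host. The evaluator below is an added example for this thread (not code from the issue, from neko or from Firefox). Its matcher is my own simplified reimplementation of the match-pattern syntax (scheme, host with optional leading `*.`, path with `*` wildcards), it restricts schemes to http/https, it assumes Exceptions take precedence over Block, and both policies in it are constructed for the demonstration.

```python
"""Evaluate a Firefox WebsiteFilter policy (Block / Exceptions match patterns)
against candidate URLs before deploying it.

Added example for this thread; not code from the issue, from neko or from
Firefox. The matcher is a simplified reimplementation of match patterns
(assumptions: http/https only, Exceptions override Block); both policies
below are constructed for the demonstration.
"""
from __future__ import annotations

import re
from urllib.parse import urlsplit

_PATTERN = re.compile(r"^(\*|https?)://(\*|\*\.[^/*]+|[^/*]+)(/.*)$")


def pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate one match pattern into an anchored regular expression."""
    if pattern == "<all_urls>":
        return re.compile(r"^https?://.*$")
    m = _PATTERN.match(pattern)
    if m is None:
        raise ValueError(f"not a match pattern: {pattern!r}")
    scheme, host, path = m.groups()
    scheme_re = r"https?" if scheme == "*" else scheme
    if host == "*":
        host_re = r"[^/]+"
    elif host.startswith("*."):  # the domain itself or any subdomain
        host_re = r"(?:[^/]+\.)?" + re.escape(host[2:])
    else:  # exact host only: "google.com" does not cover "www.google.com"
        host_re = re.escape(host)
    path_re = ".*".join(re.escape(piece) for piece in path.split("*"))
    return re.compile(f"^{scheme_re}://{host_re}{path_re}$")


def canonical(url: str) -> str:
    """Reduce a URL to scheme://host/path?query, the parts match patterns see."""
    u = urlsplit(url)
    path = u.path or "/"
    query = f"?{u.query}" if u.query else ""
    return f"{u.scheme.lower()}://{(u.hostname or '').lower()}{path}{query}"


def matches(pattern: str, url: str) -> bool:
    return pattern_to_regex(pattern).match(canonical(url)) is not None


def is_blocked(url: str, policy: dict) -> bool:
    """Blocked when some Block pattern matches and no Exceptions pattern does."""
    wf = policy["policies"]["WebsiteFilter"]
    if any(matches(p, url) for p in wf.get("Exceptions", [])):
        return False
    return any(matches(p, url) for p in wf.get("Block", []))


# The policy as posted above: only plain http://google.com/... is exempted.
POSTED_POLICY = {"policies": {"WebsiteFilter": {
    "Block": ["<all_urls>"],
    "Exceptions": ["http://google.com/*"],
}}}

# Corrected allowlist: either scheme, the domain and all of its subdomains.
ALLOWLIST_POLICY = {"policies": {"WebsiteFilter": {
    "Block": ["<all_urls>"],
    "Exceptions": ["*://*.google.com/*"],
}}}


def check(policy: dict, urls: list[str]) -> dict[str, bool]:
    """Map each URL to whether the policy blocks it."""
    return {u: is_blocked(u, policy) for u in urls}


if __name__ == "__main__":
    sample = ["http://google.com/", "https://www.google.com/search?q=neko",
              "https://www.youtube.com/watch?v=abc"]
    for name, policy in (("posted", POSTED_POLICY), ("allowlist", ALLOWLIST_POLICY)):
        for url, blocked in check(policy, sample).items():
            print(f"{name:9s} {'BLOCK' if blocked else 'allow'} {url}")
```

Treat the output as a pre-check and confirm in the real browser, since Firefox's own matching may differ from this approximation. WebsiteFilter is a URL filter inside Firefox only: it does not stop the browser from resolving names or the container from opening other connections, so it complements, rather than replaces, the DNS or proxy controls discussed above.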

@Toucan-Sam
Author

Both good options. Thanks!
Personally happy with the managed DNS option, but definitely see the value in those two choices. Will definitely suit someone. Maybe we should put these on a doco or wiki page somewhere?

@nurdism nurdism added the discuss Open discussion about an issue label Nov 1, 2020