Parental controls

Parental control of internet access can be done in several ways:

  • Time-based restriction of internet access per IP/MAC.
  • Restrict / deny / block access to certain web pages:
    • Blocking servers by blocking their static IPs
    • Blocking name resolution (DNS) with adblockers
    • Blocking IPs based on their domain names (FQDNs, hostnames)
    • Blocking sites by using proxy servers

Restrict / deny / block access to certain web pages

Blocking servers by blacklisting their IPs

If a server runs on a single IP or only uses a small set of IPs, blocking those IPs in fw3 is a very efficient way to block the site. It is the quickest and most efficient way of blocking websites and is well supported even in the web interface. Assuming OpenWrt operates with a LAN and a WAN zone, a filter in the FORWARDING chain that rejects packets is enough. The setup is detailed at fw3 rule to block a site. ASN lists can be used to block large numbers of IPs belonging to certain companies: a script fetches all IPs currently assigned to a company and this information is used to update the firewall accordingly.

Drawbacks:

  • These IP-based restrictions can be circumvented with an internet proxy or Tor.
  • Dynamic hosts change their IP on a regular basis, invalidating the blacklist.

Blocking name resolution (DNS) with adblockers

This method blocks DNS lookups, so that, for example, www.youtube.com no longer resolves to its real IP address. The adblock package can be used to blacklist certain domain names and prevent the DNS server from handing out the real IP. Alternatively, dnsmasq can be configured to return an NXDOMAIN answer whenever a blacklisted domain name is queried. Another option is to run Pi-hole in the LAN and divert DNS requests to it.

Drawbacks:

  • If the IP of the server is known, it can be reached directly without using DNS at all.
  • These restrictions are easily foiled by using another internet site to look up the IP address of the blocked site, bypassing the local DNS altogether.
  • If several DNS servers are reachable from the LAN, simply changing the client's settings to an unfiltered DNS server renders this control useless.

Blocking IPs based on their domain names (FQDNs, hostnames)

Since OpenWrt, in a typical setup with a LAN and a WAN zone, performs both the name resolution and the firewalling, all the information is there to match domain names to the IPs currently handed out to the LAN hosts and act accordingly in the firewall. This is essential when a single domain resolves to several IPs. For instance, websites served by a CDN can be blocked by name instead of tracking down each and every IP the CDN might be using.

Example: Assuming you want to block everything that ends with the domain name 'example.com' or 'example.net', perform the following steps:

  • Install the package kmod-ipt-ipset and replace the package dnsmasq with dnsmasq-full: opkg update && opkg install kmod-ipt-ipset && opkg install dnsmasq-full
  • In /etc/config/dhcp add, in the config dnsmasq section, the option list ipset '/example.com/example.net/MyExample'. It should look as follows (the triple dots stand for the other options of your configuration and are not typed in):
    config dnsmasq
            option domainneeded '1'
            option localise_queries '1'
            option expandhosts '1'
            option readethers '1'
            option leasefile '/tmp/dhcp.leases'
            option resolvfile '/tmp/resolv.conf.auto'
            option localservice '1'
            option rebind_protection '0'
            ...
            list ipset '/example.com/example.net/MyExample'
            ...
            option authoritative '1'
            option cachesize '1000'
            option domain 'lan'
            option logqueries '1'
  • In /etc/config/firewall add an ipset section
    config ipset
            option enabled '1'
            option name 'MyExample'
            option match 'ip'
            option storage 'hash'

    and a filter rule that rejects traffic to the addresses in that set:

    config rule
            option src 'lan'
            option name 'Block Example Domains'
            option dest 'wan'
            option target 'REJECT'
            option ipset 'MyExample dest'
            list proto 'tcp'
            list proto 'udp'
  • Restart the firewall and dnsmasq: /etc/init.d/firewall restart && /etc/init.d/dnsmasq restart
  • To observe the filtering taking place, enable logging to syslog for the DHCP server (option logqueries '1' in the configuration above) and watch the log with logread -f. Another handy command is ipset list, which shows the current IPs that were added to the set by the DNS server.
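
A check you can run on the router after these steps (added example, not part of this wiki page): the set name must be identical in the dnsmasq 'list ipset' entry, the firewall 'config ipset' section and the rule's 'option ipset', and a mismatch in any of them silently results in an empty set and no blocking. The script parses 'uci show dhcp' and 'uci show firewall' output and reports the wiring of every set; the sample input it ships with is constructed and contains a deliberately mis-wired set named 'Typo'.

```shell
#!/bin/sh
# Added example, not from the OpenWrt wiki. Cross-checks the three places that must
# agree for name-based blocking to work: the set name ending the dnsmasq 'list ipset'
# entry, the fw3 'config ipset' section and the rule's 'option ipset'. A typo in any
# of them leaves the set empty and blocks nothing. Input is plain `uci show` output.

# Set names filled by dnsmasq: the last component of '/dom1/dom2/SetName'.
dnsmasq_set_names() {
    sed -n 's/^dhcp\.[^.]*\.ipset=//p' | tr -d "'" | tr ' ' '\n' \
      | sed -n 's#.*/\([^/]*\)$#\1#p'
}

# Set names declared by 'config ipset' sections (firewall.<section>.name).
fw_set_names() {
    tr -d "'" | awk -F= '$2 == "ipset" { sec[$1] = 1 }
        /\.name=/ { k = $1; sub(/\.name$/, "", k); if (k in sec) print $2 }'
}

# Set names referenced by rules ('option ipset' holds "<set> [src|dest]").
fw_rule_sets() {
    tr -d "'" | awk -F= '$2 == "rule" { sec[$1] = 1 }
        /\.ipset=/ { k = $1; sub(/\.ipset$/, "", k)
                     if (k in sec) { split($2, f, " "); print f[1] } }'
}

# $1: `uci show dhcp` output, $2: `uci show firewall` output. Returns 1 on mismatch.
check_ipset_chain() {
    rc=0
    for s in $(printf '%s\n' "$1" | dnsmasq_set_names); do
        if ! printf '%s\n' "$2" | fw_set_names | grep -qxF "$s"; then
            echo "FAIL: dnsmasq fills set '$s' but no 'config ipset' declares it"; rc=1
        elif ! printf '%s\n' "$2" | fw_rule_sets | grep -qxF "$s"; then
            echo "FAIL: set '$s' is declared but no rule uses it"; rc=1
        else
            echo "OK: '$s' is filled by dnsmasq, declared in fw3 and used by a rule"
        fi
    done
    return $rc
}

# Constructed sample output: 'MyExample' is wired correctly, 'Typo' is not.
SAMPLE_DHCP="dhcp.@dnsmasq[0]=dnsmasq
dhcp.@dnsmasq[0].ipset='/example.com/example.net/MyExample' '/example.org/Typo'"
SAMPLE_FW="firewall.@ipset[0]=ipset
firewall.@ipset[0].name='MyExample'
firewall.@rule[0]=rule
firewall.@rule[0].ipset='MyExample dest'"
# Demo on the sample; on a router run: check_ipset_chain "$(uci show dhcp)" "$(uci show firewall)"
check_ipset_chain "$SAMPLE_DHCP" "$SAMPLE_FW" || :
```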

Drawbacks:

  • If servers are multi-homed, it is not possible to distinguish between them in the firewall.
  • Not supported in the web interface; there is a project on GitHub that might become available in the future.

Blocking sites by using proxy servers

A proxy server such as Squid can be used to block access to websites. It can inspect HTTP(S)-specific details. The huge benefit of this option is the finest level of control: it can even distinguish between a blacklisted and a whitelisted domain when both are served by the same server on the same IP.

Drawbacks:

  • Comparatively resource hungry and somewhat difficult to run on typical OpenWrt hardware. If this setup appeals to you, consider beefier hardware and software such as IPFire, pfSense, Untangle, OPNsense, …
  • Complex setup.
  • Unless all traffic other than the proxy's is blocked, it can be circumvented.

Time-based restriction of internet access

Example: Block internet access for a certain MAC address or IP address on weekdays between 21:30 and 07:00.

Web interface

First, make sure that your router has the right time and the right timezone.

  1. Network → Firewall → Traffic Rules → New forward rule
  2. Add a name for your rule, e.g. “Kids weekdays”, “Kids weekend”
  3. Source zone: lan
  4. Destination zone: wan
  5. Click Add and edit
  6. Select Source MAC address or Source address
  7. Set Action to be Reject
  8. Select weekdays
  9. Select start/stop time
  10. Save & Apply

Time-based restriction of internet access via LuCI

More detailed explanations in French: step-by-step explanations with screenshots

NB: If your focus is on authorised time slots, create a rule that always rejects and add a few rules that accept during the authorised time slots. Order the rules so that the Accept rules come before the Reject rule.

NB: The stop time prevents the kids from creating a new connection, e.g. to browse one more page on Wikipedia. It will not kick them out of an existing connection, e.g. in an Android game app. To enforce the stop time you need something extra: consider the script below, starting with cat.

NB: If you have e.g. a guest network, this rule won't restrict your kid if/when they connect to the guest network.

Command-line interface

Add a new firewall rule. Edit the following example code block to suit your needs, then copy-paste it into the terminal. Check the service restart output for errors!

uci add firewall rule
uci set firewall.@rule[-1].name="Kids weekdays"
uci set firewall.@rule[-1].src="lan"
uci set firewall.@rule[-1].src_mac="78:BB:AA:3A:88:14"
uci set firewall.@rule[-1].dest="wan"
uci set firewall.@rule[-1].start_time="21:30:00"
uci set firewall.@rule[-1].stop_time="07:00:00"
uci set firewall.@rule[-1].weekdays="Mon Tue Wed Thu Fri"
uci set firewall.@rule[-1].utc_time="0"
uci set firewall.@rule[-1].target="REJECT"
uci commit firewall
/etc/init.d/firewall restart

Once the stop time is reached, the default rule order prevents already established connections from being closed: fw3 accepts ESTABLISHED traffic in the FORWARD chain before it reaches the zone forwarding chains that hold the time-based rule. The rules have to be reordered to resolve the issue, which the script below does on every firewall reload. The last line adds this configuration file to the sysupgrade backup.

cat << "EOF" > /etc/firewall.estab
# Move the ESTABLISHED accept rule of the FORWARD chain to just before the final
# reject rule, so that established connections are evaluated by the zone
# forwarding chains (and the time-based rules in them) first.
for IPT in iptables ip6tables
do
${IPT}-save -c -t filter \
| sed -e "/FORWARD.*ESTABLISHED/d;
/FORWARD.*reject/i $(${IPT}-save -c -t filter \
| sed -n -e "/FORWARD.*ESTABLISHED/p")" \
| ${IPT}-restore -c -T filter
done
EOF

# Register the script as a firewall include that is re-run on every reload
uci -q delete firewall.estab
uci set firewall.estab="include"
uci set firewall.estab.path="/etc/firewall.estab"
uci set firewall.estab.reload="1"
uci commit firewall
/etc/init.d/firewall restart

# Keep the script across sysupgrade
echo /etc/firewall.estab >>/etc/sysupgrade.conf
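
As an added example (not from this wiki page), the following dry run applies the same sed edit as the script above to a constructed, shortened iptables-save dump instead of the live ruleset, and adds a check that tells whether the ESTABLISHED accept rule still precedes the zone forward jumps, which is the order that lets existing connections escape the time-based rule. The dump, the interface names and the exact rendering of the 'Kids weekdays' rule are assumptions.

```shell
#!/bin/sh
# Added example, not from the OpenWrt wiki: a text-only dry run of the edit that
# /etc/firewall.estab makes to the FORWARD chain, plus a check that reports whether
# the ESTABLISHED accept rule still sits in front of the zone forward jumps, which
# is exactly the order that lets existing connections skip the time-based REJECT.

# Same sed edit as the page's script, on a dump read from stdin instead of
# iptables-save: delete the ESTABLISHED rule, re-insert it before the final reject.
reorder_established() {
    dump=$(cat)
    est=$(printf '%s\n' "$dump" | sed -n '/FORWARD.*ESTABLISHED/p')
    printf '%s\n' "$dump" | sed -e '/FORWARD.*ESTABLISHED/d' -e "/FORWARD.*reject/i $est"
}

# Exit 0 when the ESTABLISHED accept precedes the first '-j zone_*_forward' jump
# in FORWARD (established flows bypass the zone chains), 1 otherwise.
established_bypasses_zones() {
    awk '/-A FORWARD / { n++
             if (!e && /ESTABLISHED/) e = n
             if (!z && /-j zone_[a-z0-9_]*_forward/) z = n }
         END { exit !(e && z && e < z) }'
}

# Constructed, shortened `iptables-save -c -t filter` dump with fw3's default
# FORWARD order and the 'Kids weekdays' rule from the CLI section above.
DUMP='*filter
:FORWARD DROP [0:0]
[0:0] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[0:0] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[0:0] -A zone_lan_forward -m mac --mac-source 78:BB:AA:3A:88:14 -m time --timestart 21:30:00 --timestop 07:00:00 --weekdays Mon,Tue,Wed,Thu,Fri -m comment --comment "!fw3: Kids weekdays" -j zone_wan_dest_REJECT
COMMIT'

# Before the edit established connections bypass the zone chains; after it they do not.
before=$(printf '%s\n' "$DUMP" | established_bypasses_zones && echo yes || echo no)
after=$(printf '%s\n' "$DUMP" | reorder_established | established_bypasses_zones && echo yes || echo no)
echo "established connections bypass the time rule: before=$before after=$after"
```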
docs/guide-user/firewall/fw3_configurations/fw3_parent_controls.txt · Last modified: 2020/06/09 19:35 by drnest