Differences
This shows you the differences between two versions of the page.
| docs:guide-user:firewall:fw3_configurations:fw3_parent_controls [2020/03/20 15:12] – Added instructions on how to filter FQDN torxgewinde | docs:guide-user:firewall:fw3_configurations:fw3_parent_controls [2023/08/30 08:26] – [Blocking services with banIP] vgaetera | ||
|---|---|---|---|
| Line 2: | Line 2: | ||
| {{section> | {{section> | ||
| - | Parental control of internet access can be done in several ways: | + | ===== Introduction ===== |
| - | * Timely restriction | + | * This article describes common methods to perform parental control |
| - | * Restrict / deny / block access | + | * Be sure to apply restrictions to all source zones if you are using a firewall-based method. |
| - | * Blocking Servers by blocking Static IPs | + | |
| - | * Blocking Name resolution (DNS) by Adblockers | + | |
| - | * Blocking IPs based on their Domainnames (FQDN, Hostnames) | + | |
| - | * Blocking sites by using Proxy Servers | + | |
| - | ====== Restrict / deny / block access to certain web pages ====== | + | ===== Restrict / deny / block access to certain web pages ===== |
| - | ===== Blocking | + | ==== Blocking |
| - | If a server is running at a single IP or just uses a small set of IPs, blocking these IPs in fw3 is a very efficient way to block this site. It is the quickest and most efficient way of blocking websites and is well supported even in the Webinterface. Assuming | + | Follow: |
| - | ASN lists could be used to block large numbers of IPs belonging to certain companies. A script would be used to fetch all current IPs assigned to a certain company and this information is used to update the firewall accordingly. | + | [[docs: |
| + | |||
| + | If a server is running at a single IP or just uses a small set of IPs, blocking these IPs in fw3 is a very efficient way to block this site. | ||
| + | It is the quickest and most efficient way of blocking websites and is well supported even in the web interface. | ||
| + | Assuming | ||
| + | ASN lists could be used to block large numbers of IPs belonging to certain companies. | ||
| + | A script would be used to fetch all current IPs assigned to a certain company and this information is used to update the firewall accordingly. | ||
| Drawbacks: | Drawbacks: | ||
| - | * To circumvent these IP based restrictions an internet proxy or TOR could be used. | + | * To circumvent these IP based restrictions an internet proxy or Tor could be used. |
| * Dynamic hosts change their IP on a regular basis, invalidating the blacklist | * Dynamic hosts change their IP on a regular basis, invalidating the blacklist | ||
| - | ===== Blocking | + | ==== Blocking |
| - | This method voids DNS lookups so, for example, '' | + | Follow: |
| + | [[docs: | ||
| + | [[docs: | ||
| + | |||
| + | This method voids DNS lookups so, for example, '' | ||
| + | Adblock | ||
| + | Alternatively | ||
| + | Another option is to use Pi-hole | ||
| Drawbacks: | Drawbacks: | ||
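Review bot: the new Introduction bullet "Be sure to apply restrictions to all source zones if you are using a firewall-based method" states the rule without its reason, while the old NB that explained it (a rule with source zone lan does not restrict a child who connects to a guest network) is dropped further down in this revision; keep that one-sentence rationale next to the bullet so a reader understands why "all source zones" matters and checks the guest zone as well.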
| Line 27: | Line 36: | ||
| * If several DNS are in the LAN just changing the local settings to the unfiltered DNS renders this control useless. | * If several DNS are in the LAN just changing the local settings to the unfiltered DNS renders this control useless. | ||
| - | ===== Blocking IPs based on their Domainnames | + | ==== Blocking IPs based on their domain names (FQDN, |
| - | Since OpenWRT in a typical setup with a LAN and WAN zone does the name resolution and the firewall at the same time, all information is there to match domainnames, | + | Follow: |
| + | [[docs: | ||
| - | Example: | + | Since OpenWrt in a typical setup with a LAN and WAN zone does the name resolution |
| - | Assumed you want to block everything that ends with the domainname ' | + | This is essential if a single domain might resolve |
| - | * Install the package kmod-ipt-ipset: | + | For instance websites |
| - | * In ''/ | + | |
| - | * In ''/ | + | |
| - | option enabled ' | + | |
| - | option | + | |
| - | option match ' | + | |
| - | option storage ' | + | |
| - | option src ' | + | |
| - | option name 'Block Example Domains' | + | |
| - | option dest ' | + | |
| - | option target ' | + | |
| - | option ipset ' | + | |
| - | list proto ' | + | |
| - | list proto ' | + | |
| - | * restart | + | |
| - | * To observe | + | |
| Drawbacks: | Drawbacks: | ||
| - | * If servers are multi-homed its not possible to distinguish in the firewall. | + | * This will block all sites sharing |
| + | * Completely blocking sites that use localized domains is problematic. | ||
| - | ===== Blocking | + | ==== Blocking |
| - | A proxy server like SQUID can be used to block access to websites. It can check HTTP(S) specific details. The huge benefit of this option is to have the finest level of control. It can even distinguish in cases where a single server with a single IP has for example a blacklisted and whitelisted domain at once. | + | See also: |
| + | [[packages: | ||
| + | [[packages: | ||
| - | Drawbacks: | + | banIP can block services using IP/CIDR lists, e.g. you can block WhatsApp with [[https:// |
| - | * Comparatively resource hungry and somewhat difficult to run on typical OpenWRT hardware. If this setup appeals to you consider a beefier Hardware and Software like IPFire, PFSense, Untangle, OPNSense, ... | + | |
| - | * Complex setup | + | |
| - | * If not everything else except the proxy is blocked, it can be circumvented. | + | |
| - | ====== Timely restriction of internet access ====== | + | <code bash> |
| - | **Example: | + | opkg update |
| + | opkg install banip luci-app-banip | ||
| + | uci set banip.global.ban_enabled=" | ||
| + | uci del_list banip.global.ban_feed=" | ||
| + | uci add_list banip.global.ban_feed=" | ||
| + | uci commit banip | ||
| + | . /usr/ | ||
| + | json_init | ||
| + | json_load_file / | ||
| + | json_add_object " | ||
| + | json_add_string " | ||
| + | json_add_string " | ||
| + | HybridNetworks/ | ||
| + | json_add_string " | ||
| + | json_close_object | ||
| + | json_dump > / | ||
| + | / | ||
| + | </ | ||
| - | ===== Web interface | + | ==== Blocking sites by using proxy servers |
| - | First, make sure that your router has the right time **and** the right timezone. | + | Follow: |
| + | [[docs: | ||
| - | <WRAP group> | + | A proxy server like [[docs: |
| - | <WRAP half column> | + | It can check HTTP(S) specific details. |
| - | | + | The huge benefit of this option is to have the finest level of control. |
| - | - Add name for your rule, e.g. "Kids weeksdays", | + | It can even distinguish in cases where a single server with a single IP runs for example a blacklisted and whitelisted domain at once. |
| - | - Source zone: lan | + | |
| - | | + | |
| - | - Click //Add and edit// | + | |
| - | - Select //Source MAC address// or //Source address// | + | |
| - | - Set // | + | |
| - | - Select weekdays | + | |
| - | - Select start/stop time | + | |
| - | - Save& | + | |
| - | </ | + | |
| - | <WRAP half column> | + | Squid offers many features like SNI HTTPS based filtering, SSL-bump and splice. However, for typical resource constrained devices, Tinyproxy offers the most important options (filtering websites) as well. For parental control, due to ease of setup and low RAM/Flash requirements, |
| - | {{ : | + | |
| - | </WRAP> | + | |
| - | </ | + | |
| - | More detailed explanations in French: | + | Drawbacks: |
| - | [[https:// | + | * If not everything else except the proxy is blocked, it can be circumvented. The firewall must block the client-device from accessing the internet directly. |
| + | * The clients need to configure the proxy in their browser. | ||
| - | NB: If your focus is on authorised timeslots, you can create a rule that always rejects, and add a few rules that accept | + | ===== Time restriction of internet access ===== |
| + | Block internet access | ||
| - | NB: The stop time will stop kids from creating a **new** connection e.g. to browse one more page on Wikipedia. It will not kick out your kids if they have an existing connection e.g. in an Android game app. To enforce | + | <WRAP important> |
| + | * Verify that your router has the correct time and timezone. | ||
| + | * Apply the following workarounds to ensure reliable operation: | ||
| + | * [[docs: | ||
| + | | ||
| + | </ | ||
| + | |||
| + | ==== Web interface instructions ==== | ||
| + | Adjust the parameters according to your configuration. | ||
| + | |||
| + | - Navigate to **LuCI -> Network -> Firewall -> Traffic Rules**. | ||
| + | - Click **Add** and specify: | ||
| + | * Name: '' | ||
| + | * Protocol: Any | ||
| + | * Source zone: '' | ||
| + | * Destination zone: '' | ||
| + | * Action: reject | ||
| + | - (Optional) If you want to add a MAC or IP limitation, | ||
| + | * Source MAC address: '' | ||
| + | * Source IP address: '' | ||
| + | - On the **Time Restrictions** tab specify: | ||
| + | * Week Days: Monday, Tuesday, Wednesday, Thursday, Friday | ||
| + | * Start Time: '' | ||
| + | * Stop Time: '' | ||
| + | - Click **Save**, then **Save & Apply**. | ||
| - | NB: If you have e.g. a Guest network, this rule won't restrict your kid if/when they connect | + | You can add another |
| - | ==== Command-line | + | ==== Command-line |
| Add a new firewall rule. | Add a new firewall rule. | ||
| Edit the following example code block to suit your needs and then copy-paste it into the terminal. | Edit the following example code block to suit your needs and then copy-paste it into the terminal. | ||
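Review bot: the removed NB explaining that the stop time only prevents new connections and does not terminate an existing one (the Android game example) is the most important caveat of the time-restriction method, and the replacement "Apply the following workarounds to ensure reliable operation" links to workarounds without saying what they work around; keep the one-sentence explanation above the links. Also, the step-by-step ipset FQDN example (the enabled/match/storage/src/name/dest/target/ipset/proto options and the "restart" and "observe" steps) is replaced by a bare "Follow:" link, so that section now has no worked configuration while the banIP section keeps a full code block; a minimal snippet would keep the two sections at the same level of detail.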
| Line 100: | Line 127: | ||
| <code bash> | <code bash> | ||
| + | # Configure firewall | ||
| uci add firewall rule | uci add firewall rule | ||
| - | uci set firewall.@rule[-1].name=" | + | uci set firewall.@rule[-1].name=" |
| uci set firewall.@rule[-1].src=" | uci set firewall.@rule[-1].src=" | ||
| - | uci set firewall.@rule[-1].src_mac=" | + | uci set firewall.@rule[-1].src_mac=" |
| uci set firewall.@rule[-1].dest=" | uci set firewall.@rule[-1].dest=" | ||
| uci set firewall.@rule[-1].start_time=" | uci set firewall.@rule[-1].start_time=" | ||
| uci set firewall.@rule[-1].stop_time=" | uci set firewall.@rule[-1].stop_time=" | ||
| uci set firewall.@rule[-1].weekdays=" | uci set firewall.@rule[-1].weekdays=" | ||
| - | uci set firewall.@rule[-1].utc_time=" | ||
| uci set firewall.@rule[-1].target=" | uci set firewall.@rule[-1].target=" | ||
| uci commit firewall | uci commit firewall | ||
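Review bot: dropping the "uci set firewall.@rule[-1].utc_time=" line leaves start_time, stop_time and weekdays at the fw3 default, i.e. interpreted in the router's local time zone, which is the right default given the new "Verify that your router has the correct time and timezone" note, but the new "# Configure firewall" comment should say so (for example "# Times are matched in the router's local time zone"), because a reader who pastes the block on a router with an unset time zone gets a rule that fires at the wrong hours without any error.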
| Line 114: | Line 141: | ||
| </ | </ | ||
| - | Once the time is reached, | + | ===== Restrict access to Wi-Fi by MAC address ===== |
| - | The rules should be reordered | + | Restrict access to your Wi-Fi by MAC address. |
| + | The primary motivation for this capability | ||
| + | Later you no longer want to allow the person to use your Wi-Fi. | ||
| + | There are several solutions to this problem with decreasing labor and effectiveness. | ||
| + | - The most comprehensive is to create a [[docs: | ||
| + | - Change the passphrase for the interfaces. | ||
| + | - Only allow/deny LAN access for devices with matching MAC addresses. | ||
| + | |||
| + | This section focuses on the last option using the wireless interface MAC filter option. | ||
| + | This is a simple solution that can be invalidated by a smart hacker changing the MAC address of their device. | ||
| + | |||
| + | ==== Web interface instructions ==== | ||
| + | - Navigate to **LuCI -> Network -> Wireless**. | ||
| + | - Click **Edit** on a selected interface. | ||
| + | - On the **MAC Address Filter** tab specify: | ||
| + | * MAC Address Filter: | ||
| + | * Allow listed only | ||
| + | * Allow all except listed | ||
| + | * MAC List: | ||
| + | * '' | ||
| + | * '' | ||
| + | - Click **Save**, then **Save & Apply**. | ||
| + | |||
| + | ==== Command-line instructions ==== | ||
| <code bash> | <code bash> | ||
| - | cat << " | + | # Use allow-type or deny-type filter |
| - | for IPT in iptables ip6tables | + | uci set wireless.@wifi-iface[0].macfilter=" |
| - | do | + | uci set wireless.@wifi-iface[0].macfilter="deny" |
| - | ${IPT}-save -c -t filter | + | |
| - | | sed -e "/ | + | |
| - | /FORWARD.*reject/i $(${IPT}-save -c -t filter \ | + | |
| - | | sed -n -e "/ | + | |
| - | | ${IPT}-restore -c -T filter | + | |
| - | done | + | |
| - | EOF | + | |
| - | uci -q delete firewall.estab | + | # Append the MAC address to the list |
| - | uci set firewall.estab="include" | + | uci add_list wireless.@wifi-iface[0].maclist="11: |
| - | uci set firewall.estab.path="/ | + | uci add_list wireless.@wifi-iface[0].maclist="aa: |
| - | uci set firewall.estab.reload=" | + | |
| - | uci commit | + | # Check settings |
| - | / | + | uci show wireless.@wifi-iface[0] |
| - | </ | + | |
| + | # Save and apply | ||
| + | uci commit | ||
| + | wifi reload | ||
| + | </ | ||
| + | |||
| + | You need to apply this for all wireless interfaces accessible by the user. | ||
| + | Typically the 5 Ghz band is '' | ||
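Review bot: the two consecutive lines uci set wireless.@wifi-iface[0].macfilter="allow" and uci set wireless.@wifi-iface[0].macfilter="deny" are meant as alternatives (the comment says "Use allow-type or deny-type filter"), but copied as a whole block the second assignment overrides the first and every reader ends up with a deny list containing the addresses they wanted to allow; comment one of them out or show them as two separate blocks. Separately, removing the firewall.estab include script (the iptables-save/sed/iptables-restore loop inserting rules before the FORWARD reject) also removes the explanation "The rules should be reordered" for what happens once the stop time is reached, and the MAC-filter section that replaces it does not cover already-open connections, so the time-restriction section should point at where that workaround now lives.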