Differences

This shows you the differences between two versions of the page.

docs:guide-user:firewall:fw3_configurations:fw3_parent_controls [2020/07/26 22:20] – [Blocking IPs based on their domain names (FQDN, host names)] added link to DNS hijacking vgaetera
docs:guide-user:firewall:fw3_configurations:fw3_parent_controls [2023/08/30 08:26] – [Blocking services with banIP] vgaetera
Line 2: Line 2:
 {{section>meta:infobox:howto_links#basic_skills&noheader&nofooter&noeditbutton}} {{section>meta:infobox:howto_links#basic_skills&noheader&nofooter&noeditbutton}}
  
-Parental control of internet access can be done in several ways: +===== Introduction ===== 
-  * Timely restriction of internet access per IP/MAC+  * This article describes common methods to perform parental control of internet access. 
-  * Restrict / deny / block access to certain web pages: +  * Be sure to apply restrictions to all source zones if you are using a firewall-based method.
-    * Blocking Servers by blocking Static IPs +
-    * Blocking Name resolution (DNS) by Adblockers +
-    * Blocking IPs based on their Domainnames (FQDN, Hostnames) +
-    * Blocking sites by using Proxy Servers+
  
 ===== Restrict / deny / block access to certain web pages ===== ===== Restrict / deny / block access to certain web pages =====
-==== Blocking Servers by blacklisting their IP ==== +==== Blocking servers by blacklisting their IP ==== 
-If a server is running at a single IP or just uses a small set of IPs, blocking these IPs in fw3 is a very efficient way to block this site. It is the quickest and most efficient way of blocking websites and is well supported even in the Webinterface. Assuming OpenWRT operates with a LAN and WAN zone a filter in the FORWARDING chain that rejects packets is enough. The setup is detailed at [[docs:guide-user:firewall:fw3_configurations:fw3_config_examples#block_lan-side_access_to_a_specific_site|fw3 rule to block a site]]+Follow: 
-ASN lists could be used to block large numbers of IPs belonging to certain companies. A script would be used to fetch all current IPs assigned to a certain company and this information is used to update the firewall accordingly.+[[docs:guide-user:firewall:fw3_configurations:fw3_config_examples#block_lan-side_access_to_a_specific_site|Firewall rule to block a site]] 
 + 
 +If a server is running at a single IP or just uses a small set of IPs, blocking these IPs in fw3 is a very efficient way to block this site. 
 +It is the quickest and most efficient way of blocking websites and is well supported even in the web interface. 
 +Assuming OpenWrt operates with a LAN and WAN zone a filter in the FORWARD chain that rejects packets is enough. 
 +ASN lists could be used to block large numbers of IPs belonging to certain companies. 
 +A script would be used to fetch all current IPs assigned to a certain company and this information is used to update the firewall accordingly.
  
 Drawbacks: Drawbacks:
-  * To circumvent these IP based restrictions an internet proxy or TOR could be used.+  * To circumvent these IP based restrictions an internet proxy or Tor could be used.
   * Dynamic hosts change their IP on a regular basis, invalidating the blacklist   * Dynamic hosts change their IP on a regular basis, invalidating the blacklist
  
-==== Blocking Name resolution (DNS) by Adblockers ==== +==== Blocking name resolution (DNS) by Adblockers ==== 
-This method voids DNS lookups so, for example, ''www.youtube.com'' does not generate the desired IP address. The [[packages:pkgdata:adblock|adblock package]] can be used to blacklist certain domainnames and prevent the DNS server handing out the right IP. Alternatively DNSMASQ can be configured to return a NXDOMAIN answer in case a blacklisted domainname is queried. Another option is to use PiHole in the LAN and divert DNS requests to PiHole.+Follow: 
 +[[docs:guide-user:services:ad-blocking|Ad blocking]], 
 +[[docs:guide-user:base-system:dhcp_configuration#dns_filtering|DNS filtering]] 
 + 
 +This method voids DNS lookups so, for example, ''www.youtube.com'' does not generate the desired IP address. 
 +Adblock can be used to blacklist certain domain names and prevent the DNS server handing out the right IP. 
 +Alternatively Dnsmasq can be configured to return a NXDOMAIN answer in case a blacklisted domain name is queried. 
 +Another option is to use Pi-hole in the LAN and divert DNS requests to Pi-hole.
  
 Drawbacks: Drawbacks:
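Review bot: the ASN paragraph kept from the old text (''ASN lists could be used to block large numbers of IPs belonging to certain companies.'' / ''A script would be used to fetch all current IPs assigned to a certain company and this information is used to update the firewall accordingly.'') names neither the mechanism the script should feed nor the cost of the approach, and blocking whole ASNs is far coarser than the per-site rule this section links to: a company's ASN usually also carries hosting and CDN customers unrelated to the site being restricted. Suggest pointing the script at an fw3 IP set (as the IP-set and banIP sections below do) and adding an over-blocking item to the Drawbacks list next to the proxy/Tor and dynamic-IP entries.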
Line 28: Line 37:
  
 ==== Blocking IPs based on their domain names (FQDN, host names) ==== ==== Blocking IPs based on their domain names (FQDN, host names) ====
 +Follow:
 +[[docs:guide-user:firewall:fw3_configurations:dns_ipset|Filtering traffic with IP sets by DNS]]
 +
 Since OpenWrt in a typical setup with a LAN and WAN zone does the name resolution and the firewall at the same time, all information is there to match domain names, their current IPs as they are handed out to the LAN-hosts and act accordingly in the firewall. Since OpenWrt in a typical setup with a LAN and WAN zone does the name resolution and the firewall at the same time, all information is there to match domain names, their current IPs as they are handed out to the LAN-hosts and act accordingly in the firewall.
 This is essential if a single domain might resolve to several IPs. This is essential if a single domain might resolve to several IPs.
 For instance websites that operate with a CDN can be blocked by their name instead of finding out each and every IP the CDN might be using. For instance websites that operate with a CDN can be blocked by their name instead of finding out each and every IP the CDN might be using.
  
-An example to block domains ''example1.com''''example2.com'' and all of their subdomains.+Drawbacks: 
 +  * This will block all sites sharing the same IP with the targeted, so use carefully for domains which rely on [[wp>Content_delivery_network|CDNs]]. 
 +  * Completely blocking sites that use localized domains is problematic. 
 + 
 +==== Blocking services with banIP ==== 
 +See also: 
 +[[packages:pkgdata:banip]], 
 +[[packages:pkgdata:luci-app-banip]] 
 + 
 +banIP can block services using IP/CIDR lists, e.g. you can block WhatsApp with [[https://github.com/HybridNetworks/whatsapp-cidr|HybridNetworks/whatsapp-cidr]].
  
 <code bash> <code bash>
-# Install packages 
 opkg update opkg update
-opkg remove dnsmasq +opkg install banip luci-app-banip 
-opkg install dnsmasq-full ipset +uci set banip.global.ban_enabled="1
- +uci del_list banip.global.ban_feed="whatsapp
-# Configure IP sets for domains to block +uci add_list banip.global.ban_feed="whatsapp
-uci -q delete firewall.block +uci commit banip 
-uci set firewall.block="ipset" +/usr/share/libubox/jshn.sh 
-uci set firewall.block.name="block+json_init 
-uci set firewall.block.family="ipv4+json_load_file /etc/banip/banip.custom.feeds 2> /dev/null 
-uci set firewall.block.storage="hash+json_add_object "whatsapp
-uci set firewall.block.match="ip" +json_add_string "descr" "WhatsApp CIDR
-uci -q delete firewall.block6 +json_add_string "url_4" "https://raw.githubusercontent.com/\ 
-uci set firewall.block6="ipset" +HybridNetworks/whatsapp-cidr/main/WhatsApp/whatsapp_cidr_ipv4.txt
-uci set firewall.block6.name="block6" +json_add_string "rule_4" "/^[^#]/{print \$1\",\"}
-uci set firewall.block6.family="ipv6" +json_close_object 
-uci set firewall.block6.storage="hash+json_dump > /etc/banip/banip.custom.feeds 
-uci set firewall.block6.match="ip" +/etc/init.d/banip restart
- +
-# Block forward traffic with destination matching IP sets +
-uci -q delete firewall.block_fwd +
-uci set firewall.block_fwd="rule+
-uci set firewall.block_fwd.name="Block-Example-Domains" +
-uci set firewall.block_fwd.src="lan" +
-uci set firewall.block_fwd.dest="wan" +
-uci set firewall.block_fwd.family="ipv4" +
-uci set firewall.block_fwd.proto="all" +
-uci set firewall.block_fwd.ipset="block dest" +
-uci set firewall.block_fwd.target="REJECT" +
-uci -q delete firewall.block6_fwd +
-uci set firewall.block6_fwd="rule+
-uci set firewall.block6_fwd.name="Block-Example-Domains" +
-uci set firewall.block6_fwd.src="lan" +
-uci set firewall.block6_fwd.dest="wan+
-uci set firewall.block6_fwd.family="ipv6" +
-uci set firewall.block6_fwd.proto="all" +
-uci set firewall.block6_fwd.ipset="block6 dest" +
-uci set firewall.block6_fwd.target="REJECT" +
-uci commit firewall +
-/etc/init.d/firewall restart +
- +
-# Configure domains to block +
-uci -q delete dhcp.dnsmasq[0].ipset +
-uci add_list dhcp.dnsmasq[0].ipset="/example1.com/block,block6" +
-uci add_list dhcp.dnsmasq[0].ipset="/example2.com/block,block6" +
-uci commit dhcp +
-/etc/init.d/dnsmasq restart+
 </code> </code>
  
-See also: [[docs:guide-user:services:dns:intercept|DNS hijacking]]+==== Blocking sites by using proxy servers ===== 
 +Follow: 
 +[[docs:guide-user:services:proxy:overview|Proxy server overview]]
  
-To observe the filtering taking place enable logging to the syslog for the DHCP server and watch the log with ''logread -f''. +A proxy server like [[docs:guide-user:services:proxy:proxy.squid|Squid]] or [[docs:guide-user:services:proxy:tinyproxy|Tinyproxy]] can be used to block access to websites
-Another handy command is ''ipset list'' to inspect the current IPs that where added by the DNS server to the list of domains+It can check HTTP(S) specific details. 
- +The huge benefit of this option is to have the finest level of control
-Drawbacks: +It can even distinguish in cases where single server with a single IP runs for example a blacklisted and whitelisted domain at once.
-  * If servers are multi-homed its not possible to distinguish in the firewall+
-  * Not supported in the Webinterface, there is project at [[https://github.com/lvqier/luci-app-dnsmasq-ipset|GitHub]] that might be available in the future.+
  
-==== Blocking sites by using Proxy Servers ===== +Squid offers many features like SNI HTTPS based filtering, SSL-bump and spliceHowever, for typical resource constrained devices, Tinyproxy offers the most important options (filtering websitesas wellFor parental control, due to ease of setup and low RAM/Flash requirements, consider Tinyproxy first.
-A proxy server like SQUID can be used to block access to websitesIt can check HTTP(Sspecific detailsThe huge benefit of this option is to have the finest level of control. It can even distinguish in cases where a single server with a single IP runs for example a blacklisted and whitelisted domain at once.+
  
 Drawbacks: Drawbacks:
-  * Comparatively resource hungry and somewhat difficult to run on typical OpenWRT hardware. If this setup appeals to you consider a beefier Hardware and Software like IPFire, PFSense, Untangle, OPNSense, ... +  * If not everything else except the proxy is blocked, it can be circumvented. The firewall must block the client-device from accessing the internet directly. 
-  * Complex setup +  * The clients need to configure the proxy in their browser.
-  * If not everything else except the proxy is blocked, it can be circumvented.+
  
-===== Timely restriction of internet access ===== +===== Time restriction of internet access ===== 
-**Example:** Block internet access for a certain MAC address / IP address on weekdays during 21:30-07:00+Block internet access for MAC or IP addresses (or everyone) on week days during specific time interval.
  
-==== Web interface ==== +<WRAP important> 
-First, make sure that your router has the right time **and** the right timezone. +  * Verify that your router has the correct time and timezone. 
- +  * Apply the following workarounds to ensure reliable operation: 
-<WRAP group> +    * [[docs:guide-user:firewall:fw3_configurations:dns_ipset#established_connections|Reorder firewall rules]] to enforce time restrictions for already established connections
-<WRAP half column> +    * [[docs:guide-user:base-system:system_configuration#daylight_saving_time|Reload kernel timezone]] to handle DST-related changes.
-  - //Network -> Firewall -> Traffic Rules -> New forward rule// +
-  Add name for your rule, e.g"Kids weeksdays", "Kids weekend" +
-  Source zonelan +
-  Destination zonewan +
-  - Click //Add and edit// +
-  - Select //Source MAC address// or //Source address// +
-  - Set //Action// to be //Reject// +
-  Select weekdays +
-  - Select start/stop time +
-  - Save&apply+
 </WRAP> </WRAP>
  
-<WRAP half column> +==== Web interface instructions ==== 
-{{ :media:docs:howto:firewall_-_parental_control_settings_via_luci.png?direct&0x400 |Timely restriction of internet access via LuCI}} +Adjust the parameters according to your configuration.
-</WRAP> +
-</WRAP> +
- +
-More detailed explanations in French: +
-[[https://www.rezine.org/documentation/routeur-openwrt/#index1h1|step-by-step explanations with screenshots]] +
- +
-NB: If your focus is on authorised timeslots, you can create a rule that always rejects, and add a few rules that accept for the authorised timeslots. Order the rules so as to bring Accept rules before the Reject rule.+
  
-NB: The stop time will stop kids from creating a **new** connection e.g. to browse one more page on WikipediaIt will not kick out your kids if they have an existing connection e.gin an Android game app. To enforce the stop timeyou need something extra. Consider the script belowstarting with cat+  - Navigate to **LuCI -> Network -> Firewall -> Traffic Rules**. 
 +  - Click **Add** and specify: 
 +    * Name: ''Filter-Parental-Controls'' 
 +    * Protocol: Any 
 +    * Source zone: ''lan'' 
 +    * Destination zone: ''wan'' 
 +    * Action: reject 
 +  - (Optional) If you want to add a MAC or IP limitation, on the **Advanced Settings** tab specify: 
 +    * Source MAC address: ''00:11:22:33:44:55'' 
 +    * Source IP address: ''192.168.1.2'' 
 +  - On the **Time Restrictions** tab specify: 
 +    * Week Days: MondayTuesdayWednesday, Thursday, Friday 
 +    * Start Time: ''21:30:00'' 
 +    * Stop Time: ''07:00:00'' 
 +  - Click **Save**, then **Save & Apply**.
  
-NB: If you have e.g. a Guest network, this rule won't restrict your kid if/when they connect to the Guest network.+You can add another rule to apply time restrictions on weekend.
  
-==== Command-line interface ====+==== Command-line instructions ====
 Add a new firewall rule. Add a new firewall rule.
 Edit the following example code block to suit your needs and then copy-paste it into the terminal. Edit the following example code block to suit your needs and then copy-paste it into the terminal.
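Review bot: the banIP feed definition pins nothing: ''json_add_string "url_4" "https://raw.githubusercontent.com/HybridNetworks/whatsapp-cidr/main/WhatsApp/whatsapp_cidr_ipv4.txt"'' fetches from the ''main'' branch, so every banIP reload imports whatever the third-party repository currently publishes straight into the firewall, and any change to that file (accidental or malicious) silently changes what the router blocks. Suggest stating this trust dependency beside the example and recommending a commit-pinned URL or a locally hosted copy, plus a check of the resulting set after ''/etc/init.d/banip restart''. Separately, the removed line ''NB: If you have e.g. a Guest network, this rule won't restrict your kid if/when they connect to the Guest network.'' was the only warning in the time restriction section that the ''lan'' to ''wan'' rule leaves other source zones open; the new introduction bullet covers it generically, but a one-line reminder next to the rule would keep the section self-contained.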
Line 141: Line 127:
  
 <code bash> <code bash>
 +# Configure firewall
 uci add firewall rule uci add firewall rule
-uci set firewall.@rule[-1].name="Kids weekdays"+uci set firewall.@rule[-1].name="Filter-Parental-Controls"
 uci set firewall.@rule[-1].src="lan" uci set firewall.@rule[-1].src="lan"
-uci set firewall.@rule[-1].src_mac="78:BB:AA:3A:88:14"+uci set firewall.@rule[-1].src_mac="00:11:22:33:44:55"
 uci set firewall.@rule[-1].dest="wan" uci set firewall.@rule[-1].dest="wan"
 uci set firewall.@rule[-1].start_time="21:30:00" uci set firewall.@rule[-1].start_time="21:30:00"
 uci set firewall.@rule[-1].stop_time="07:00:00" uci set firewall.@rule[-1].stop_time="07:00:00"
 uci set firewall.@rule[-1].weekdays="Mon Tue Wed Thu Fri" uci set firewall.@rule[-1].weekdays="Mon Tue Wed Thu Fri"
-uci set firewall.@rule[-1].utc_time="0" 
 uci set firewall.@rule[-1].target="REJECT" uci set firewall.@rule[-1].target="REJECT"
 uci commit firewall uci commit firewall
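Review bot: the command-line rule hard-codes ''uci set firewall.@rule[-1].src_mac="00:11:22:33:44:55"'', so pasted as-is it restricts one device only, while the section text promises restriction for "MAC or IP addresses (or everyone)" and the web instructions make the MAC/IP limit optional. Suggest marking the ''src_mac'' line as optional (comment it out, or say to delete it for an everyone rule) and adding the ''src_ip'' variant the web instructions show. Dropping ''uci set firewall.@rule[-1].utc_time="0"'' is fine since that is the default, but a comment that ''start_time''/''stop_time'' are interpreted in the router's local timezone would tie the rule to the timezone and DST warnings in the box above.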
Line 155: Line 141:
 </code> </code>
  
-Once the time is reached, the default rule order prevents closing already established connections+===== Restrict access to Wi-Fi by MAC address ===== 
-The rules should be reordered to resolve the issue.+Restrict access to your Wi-Fi by MAC address. 
 +The primary motivation for this capability is a family member gives out the SSID and passphrase to a friend while in your home
 +Later you no longer want to allow the person to use your Wi-Fi.
  
 +There are several solutions to this problem with decreasing labor and effectiveness.
 +  - The most comprehensive is to create a [[docs:guide-user:network:wifi:guestwifi:start|guest Wi-Fi]].
 +  - Change the passphrase for the interfaces.
 +  - Only allow/deny LAN access for devices with matching MAC addresses.
 +
 +This section focuses on the last option using the wireless interface MAC filter option.
 +This is a simple solution that can be invalidated by a smart hacker changing the MAC address of their device.
 +
 +==== Web interface instructions ====
 +  - Navigate to **LuCI -> Network -> Wireless**.
 +  - Click **Edit** on a selected interface.
 +  - On the **MAC Address Filter** tab specify:
 +    * MAC Address Filter:
 +      * Allow listed only
 +      * Allow all except listed
 +    * MAC List:
 +      * ''11:22:33:44:55:66''
 +      * ''aa:bb:cc:dd:ee:ff''
 +  - Click **Save**, then **Save & Apply**.
 +
 +==== Command-line instructions ====
 <code bash> <code bash>
-Reorder iptables/ip6tables rules +Use allow-type or deny-type filter 
-cat << "EOF" > /etc/firewall.estab +uci set wireless.@wifi-iface[0].macfilter="allow
-for IPT in iptables ip6tables +uci set wireless.@wifi-iface[0].macfilter="deny"
-do +
-${IPT}-save -c -t filter \ +
-| sed -"/FORWARD.*ESTABLISHED/d; +
-/FORWARD.*reject/i $(${IPT}-save -c -t filter \ +
-| sed -n -e "/FORWARD.*ESTABLISHED/p")+
-| ${IPT}-restore -c -T filter +
-done +
-EOF+
  
-Enable the reordering script +Append the MAC address to the list 
-uci -q delete firewall.estab +uci add_list wireless.@wifi-iface[0].maclist="11:22:33:44:55:66
-uci set firewall.estab="include+uci add_list wireless.@wifi-iface[0].maclist="aa:bb:cc:dd:ee:ff"
-uci set firewall.estab.path="/etc/firewall.estab" +
-uci set firewall.estab.reload="1" +
-uci commit firewall +
-/etc/init.d/firewall restart+
  
-Back up the reordering script +Check settings 
-cat << EOF >> /etc/sysupgrade.conf +uci show wireless.@wifi-iface[0] 
-/etc/firewall.estab + 
-EOF +# Save and apply 
-</code>+uci commit wireless 
 +wifi reload 
 +</code>  
 + 
 +You need to apply this for all wireless interfaces accessible by the user. 
 +Typically the 5 Ghz band is ''@wifi-iface[0]'' and the 2.4 Ghz band is ''@wifi-iface[1]''.
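Review bot: the two lines ''uci set wireless.@wifi-iface[0].macfilter="allow"'' and ''uci set wireless.@wifi-iface[0].macfilter="deny"'' are presented as alternatives but both execute when the block is pasted, so the result is always ''deny'' and the listed MACs end up blocked rather than allowed; suggest commenting out one of them or splitting the block into an allow-list and a deny-list variant. The section already notes that the filter is defeated by changing a device's MAC address; since client MACs are visible in the clear over Wi-Fi, suggest stating plainly that this is a convenience for the stated scenario (revoking a known guest's access) and that a passphrase change or the guest Wi-Fi listed first are the controls that actually hold. Also, the ''@wifi-iface[0]'' / ''@wifi-iface[1]'' band mapping is only "typical"; suggest telling the reader to confirm it with ''uci show wireless'' before applying the filter.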
  
  • Last modified: 2023/10/14 05:53
  • by vgaetera