Differences
| Old revision | New revision | | |
| docs:guide-user:firewall:fw3_configurations:fw3_parent_controls [2020/08/26 18:59] – section header edit dturvene | docs:guide-user:firewall:fw3_configurations:fw3_parent_controls [2023/08/30 08:26] – [Blocking services with banIP] vgaetera | ||
|---|---|---|---|
| Line 2: | Line 2: | ||
| {{section> | {{section> | ||
| - | Parental control of internet access can be done in several ways: | + | ===== Introduction ===== |
| - | * Timely restriction | + | * This article describes common methods to perform parental control |
| - | * Restrict / deny / block access | + | * Be sure to apply restrictions to all source zones if you are using a firewall-based method. |
| - | * Blocking Servers by blocking Static IPs | + | |
| - | * Blocking Name resolution (DNS) by Adblockers | + | |
| - | * Blocking IPs based on their Domainnames (FQDN, Hostnames) | + | |
| - | * Blocking sites by using Proxy Servers | + | |
| - | + | ||
| - | If you have additional | + | |
| ===== Restrict / deny / block access to certain web pages ===== | ===== Restrict / deny / block access to certain web pages ===== | ||
| - | ==== Blocking | + | ==== Blocking |
| Follow: | Follow: | ||
| [[docs: | [[docs: | ||
| If a server is running at a single IP or just uses a small set of IPs, blocking these IPs in fw3 is a very efficient way to block this site. | If a server is running at a single IP or just uses a small set of IPs, blocking these IPs in fw3 is a very efficient way to block this site. | ||
| - | It is the quickest and most efficient way of blocking websites and is well supported even in the Webinterface. | + | It is the quickest and most efficient way of blocking websites and is well supported even in the web interface. |
| - | Assuming | + | Assuming |
| ASN lists could be used to block large numbers of IPs belonging to certain companies. | ASN lists could be used to block large numbers of IPs belonging to certain companies. | ||
| A script would be used to fetch all current IPs assigned to a certain company and this information is used to update the firewall accordingly. | A script would be used to fetch all current IPs assigned to a certain company and this information is used to update the firewall accordingly. | ||
| Drawbacks: | Drawbacks: | ||
| - | * To circumvent these IP based restrictions an internet proxy or TOR could be used. | + | * To circumvent these IP based restrictions an internet proxy or Tor could be used. |
| * Dynamic hosts change their IP on a regular basis, invalidating the blacklist | * Dynamic hosts change their IP on a regular basis, invalidating the blacklist | ||
| - | ==== Blocking | + | ==== Blocking |
| Follow: | Follow: | ||
| [[docs: | [[docs: | ||
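Review bot: the IP-blocking subsection still closes with the drawback that "Dynamic hosts change their IP on a regular basis, invalidating the blacklist", while the ASN paragraph above it only says a script "would be used" to fetch the current IPs; state that this fetch-and-update script has to run on a schedule (for example from cron) for the block to remain effective, otherwise a reader sets it up once and the blocked set silently goes stale as the provider's addresses change. The new introduction's instruction to apply restrictions to all source zones is good, and this is the subsection where a reader first configures an fw3 rule, so a short pointer back to it here would help.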
| Line 33: | Line 27: | ||
| This method voids DNS lookups so, for example, '' | This method voids DNS lookups so, for example, '' | ||
| - | Adblock can be used to blacklist certain | + | Adblock can be used to blacklist certain |
| - | Alternatively | + | Alternatively |
| - | Another option is to use PiHole | + | Another option is to use Pi-hole |
| Drawbacks: | Drawbacks: | ||
| Line 44: | Line 38: | ||
| ==== Blocking IPs based on their domain names (FQDN, host names) ==== | ==== Blocking IPs based on their domain names (FQDN, host names) ==== | ||
| Follow: | Follow: | ||
| - | [[docs: | + | [[docs: |
| Since OpenWrt in a typical setup with a LAN and WAN zone does the name resolution and the firewall at the same time, all information is there to match domain names, their current IPs as they are handed out to the LAN-hosts and act accordingly in the firewall. | Since OpenWrt in a typical setup with a LAN and WAN zone does the name resolution and the firewall at the same time, all information is there to match domain names, their current IPs as they are handed out to the LAN-hosts and act accordingly in the firewall. | ||
| Line 51: | Line 45: | ||
| Drawbacks: | Drawbacks: | ||
| + | * This will block all sites sharing the same IP with the targeted, so use carefully for domains which rely on [[wp> | ||
| * Completely blocking sites that use localized domains is problematic. | * Completely blocking sites that use localized domains is problematic. | ||
| - | * Missing web interface support, but there is a [[https:// | ||
| - | ==== Blocking sites by using Proxy Servers | + | ==== Blocking services with banIP ==== |
| + | See also: | ||
| + | [[packages: | ||
| + | [[packages: | ||
| + | |||
| + | banIP can block services using IP/CIDR lists, e.g. you can block WhatsApp with [[https:// | ||
| + | |||
| + | <code bash> | ||
| + | opkg update | ||
| + | opkg install banip luci-app-banip | ||
| + | uci set banip.global.ban_enabled=" | ||
| + | uci del_list banip.global.ban_feed=" | ||
| + | uci add_list banip.global.ban_feed=" | ||
| + | uci commit banip | ||
| + | . / | ||
| + | json_init | ||
| + | json_load_file / | ||
| + | json_add_object " | ||
| + | json_add_string " | ||
| + | json_add_string " | ||
| + | HybridNetworks/ | ||
| + | json_add_string " | ||
| + | json_close_object | ||
| + | json_dump > / | ||
| + | / | ||
| + | </ | ||
| + | |||
| + | ==== Blocking sites by using proxy servers | ||
| Follow: | Follow: | ||
| - | [[docs: | + | [[docs: |
| - | A proxy server like SQUID can be used to block access to websites. | + | A proxy server like [[docs: |
| It can check HTTP(S) specific details. | It can check HTTP(S) specific details. | ||
| The huge benefit of this option is to have the finest level of control. | The huge benefit of this option is to have the finest level of control. | ||
| It can even distinguish in cases where a single server with a single IP runs for example a blacklisted and whitelisted domain at once. | It can even distinguish in cases where a single server with a single IP runs for example a blacklisted and whitelisted domain at once. | ||
| + | |||
| + | Squid offers many features like SNI HTTPS based filtering, SSL-bump and splice. However, for typical resource constrained devices, Tinyproxy offers the most important options (filtering websites) as well. For parental control, due to ease of setup and low RAM/Flash requirements, | ||
| Drawbacks: | Drawbacks: | ||
| - | | + | * If not everything else except the proxy is blocked, it can be circumvented. The firewall must block the client-device from accessing the internet directly. |
| - | * Complex setup | + | * The clients need to configure the proxy in their browser. |
| - | | + | |
| - | ===== Timely | + | ===== Time restriction of internet access ===== |
| - | **Example: | + | Block internet access for MAC or IP addresses (or everyone) |
| - | ==== Web interface ==== | + | <WRAP important> |
| - | First, make sure that your router has the right time **and** the right timezone. | + | * Verify |
| - | + | | |
| - | <WRAP group> | + | * [[docs: |
| - | <WRAP half column> | + | * [[docs: |
| - | | + | |
| - | - Add name for your rule, e.g. "Kids weeksdays", | + | |
| - | - Source zone: lan | + | |
| - | | + | |
| - | - Click //Add and edit// | + | |
| - | - Select //Source MAC address// or //Source address// | + | |
| - | - Set // | + | |
| - | | + | |
| - | - Select start/stop time | + | |
| - | - Save& | + | |
| </ | </ | ||
| - | <WRAP half column> | + | ==== Web interface instructions ==== |
| - | {{ : | + | Adjust the parameters according to your configuration. |
| - | </ | + | |
| - | </ | + | |
| - | More detailed explanations in French: | + | - Navigate to **LuCI -> Network -> Firewall -> Traffic Rules**. |
| - | [[https://www.rezine.org/ | + | - Click **Add** and specify: |
| + | * Name: '' | ||
| + | * Protocol: Any | ||
| + | * Source zone: '' | ||
| + | * Destination zone: '' | ||
| + | * Action: reject | ||
| + | - (Optional) If you want to add a MAC or IP limitation, on the **Advanced Settings** tab specify: | ||
| + | * Source MAC address: '' | ||
| + | * Source IP address: '' | ||
| + | | ||
| + | * Week Days: Monday, Tuesday, Wednesday, Thursday, Friday | ||
| + | * Start Time: '' | ||
| + | * Stop Time: '' | ||
| + | | ||
| - | NB: If your focus is on authorised timeslots, you can create a rule that always rejects, and add a few rules that accept for the authorised timeslots. Order the rules so as to bring Accept rules before the Reject rule. | + | You can add another |
| - | NB: The stop time will stop kids from creating a **new** connection e.g. to browse one more page on Wikipedia. It will not kick out your kids if they have an existing connection e.g. in an Android game app. To enforce the stop time, you need something extra. Consider the script below, starting with cat. | + | ==== Command-line |
| - | + | ||
| - | NB: If you have e.g. a Guest network, this rule won't restrict your kid if/when they connect to the Guest network. | + | |
| - | + | ||
| - | ==== Command-line | + | |
| Add a new firewall rule. | Add a new firewall rule. | ||
| Edit the following example code block to suit your needs and then copy-paste it into the terminal. | Edit the following example code block to suit your needs and then copy-paste it into the terminal. | ||
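Review bot: the banIP snippet loads the feed file with `json_load_file` and then overwrites the same file with `json_dump >`, with no check that the file exists and was read; if the path is wrong or unreadable, the redirect replaces it with the freshly initialised, nearly empty object. Guard it before loading (`[ -r "$f" ] || exit 1`, with the feed path in `$f`) or dump to a temporary file and move it into place afterwards. Separately, this hunk deletes the guest-network caveat ("If you have e.g. a Guest network, this rule won't restrict your kid if/when they connect to the Guest network"), which the new introduction only covers generically; keep a one-line note under the time restriction section that a rule with source zone `lan` does not apply to clients on any other zone.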
| Line 108: | Line 127: | ||
| <code bash> | <code bash> | ||
| + | # Configure firewall | ||
| uci add firewall rule | uci add firewall rule | ||
| - | uci set firewall.@rule[-1].name=" | + | uci set firewall.@rule[-1].name=" |
| uci set firewall.@rule[-1].src=" | uci set firewall.@rule[-1].src=" | ||
| - | uci set firewall.@rule[-1].src_mac=" | + | uci set firewall.@rule[-1].src_mac=" |
| uci set firewall.@rule[-1].dest=" | uci set firewall.@rule[-1].dest=" | ||
| uci set firewall.@rule[-1].start_time=" | uci set firewall.@rule[-1].start_time=" | ||
| uci set firewall.@rule[-1].stop_time=" | uci set firewall.@rule[-1].stop_time=" | ||
| uci set firewall.@rule[-1].weekdays=" | uci set firewall.@rule[-1].weekdays=" | ||
| - | uci set firewall.@rule[-1].utc_time=" | ||
| uci set firewall.@rule[-1].target=" | uci set firewall.@rule[-1].target=" | ||
| uci commit firewall | uci commit firewall | ||
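Review bot: dropping the `uci set firewall.@rule[-1].utc_time=...` line (its value is truncated in this view) changes which clock fw3 uses when evaluating `start_time` and `stop_time`, and this revision also replaces the old "make sure that your router has the right time **and** the right timezone" instruction with a truncated "Verify" bullet. The new text should say explicitly that the times are interpreted in the router's configured local time zone and that the system clock must be correct, because a wrong zone or an unsynchronised clock shifts the block window silently rather than producing an error.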
| Line 122: | Line 141: | ||
| </ | </ | ||
| - | ==== Filtering established connections | + | ===== Restrict access |
| - | Once the time is reached, the default rule order prevents closing already established connections. | + | Restrict access |
| - | The rules should be reordered | + | The primary motivation for this capability is a family member gives out the SSID and passphrase to a friend while in your home. |
| - | + | Later you no longer want to allow the person to use your Wi-Fi. | |
| - | <code bash> | + | |
| - | # Reorder iptables/ | + | |
| - | cat << " | + | |
| - | for IPT in iptables ip6tables | + | |
| - | do ${IPT}-save -c -t filter \ | + | |
| - | | sed -e "/ | + | |
| - | / | + | |
| - | | sed -n -e "/ | + | |
| - | | ${IPT}-restore -c -T filter | + | |
| - | done | + | |
| - | EOF | + | |
| - | + | ||
| - | # Enable the reordering script | + | |
| - | uci -q delete firewall.estab | + | |
| - | uci set firewall.estab=" | + | |
| - | uci set firewall.estab.path="/ | + | |
| - | uci set firewall.estab.reload=" | + | |
| - | uci commit firewall | + | |
| - | / | + | |
| - | + | ||
| - | # Back up the reordering script | + | |
| - | cat << EOF >> / | + | |
| - | / | + | |
| - | EOF | + | |
| - | </ | + | |
| - | + | ||
| - | ===== Block WIFI LAN Access using a MAC ===== | + | |
| - | This section describes how to block WIFI LAN access for a device with a given MAC. | + | |
| - | + | ||
| - | The primary motivation for this capability is a family member gives out the SSID and passphrase to a friend while in our home; later I no longer want to allow the person to use our home network. | + | |
| There are several solutions to this problem with decreasing labor and effectiveness. | There are several solutions to this problem with decreasing labor and effectiveness. | ||
| + | - The most comprehensive is to create a [[docs: | ||
| + | - Change the passphrase for the interfaces. | ||
| + | - Only allow/deny LAN access for devices with matching MAC addresses. | ||
| - | 1. The most comprehensive | + | This section focuses on the last option using the wireless interface MAC filter option. |
| + | This is a simple solution | ||
| - | 2. Change the passphrase for the interfaces. | + | ==== Web interface instructions ==== |
| + | - Navigate to **LuCI -> Network -> Wireless**. | ||
| + | - Click **Edit** on a selected interface. | ||
| + | - On the **MAC Address Filter** tab specify: | ||
| + | * MAC Address Filter: | ||
| + | * Allow listed only | ||
| + | * Allow all except listed | ||
| + | * MAC List: | ||
| + | * '' | ||
| + | * '' | ||
| + | - Click **Save**, then **Save & Apply**. | ||
| - | 3. Allow LAN access for only devices with matching MAC addresses. | + | ==== Command-line instructions ==== |
| + | <code bash> | ||
| + | # Use allow-type or deny-type filter | ||
| + | uci set wireless.@wifi-iface[0].macfilter=" | ||
| + | uci set wireless.@wifi-iface[0].macfilter=" | ||
| - | 4. Reject LAN access for devices with matching | + | # Append the MAC address to the list |
| + | uci add_list wireless.@wifi-iface[0].maclist=" | ||
| + | uci add_list wireless.@wifi-iface[0].maclist=" | ||
| - | This section will focus on **option 4**. | + | # Check settings |
| + | uci show wireless.@wifi-iface[0] | ||
| - | In **option 4** we use the wireless interface *mac-filter* property to deny access for a list of MACs. | + | # Save and apply |
| - | + | ||
| - | ==== Web Interface ==== | + | |
| - | + | ||
| - | <WRAP group> | + | |
| - | <WRAP half column> | + | |
| - | - Network -> Wireless -> Interface Edit -> MAC-Filter tab | + | |
| - | - MAC-Address Filter: Allow all except listed | + | |
| - | - MAC List: Add the desired MAC address (6 hex bytes separated by colons) | + | |
| - | - Save&apply | + | |
| - | </ | + | |
| - | + | ||
| - | ==== SSH Interface ==== | + | |
| - | On my systems wireless interfaces are **default_radio0** (5Ghz) and **default_radio1** (2.4Ghz) | + | |
| - | + | ||
| - | <code bash> | + | |
| - | # check the filter type, "Allow all except listed" | + | |
| - | uci show wireless.< | + | |
| - | uci set wireless.< | + | |
| - | + | ||
| - | # append the MAC address to maclist (this is a psuedo device from Apple) | + | |
| - | uci show wireless.< | + | |
| - | uci add_list wireless.< | + | |
| - | + | ||
| - | # save changes | + | |
| uci commit wireless | uci commit wireless | ||
| - | # See /sbin/wifi script: load the new config and the down/up the interface | ||
| wifi reload | wifi reload | ||
| </ | </ | ||
| - | You need to do this for all wifi interfaces accessible by the user. In my case it was both **default_radio0** | + | You need to apply this for all wireless |
| - | and **default_radio1**. | + | Typically the 5 Ghz band is '' |
| - | + | ||
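Review bot: removing the "Filtering established connections" section deletes the page's only statement that, once the stop time is reached, "the default rule order prevents closing already established connections", so the new time rule keeps long-lived sessions (the old text's example: an Android game app) alive past the cutoff without the reader being told. Either keep that caveat sentence in the time restriction section or say why the reordering script is no longer needed. In the new MAC filter block, `wireless.@wifi-iface[0]` addresses only the first wireless interface; the closing sentence already says to apply the filter to all radios, so the block should loop over the interfaces or at least note that the index has to be changed for each one.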