Differences

docs:guide-user:firewall:fw3_configurations:fw3_parent_controls [2021/01/18 11:39] – [Time restriction of internet access] vgaeteradocs:guide-user:firewall:fw3_configurations:fw3_parent_controls [2023/08/30 08:26] – [Blocking services with banIP] vgaetera
Line 4: Line 4:
 ===== Introduction ===== ===== Introduction =====
   * This article describes common methods to perform parental control of internet access.   * This article describes common methods to perform parental control of internet access.
-  * Make sure to apply restrictions to all source zones if you are using a firewall-based method.+  * Be sure to apply restrictions to all source zones if you are using a firewall-based method.
  
 ===== Restrict / deny / block access to certain web pages ===== ===== Restrict / deny / block access to certain web pages =====
-==== Blocking Servers by blacklisting their IP ====+==== Blocking servers by blacklisting their IP ====
 Follow: Follow:
 [[docs:guide-user:firewall:fw3_configurations:fw3_config_examples#block_lan-side_access_to_a_specific_site|Firewall rule to block a site]] [[docs:guide-user:firewall:fw3_configurations:fw3_config_examples#block_lan-side_access_to_a_specific_site|Firewall rule to block a site]]
  
 If a server is running at a single IP or just uses a small set of IPs, blocking these IPs in fw3 is a very efficient way to block this site. If a server is running at a single IP or just uses a small set of IPs, blocking these IPs in fw3 is a very efficient way to block this site.
-It is the quickest and most efficient way of blocking websites and is well supported even in the Webinterface+It is the quickest and most efficient way of blocking websites and is well supported even in the web interface
-Assuming OpenWRT operates with a LAN and WAN zone a filter in the FORWARDING chain that rejects packets is enough.+Assuming OpenWrt operates with a LAN and WAN zone a filter in the FORWARD chain that rejects packets is enough.
 ASN lists could be used to block large numbers of IPs belonging to certain companies. ASN lists could be used to block large numbers of IPs belonging to certain companies.
 A script would be used to fetch all current IPs assigned to a certain company and this information is used to update the firewall accordingly. A script would be used to fetch all current IPs assigned to a certain company and this information is used to update the firewall accordingly.
  
 Drawbacks: Drawbacks:
-  * To circumvent these IP based restrictions an internet proxy or TOR could be used.+  * To circumvent these IP based restrictions an internet proxy or Tor could be used.
   * Dynamic hosts change their IP on a regular basis, invalidating the blacklist   * Dynamic hosts change their IP on a regular basis, invalidating the blacklist
  
-==== Blocking Name resolution (DNS) by Adblockers ====+==== Blocking name resolution (DNS) by Adblockers ====
 Follow: Follow:
 [[docs:guide-user:services:ad-blocking|Ad blocking]], [[docs:guide-user:services:ad-blocking|Ad blocking]],
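Review bot: the FORWARD chain rename in the "Assuming OpenWrt operates with a LAN and WAN zone" line is correct (netfilter has no FORWARDING chain), but that sentence still needs a comma after "WAN zone", and the preceding "well supported even in the web interface" line has no terminal period on either side of the diff. In the drawbacks list, "IP based" should be "IP-based" and the "Dynamic hosts" item lacks a period; the list could also mention the shared-IP problem the proxy section raises (a single IP serving both a blocked and an allowed domain), since an IP block cannot tell them apart.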
Line 27: Line 27:
  
 This method voids DNS lookups so, for example, ''www.youtube.com'' does not generate the desired IP address. This method voids DNS lookups so, for example, ''www.youtube.com'' does not generate the desired IP address.
-Adblock can be used to blacklist certain domainnames and prevent the DNS server handing out the right IP. +Adblock can be used to blacklist certain domain names and prevent the DNS server handing out the right IP. 
-Alternatively DNSMASQ can be configured to return a NXDOMAIN answer in case a blacklisted domainname is queried. +Alternatively Dnsmasq can be configured to return a NXDOMAIN answer in case a blacklisted domain name is queried. 
-Another option is to use PiHole in the LAN and divert DNS requests to PiHole.+Another option is to use Pi-hole in the LAN and divert DNS requests to Pi-hole.
  
 Drawbacks: Drawbacks:
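Review bot: "voids DNS lookups" in the first sentence is unclear; "blocks DNS resolution" says what actually happens. In the same paragraph, "return a NXDOMAIN answer" should be "an NXDOMAIN answer" and "prevent the DNS server handing out the right IP" should be "prevent the DNS server from handing out the real IP".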
Line 38: Line 38:
 ==== Blocking IPs based on their domain names (FQDN, host names) ==== ==== Blocking IPs based on their domain names (FQDN, host names) ====
 Follow: Follow:
-[[docs:guide-user:firewall:fw3_configurations:dns_ipset|DNS-based firewall with IP sets]]+[[docs:guide-user:firewall:fw3_configurations:dns_ipset|Filtering traffic with IP sets by DNS]]
  
 Since OpenWrt in a typical setup with a LAN and WAN zone does the name resolution and the firewall at the same time, all information is there to match domain names, their current IPs as they are handed out to the LAN-hosts and act accordingly in the firewall. Since OpenWrt in a typical setup with a LAN and WAN zone does the name resolution and the firewall at the same time, all information is there to match domain names, their current IPs as they are handed out to the LAN-hosts and act accordingly in the firewall.
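Review bot: the paragraph after the "Filtering traffic with IP sets by DNS" link is a run-on; suggest: "Since OpenWrt in a typical LAN/WAN setup runs both the resolver and the firewall, it can match domain names to the IPs it hands out to LAN hosts and act on them in the firewall." "LAN-hosts" should be "LAN hosts".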
Line 48: Line 48:
   * Completely blocking sites that use localized domains is problematic.   * Completely blocking sites that use localized domains is problematic.
  
-==== Blocking sites by using Proxy Servers =====+==== Blocking services with banIP ==== 
 +See also: 
 +[[packages:pkgdata:banip]], 
 +[[packages:pkgdata:luci-app-banip]] 
 + 
 +banIP can block services using IP/CIDR lists, e.g. you can block WhatsApp with [[https://github.com/HybridNetworks/whatsapp-cidr|HybridNetworks/whatsapp-cidr]]. 
 + 
 +<code bash> 
 +opkg update 
 +opkg install banip luci-app-banip 
 +uci set banip.global.ban_enabled="1" 
 +uci del_list banip.global.ban_feed="whatsapp" 
 +uci add_list banip.global.ban_feed="whatsapp" 
 +uci commit banip 
 +. /usr/share/libubox/jshn.sh 
 +json_init 
 +json_load_file /etc/banip/banip.custom.feeds 2> /dev/null 
 +json_add_object "whatsapp" 
 +json_add_string "descr" "WhatsApp CIDR" 
 +json_add_string "url_4" "https://raw.githubusercontent.com/
 +HybridNetworks/whatsapp-cidr/main/WhatsApp/whatsapp_cidr_ipv4.txt" 
 +json_add_string "rule_4" "/^[^#]/{print \$1\",\"}" 
 +json_close_object 
 +json_dump > /etc/banip/banip.custom.feeds 
 +/etc/init.d/banip restart 
 +</code> 
 + 
 +==== Blocking sites by using proxy servers =====
 Follow: Follow:
-[[docs:guide-user:services:proxy:overview|Proxy Server Overview]]+[[docs:guide-user:services:proxy:overview|Proxy server overview]]
  
-A proxy server like SQUID can be used to block access to websites.+A proxy server like [[docs:guide-user:services:proxy:proxy.squid|Squid]] or [[docs:guide-user:services:proxy:tinyproxy|Tinyproxy]] can be used to block access to websites.
 It can check HTTP(S) specific details. It can check HTTP(S) specific details.
 The huge benefit of this option is to have the finest level of control. The huge benefit of this option is to have the finest level of control.
 It can even distinguish in cases where a single server with a single IP runs for example a blacklisted and whitelisted domain at once. It can even distinguish in cases where a single server with a single IP runs for example a blacklisted and whitelisted domain at once.
 +
 +Squid offers many features like SNI HTTPS based filtering, SSL-bump and splice. However, for typical resource constrained devices, Tinyproxy offers the most important options (filtering websites) as well. For parental control, due to ease of setup and low RAM/Flash requirements, consider Tinyproxy first.
  
 Drawbacks: Drawbacks:
-  * Comparatively resource hungry and somewhat difficult to run on typical OpenWrt hardware. If this setup appeals to you consider a beefier Hardware and Software like IPFire, PFSense, Untangle, OPNSense, ... +  * If not everything else except the proxy is blocked, it can be circumvented. The firewall must block the client-device from accessing the internet directly. 
-  * Complex setup +  * The clients need to configure the proxy in their browser.
-  * If not everything else except the proxy is blocked, it can be circumvented.+
  
 ===== Time restriction of internet access ===== ===== Time restriction of internet access =====
-Helps to block internet access for a certain MAC or IP address on weekdays during specific time interval.+Block internet access for MAC or IP addresses (or everyone) on week days during specific time interval.
  
-:!: Make sure to [[docs:guide-user:firewall:fw3_configurations:dns_ipset#established_connections|reorder firewall rules]] to properly apply time restrictions, otherwise the default rule order prevents closing already established connections.+<WRAP important> 
 +  * Verify that your router has the correct time and timezone. 
 +  * Apply the following workarounds to ensure reliable operation: 
 +    * [[docs:guide-user:firewall:fw3_configurations:dns_ipset#established_connections|Reorder firewall rules]] to enforce time restrictions for already established connections. 
 +    * [[docs:guide-user:base-system:system_configuration#daylight_saving_time|Reload kernel timezone]] to handle DST-related changes. 
 +</WRAP>
  
-==== Web interface ==== +==== Web interface instructions ==== 
-First, make sure that your router has the right time **and** the right timezone.+Adjust the parameters according to your configuration.
  
-<WRAP group> +  - Navigate to **LuCI -> Network -> Firewall -> Traffic Rules**. 
-<WRAP half column> +  - Click **Add** and specify: 
-  - //Network -> Firewall -> Traffic Rules -> New forward rule// +    * Name: ''Filter-Parental-Controls'' 
-  - Add name for your rule, e.g. "Kids weeksdays", "Kids weekend" +    * Protocol: Any 
-  - Source zone: lan +    * Source zone: ''lan'' 
-  Destination zone: wan +    Destination zone: ''wan'' 
-  - Click //Add and edit// +    * Action: reject 
-  - Select //Source MAC address// or //Source address// +  - (Optional) If you want to add a MAC or IP limitation, on the **Advanced Settings** tab specify: 
-  - Set //Action// to be //Reject// +    * Source MAC address: ''00:11:22:33:44:55'' 
-  - Select weekdays +    * Source IP address: ''192.168.1.2'' 
-  - Select start/stop time +  - On the **Time Restrictions** tab specify: 
-  - Save & Apply +    * Week Days: Monday, Tuesday, Wednesday, Thursday, Friday 
-</WRAP>+    * Start Time: ''21:30:00'' 
 +    * Stop Time: ''07:00:00'' 
 +  - Click **Save**, then **Save & Apply**.
  
-<WRAP half column> +You can add another rule to apply time restrictions on weekend.
-{{media:docs:howto:firewall_-_parental_control_settings_via_luci.png?0x400|Time restriction of internet access via LuCI}} +
-</WRAP> +
-</WRAP>+
  
-==== Command-line interface ====+==== Command-line instructions ====
 Add a new firewall rule. Add a new firewall rule.
 Edit the following example code block to suit your needs and then copy-paste it into the terminal. Edit the following example code block to suit your needs and then copy-paste it into the terminal.
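Review bot: the "Blocking sites by using proxy servers" heading still has four opening and five closing equals signs, a mismatch DokuWiki does not render as a heading; it was already wrong before the rename and should be "==== Blocking sites by using proxy servers ====". In the banIP block, the url_4 value is broken across two lines; pasted into a shell as shown it gives an unterminated string, so keep the URL on one line. In the LuCI time-restriction steps, the example Start Time 21:30:00 and Stop Time 07:00:00 wrap past midnight while only Monday to Friday are selected; the netfilter time match by default checks the weekday of the day the packet arrives, so Monday 00:00 to 07:00 is blocked but Saturday 00:00 to 07:00 is not, and the text should say so (or tell the reader to include Saturday). Minor wording: "If not everything else except the proxy is blocked" is a double negative, suggest "Unless the firewall blocks all direct internet access and allows only the proxy, it can be circumvented"; "week days during specific time interval" should be "weekdays during a specific time interval"; "resource constrained" and "SNI HTTPS based" should be hyphenated.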
Line 97: Line 129:
 # Configure firewall # Configure firewall
 uci add firewall rule uci add firewall rule
-uci set firewall.@rule[-1].name="Kids weekdays"+uci set firewall.@rule[-1].name="Filter-Parental-Controls"
 uci set firewall.@rule[-1].src="lan" uci set firewall.@rule[-1].src="lan"
 uci set firewall.@rule[-1].src_mac="00:11:22:33:44:55" uci set firewall.@rule[-1].src_mac="00:11:22:33:44:55"
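Review bot: the CLI example sets src_mac unconditionally, while the LuCI steps in this revision mark the MAC/IP limitation as optional and the new intro says "or everyone"; add a comment such as "# Optional: restrict to one device" above the src_mac line so readers know to drop it for a rule that applies to all clients.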
Line 107: Line 139:
 uci commit firewall uci commit firewall
 /etc/init.d/firewall restart /etc/init.d/firewall restart
- 
-# Extra workaround for OpenWrt snapshots 
-. /etc/openwrt_release 
-if [ "${DISTRIB_RELEASE}" = "SNAPSHOT" ] 
-then 
-FW_WEEKDAYS="$(uci get firewall.@rule[-1].weekdays)" 
-uci -q delete firewall.@rule[-1].weekdays 
-uci set firewall.@rule[-1].extra="--weekdays ${FW_WEEKDAYS// /,}" 
-uci commit firewall 
-/etc/init.d/firewall restart 
-fi 
 </code> </code>
  
 ===== Restrict access to Wi-Fi by MAC address ===== ===== Restrict access to Wi-Fi by MAC address =====
-Helps to restrict access to your Wi-Fi by MAC address. +Restrict access to your Wi-Fi by MAC address.
 The primary motivation for this capability is a family member gives out the SSID and passphrase to a friend while in your home. The primary motivation for this capability is a family member gives out the SSID and passphrase to a friend while in your home.
 Later you no longer want to allow the person to use your Wi-Fi. Later you no longer want to allow the person to use your Wi-Fi.
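Review bot: the snapshot workaround for the weekdays option is removed without saying which release made it unnecessary; a short note on the minimum release, or on how to verify the generated rule (for example with iptables-save), would help readers on older firmware. In the Wi-Fi section intro, "The primary motivation for this capability is a family member gives out" needs "is that a family member gives out".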
Line 129: Line 149:
   - The most comprehensive is to create a [[docs:guide-user:network:wifi:guestwifi:start|guest Wi-Fi]].   - The most comprehensive is to create a [[docs:guide-user:network:wifi:guestwifi:start|guest Wi-Fi]].
   - Change the passphrase for the interfaces.   - Change the passphrase for the interfaces.
-  - Allow LAN access for only devices with matching MAC addresses. +  - Only allow/deny LAN access for devices with matching MAC addresses.
-  - Reject LAN access for devices with matching MAC addresses.+
  
-This section will focus on the last option using wireless interface //mac-filter// property to deny access for a list of MACs.+This section focuses on the last option using the wireless interface MAC filter option.
 This is a simple solution that can be invalidated by a smart hacker changing the MAC address of their device. This is a simple solution that can be invalidated by a smart hacker changing the MAC address of their device.
  
-==== Web interface ==== +==== Web interface instructions ==== 
-  - Network -> Wireless -> Interface Edit -MAC-Filter tab +  - Navigate to **LuCI -> Network -> Wireless**. 
-  MAC-Address Filter: Allow all except listed +  Click **Edit** on a selected interface. 
-  MAC List: Add the desired MAC address (6 hex bytes separated by colons) +  On the **MAC Address Filter** tab specify: 
-  - Save & Apply+    MAC Address Filter: 
 +      * Allow listed only 
 +      * Allow all except listed 
 +    MAC List: 
 +      * ''11:22:33:44:55:66'' 
 +      * ''aa:bb:cc:dd:ee:ff'' 
 +  - Click **Save**, then **Save & Apply**.
  
-==== Command-line interface ====+==== Command-line instructions ====
 <code bash> <code bash>
-# Use deny-type filter+# Use allow-type or deny-type filter 
 +uci set wireless.@wifi-iface[0].macfilter="allow"
 uci set wireless.@wifi-iface[0].macfilter="deny" uci set wireless.@wifi-iface[0].macfilter="deny"
  
 # Append the MAC address to the list # Append the MAC address to the list
-uci add_list wireless.@wifi-iface[0].maclist="00:11:22:33:44:55"+uci add_list wireless.@wifi-iface[0].maclist="11:22:33:44:55:66" 
 +uci add_list wireless.@wifi-iface[0].maclist="aa:bb:cc:dd:ee:ff"
  
 # Check settings # Check settings
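Review bot: the command-line block now sets macfilter to "allow" and then to "deny" on consecutive lines, so the second overrides the first and a reader who pastes the block ends up with a deny filter regardless; present them as alternatives (comment one out, or split into two blocks). The LuCI list has the same problem: "Allow listed only" and "Allow all except listed" appear as two items under MAC Address Filter as if both were to be set; say "choose one of". The merged list item "Only allow/deny LAN access for devices with matching MAC addresses" reads awkwardly; "Allow or deny LAN access based on a list of MAC addresses" is clearer. The sentence that the filter is invalidated by changing a device's MAC address is worth keeping: it tells readers this is a convenience control, not an access-control boundary.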
Line 157: Line 184:
 </code>  </code> 
  
-You need to do this for all wireless interfaces accessible by the user, such as typically: +You need to apply this for all wireless interfaces accessible by the user. 
-  5 Ghz ''@wifi-iface[0]'' or ''default_radio0'' +Typically the 5 Ghz band is ''@wifi-iface[0]'' and the 2.4 Ghz band is ''@wifi-iface[1]''.
-  * 2.4 Ghz ''@wifi-iface[1]'' or ''default_radio1''+
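Review bot: "Ghz" should be "GHz" in both occurrences, and the claim that the 5 GHz band is @wifi-iface[0] and 2.4 GHz is @wifi-iface[1] depends on the radio order of the device; the removed default_radio0/default_radio1 section names were a useful alternative, so suggest telling readers to run "uci show wireless" to confirm which index belongs to which radio before applying the filter.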
  
  • Last modified: 2023/10/14 05:53
  • by vgaetera