Differences
| docs:guide-user:firewall:fw3_configurations:fw3_parent_controls [2021/03/24 10:46] – formatting vgaetera | docs:guide-user:firewall:fw3_configurations:fw3_parent_controls [2023/08/30 08:26] – [Blocking services with banIP] vgaetera | ||
|---|---|---|---|
| Line 4: | Line 4: | ||
| ===== Introduction ===== | ===== Introduction ===== | ||
| * This article describes common methods to perform parental control of internet access. | * This article describes common methods to perform parental control of internet access. | ||
| - | * Make sure to apply restrictions to all source zones if you are using a firewall-based method. | + | * Be sure to apply restrictions to all source zones if you are using a firewall-based method. |
| ===== Restrict / deny / block access to certain web pages ===== | ===== Restrict / deny / block access to certain web pages ===== | ||
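Review bot: the rewording from "Make sure" to "Be sure" is fine, but the item would be more useful if it said why all source zones matter: a rule scoped to a single source zone such as lan does nothing for a client that joins through a guest or other zone, so each zone that child devices can reach needs its own copy of the restriction.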
| Line 13: | Line 13: | ||
| If a server is running at a single IP or just uses a small set of IPs, blocking these IPs in fw3 is a very efficient way to block this site. | If a server is running at a single IP or just uses a small set of IPs, blocking these IPs in fw3 is a very efficient way to block this site. | ||
| It is the quickest and most efficient way of blocking websites and is well supported even in the web interface. | It is the quickest and most efficient way of blocking websites and is well supported even in the web interface. | ||
| - | Assuming OpenWrt operates with a LAN and WAN zone a filter in the FORWARDING | + | Assuming OpenWrt operates with a LAN and WAN zone a filter in the FORWARD |
| ASN lists could be used to block large numbers of IPs belonging to certain companies. | ASN lists could be used to block large numbers of IPs belonging to certain companies. | ||
| A script would be used to fetch all current IPs assigned to a certain company and this information is used to update the firewall accordingly. | A script would be used to fetch all current IPs assigned to a certain company and this information is used to update the firewall accordingly. | ||
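Review bot: "FORWARDING" to "FORWARD" is the right correction, since FORWARD is the actual netfilter chain name and routed lan-to-wan traffic is what the rule must catch. While touching this sentence, it is worth adding that an address-based block has to list the server's IPv6 addresses as well as its IPv4 ones, otherwise a dual-stack client simply reaches the site over the unblocked family.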
| Line 21: | Line 21: | ||
| * Dynamic hosts change their IP on a regular basis, invalidating the blacklist | * Dynamic hosts change their IP on a regular basis, invalidating the blacklist | ||
| - | ==== Blocking | + | ==== Blocking |
| Follow: | Follow: | ||
| [[docs: | [[docs: | ||
| Line 38: | Line 38: | ||
| ==== Blocking IPs based on their domain names (FQDN, host names) ==== | ==== Blocking IPs based on their domain names (FQDN, host names) ==== | ||
| Follow: | Follow: | ||
| - | [[docs: | + | [[docs: |
| Since OpenWrt in a typical setup with a LAN and WAN zone does the name resolution and the firewall at the same time, all information is there to match domain names, their current IPs as they are handed out to the LAN-hosts and act accordingly in the firewall. | Since OpenWrt in a typical setup with a LAN and WAN zone does the name resolution and the firewall at the same time, all information is there to match domain names, their current IPs as they are handed out to the LAN-hosts and act accordingly in the firewall. | ||
| Line 47: | Line 47: | ||
| * This will block all sites sharing the same IP with the targeted, so use carefully for domains which rely on [[wp> | * This will block all sites sharing the same IP with the targeted, so use carefully for domains which rely on [[wp> | ||
| * Completely blocking sites that use localized domains is problematic. | * Completely blocking sites that use localized domains is problematic. | ||
| + | |||
| + | ==== Blocking services with banIP ==== | ||
| + | See also: | ||
| + | [[packages: | ||
| + | [[packages: | ||
| + | |||
| + | banIP can block services using IP/CIDR lists, e.g. you can block WhatsApp with [[https:// | ||
| + | |||
| + | <code bash> | ||
| + | opkg update | ||
| + | opkg install banip luci-app-banip | ||
| + | uci set banip.global.ban_enabled=" | ||
| + | uci del_list banip.global.ban_feed=" | ||
| + | uci add_list banip.global.ban_feed=" | ||
| + | uci commit banip | ||
| + | . / | ||
| + | json_init | ||
| + | json_load_file / | ||
| + | json_add_object " | ||
| + | json_add_string " | ||
| + | json_add_string " | ||
| + | HybridNetworks/ | ||
| + | json_add_string " | ||
| + | json_close_object | ||
| + | json_dump > / | ||
| + | / | ||
| + | </ | ||
| ==== Blocking sites by using proxy servers ===== | ==== Blocking sites by using proxy servers ===== | ||
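Review bot: the custom feed in the new banIP section pulls its CIDR list from an external repository (the HybridNetworks URL) and applies it as-is on every refresh, so whoever maintains that list effectively decides what this router blocks; the text should say that the list is third-party data to be reviewed before use, and it should repeat the caveat from the previous section that an IP/CIDR block also hits every other site sharing those ranges. On the shell snippet: `json_load_file` is not checked, so if the custom feed file is missing or unparsable the following `json_dump >` overwrites it with only the new entry; guarding the load (or at least noting that the file is rewritten) would avoid silently discarding other custom feeds. The `uci del_list` before `uci add_list` is a good touch for re-runnable copy-paste. Finally, the context heading "==== Blocking sites by using proxy servers =====" opens with four equals signs and closes with five; since this hunk already edits the surrounding area, it could be fixed in passing.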
| Line 52: | Line 79: | ||
| [[docs: | [[docs: | ||
| - | A proxy server like Squid can be used to block access to websites. | + | A proxy server like [[docs: |
| It can check HTTP(S) specific details. | It can check HTTP(S) specific details. | ||
| The huge benefit of this option is to have the finest level of control. | The huge benefit of this option is to have the finest level of control. | ||
| It can even distinguish in cases where a single server with a single IP runs for example a blacklisted and whitelisted domain at once. | It can even distinguish in cases where a single server with a single IP runs for example a blacklisted and whitelisted domain at once. | ||
| + | |||
| + | Squid offers many features like SNI HTTPS based filtering, SSL-bump and splice. However, for typical resource constrained devices, Tinyproxy offers the most important options (filtering websites) as well. For parental control, due to ease of setup and low RAM/Flash requirements, | ||
| Drawbacks: | Drawbacks: | ||
| - | | + | * If not everything else except the proxy is blocked, it can be circumvented. The firewall must block the client-device from accessing the internet directly. |
| - | * Complex setup | + | * The clients need to configure the proxy in their browser. |
| - | | + | |
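Review bot: the first drawback, "If not everything else except the proxy is blocked, it can be circumvented", is a double negative; suggest "Unless direct internet access is blocked at the firewall, the proxy can be bypassed" followed by the existing sentence about blocking the client device. Together with the second drawback (clients must configure the proxy) this means the firewall should allow child devices only the proxy port and drop everything else. In the new Squid/Tinyproxy paragraph, "filtering websites" overstates what Tinyproxy can do for HTTPS: it sees only the host and port from the CONNECT request, not the URL path, so filtering is by domain there; stating that limitation next to the SNI/SSL-bump remark for Squid keeps the comparison honest.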
| ===== Time restriction of internet access ===== | ===== Time restriction of internet access ===== | ||
| - | Block internet access for MAC or IP addresses on week days during specific time interval. | + | Block internet access for MAC or IP addresses |
| <WRAP important> | <WRAP important> | ||
| Line 72: | Line 100: | ||
| </ | </ | ||
| - | ==== Web interface ==== | + | ==== Web interface |
| Adjust the parameters according to your configuration. | Adjust the parameters according to your configuration. | ||
| Line 82: | Line 110: | ||
| * Destination zone: '' | * Destination zone: '' | ||
| * Action: reject | * Action: reject | ||
| - | - On the **Advanced Settings** tab specify: | + | - (Optional) If you want to add a MAC or IP limitation, on the **Advanced Settings** tab specify: |
| * Source MAC address: '' | * Source MAC address: '' | ||
| + | * Source IP address: '' | ||
| - On the **Time Restrictions** tab specify: | - On the **Time Restrictions** tab specify: | ||
| * Week Days: Monday, Tuesday, Wednesday, Thursday, Friday | * Week Days: Monday, Tuesday, Wednesday, Thursday, Friday | ||
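Review bot: making the MAC/IP limitation optional is sensible, but the new "Source IP address" option deserves one caveat in the step: the restriction only holds while the device keeps that address, so it should be paired with a static DHCP lease, and both the MAC and the IP match rely on values the client itself presents (the page says as much about MAC changes in the later section). Noting that here keeps readers from treating the rule as tamper-proof.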
| Line 92: | Line 121: | ||
| You can add another rule to apply time restrictions on weekend. | You can add another rule to apply time restrictions on weekend. | ||
| - | ==== Command-line | + | ==== Command-line |
| Add a new firewall rule. | Add a new firewall rule. | ||
| Edit the following example code block to suit your needs and then copy-paste it into the terminal. | Edit the following example code block to suit your needs and then copy-paste it into the terminal. | ||
| Line 110: | Line 139: | ||
| uci commit firewall | uci commit firewall | ||
| / | / | ||
| - | |||
| - | # Extra workaround for OpenWrt snapshots | ||
| - | . / | ||
| - | if [ " | ||
| - | then | ||
| - | FW_WEEKDAYS=" | ||
| - | uci -q delete firewall.@rule[-1].weekdays | ||
| - | uci set firewall.@rule[-1].extra=" | ||
| - | uci commit firewall | ||
| - | / | ||
| - | fi | ||
| </ | </ | ||
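Review bot: dropping the snapshot workaround (the `extra`-option fallback that replaced `weekdays`) is fine only if current snapshots honor the `weekdays` option in the rule natively; if they do not, the rule would lose its day restriction silently and block on every day of the week. The change summary should say which firewall version made the fallback unnecessary so that readers on older snapshots know to check with `uci show firewall` or the firewall status page that the day restriction actually took effect.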
| Line 131: | Line 149: | ||
| - The most comprehensive is to create a [[docs: | - The most comprehensive is to create a [[docs: | ||
| - Change the passphrase for the interfaces. | - Change the passphrase for the interfaces. | ||
| - | - Allow LAN access for only devices with matching MAC addresses. | + | - Only allow/ |
| - | - Reject | + | |
| - | This section | + | This section |
| This is a simple solution that can be invalidated by a smart hacker changing the MAC address of their device. | This is a simple solution that can be invalidated by a smart hacker changing the MAC address of their device. | ||
| - | ==== Web interface ==== | + | ==== Web interface |
| - Navigate to **LuCI -> Network -> Wireless**. | - Navigate to **LuCI -> Network -> Wireless**. | ||
| - Click **Edit** on a selected interface. | - Click **Edit** on a selected interface. | ||
| - | - On the **MAC-Filter** tab specify: | + | - On the **MAC Address |
| - | * MAC-Address Filter: Allow all except listed | + | * MAC Address Filter: |
| - | * MAC List: Add the desired MAC address (6 hex bytes separated by colons) | + | * Allow listed only |
| + | * Allow all except listed | ||
| + | * MAC List: | ||
| + | * '' | ||
| + | * '' | ||
| - Click **Save**, then **Save & Apply**. | - Click **Save**, then **Save & Apply**. | ||
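Review bot: listing both "Allow listed only" and "Allow all except listed" is an improvement, but the step should say which one fits which goal, because they have opposite security defaults: "Allow listed only" is deny-by-default (only the approved devices can join), while "Allow all except listed" blocks just the named devices and lets any other device connect. For parental control the allow-list mode is the stricter choice; the deny mode is only appropriate when the child's device is known and all other devices are trusted.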
| - | ==== Command-line | + | ==== Command-line |
| <code bash> | <code bash> | ||
| - | # Use deny-type filter | + | # Use allow-type or deny-type filter |
| + | uci set wireless.@wifi-iface[0].macfilter=" | ||
| uci set wireless.@wifi-iface[0].macfilter=" | uci set wireless.@wifi-iface[0].macfilter=" | ||
| # Append the MAC address to the list | # Append the MAC address to the list | ||
| - | uci add_list wireless.@wifi-iface[0].maclist=" | + | uci add_list wireless.@wifi-iface[0].maclist=" |
| + | uci add_list wireless.@wifi-iface[0].maclist=" | ||
| # Check settings | # Check settings | ||
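Review bot: the two consecutive `uci set wireless.@wifi-iface[0].macfilter=...` lines are a copy-paste trap: the second assignment overwrites the first with no error, so a reader who pastes the block verbatim ends up with whichever mode is on the second line rather than the one they intended. Suggest commenting one of them out, for example `# allow-type: uci set ... macfilter="allow"` and `# deny-type: uci set ... macfilter="deny"` with only one active. Likewise `uci add_list ... maclist` appends on every run, so pasting twice duplicates entries; a `uci -q delete wireless.@wifi-iface[0].maclist` before the `add_list` lines would mirror the `del_list` pattern used in the banIP snippet and keep the block re-runnable.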
| Line 161: | Line 184: | ||
| </ | </ | ||
| - | You need to do this for all wireless interfaces accessible by the user, such as typically: | + | You need to apply this for all wireless interfaces accessible by the user. |
| - | | + | Typically the 5 Ghz band is '' |
| - | * 2.4 Ghz - '' | + | |
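Review bot: the unit in "5 Ghz" (and the removed "2.4 Ghz" line) should be written "GHz". The new sentence "You need to apply this for all wireless interfaces accessible by the user" is clearer than the old one; it could also remind readers that a guest or additional SSID on the same radio is a separate wifi-iface section and needs the same filter, which is the practical reason the rule has to be repeated per interface.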