Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision
Previous revision
Next revisionBoth sides next revision
docs:guide-user:firewall:fw3_configurations:fw3_parent_controls [2021/12/01 11:14] – clarified optional status and added IP bobafetthotmaildocs:guide-user:firewall:fw3_configurations:fw3_parent_controls [2023/08/30 08:26] – [Blocking services with banIP] vgaetera
Line 4: Line 4:
 ===== Introduction ===== ===== Introduction =====
   * This article describes common methods to perform parental control of internet access.   * This article describes common methods to perform parental control of internet access.
-  * Make sure to apply restrictions to all source zones if you are using a firewall-based method.+  * Be sure to apply restrictions to all source zones if you are using a firewall-based method.
  
 ===== Restrict / deny / block access to certain web pages ===== ===== Restrict / deny / block access to certain web pages =====
Line 21: Line 21:
   * Dynamic hosts change their IP on a regular basis, invalidating the blacklist   * Dynamic hosts change their IP on a regular basis, invalidating the blacklist
  
-==== Blocking Name resolution (DNS) by Adblockers ====+==== Blocking name resolution (DNS) by Adblockers ====
 Follow: Follow:
 [[docs:guide-user:services:ad-blocking|Ad blocking]], [[docs:guide-user:services:ad-blocking|Ad blocking]],
Line 47: Line 47:
   * This will block all sites sharing the same IP with the targeted, so use carefully for domains which rely on [[wp>Content_delivery_network|CDNs]].   * This will block all sites sharing the same IP with the targeted, so use carefully for domains which rely on [[wp>Content_delivery_network|CDNs]].
   * Completely blocking sites that use localized domains is problematic.   * Completely blocking sites that use localized domains is problematic.
 +
 +==== Blocking services with banIP ====
 +See also:
 +[[packages:pkgdata:banip]],
 +[[packages:pkgdata:luci-app-banip]]
 +
 +banIP can block services using IP/CIDR lists, e.g. you can block WhatsApp with [[https://github.com/HybridNetworks/whatsapp-cidr|HybridNetworks/whatsapp-cidr]].
 +
 +<code bash>
 +opkg update
 +opkg install banip luci-app-banip
 +uci set banip.global.ban_enabled="1"
 +uci del_list banip.global.ban_feed="whatsapp"
 +uci add_list banip.global.ban_feed="whatsapp"
 +uci commit banip
 +. /usr/share/libubox/jshn.sh
 +json_init
 +json_load_file /etc/banip/banip.custom.feeds 2> /dev/null
 +json_add_object "whatsapp"
 +json_add_string "descr" "WhatsApp CIDR"
 +json_add_string "url_4" "https://raw.githubusercontent.com/\
 +HybridNetworks/whatsapp-cidr/main/WhatsApp/whatsapp_cidr_ipv4.txt"
 +json_add_string "rule_4" "/^[^#]/{print \$1\",\"}"
 +json_close_object
 +json_dump > /etc/banip/banip.custom.feeds
 +/etc/init.d/banip restart
 +</code>
  
 ==== Blocking sites by using proxy servers ===== ==== Blocking sites by using proxy servers =====
Line 52: Line 79:
 [[docs:guide-user:services:proxy:overview|Proxy server overview]] [[docs:guide-user:services:proxy:overview|Proxy server overview]]
  
-A proxy server like Squid can be used to block access to websites.+A proxy server like [[docs:guide-user:services:proxy:proxy.squid|Squid]] or [[docs:guide-user:services:proxy:tinyproxy|Tinyproxy]] can be used to block access to websites.
 It can check HTTP(S) specific details. It can check HTTP(S) specific details.
 The huge benefit of this option is to have the finest level of control. The huge benefit of this option is to have the finest level of control.
 It can even distinguish in cases where a single server with a single IP runs for example a blacklisted and whitelisted domain at once. It can even distinguish in cases where a single server with a single IP runs for example a blacklisted and whitelisted domain at once.
 +
 +Squid offers many features like SNI HTTPS based filtering, SSL-bump and splice. However, for typical resource constrained devices, Tinyproxy offers the most important options (filtering websites) as well. For parental control, due to ease of setup and low RAM/Flash requirements, consider Tinyproxy first.
  
 Drawbacks: Drawbacks:
-  * Comparatively resource hungry and somewhat difficult to run on typical OpenWrt hardware. If this setup appeals to you consider a beefier hardware and software like IPFire, pfSense, Untangle, OPNsense, etc. +  * If not everything else except the proxy is blocked, it can be circumvented. The firewall must block the client-device from accessing the internet directly. 
-  * Complex setup +  * The clients need to configure the proxy in their browser.
-  * If not everything else except the proxy is blocked, it can be circumvented.+
  
 ===== Time restriction of internet access ===== ===== Time restriction of internet access =====
  • Last modified: 2023/10/14 05:53
  • by vgaetera