Content Filtering Specifics with Linksys WRT54G Routers


Lars Rasmussen

Jan 13, 2010, 10:56:26 AM
to LDSOSS
It's more and more common for me to use the following steps for
filtering at members' homes, usually by parental and/or bishop's
request:

1. Assign a password to the router

2. Change all 3 DNS servers to reference OpenDNS' DNS servers instead
of the ISP's DNS servers

3. Create an account on OpenDNS

4. Install the OpenDNS Client updater on a PC to retain filtering
preferences when the public IP changes (for dynamic IP addresses)

5. Set filtering preferences on OpenDNS

6. On Windows PCs, Install the free Bluecoat K9 Web Protection client
software and set filtering preferences


Now comes the loosely related open source question. One of the
weaknesses of the above approach is the dependence on number 4.
OpenDNS needs to know the IP address being used in order to enforce
specific filtering preferences. If the client IP address changes and
OpenDNS isn't notified the filtering preferences are lost.

My thought is there might be a way to use custom firmware such as
DD-WRT or Tomato and somehow include the Dynamic DNS update for a content
filtering service such as OpenDNS.

I'd like to address this weakness in my approach and receive
suggestions on how to implement it without paying for software. Any
ideas? What do you use?

Lars Rasmussen
Springville, Utah

Paul Eden

Jan 13, 2010, 12:34:14 PM
to lds...@googlegroups.com
Some routers have dynamic dns service updating built into their company-supplied firmware (newer Netgear routers come to mind). Your (very good) solution would work without any flashing of firmware with such a router.

With that said, flashing a WRT54G is a very viable method as well.

I hadn't heard of k9 before (thanks for mentioning it!).  It looks great.

If the home client nodes do not run windows as the OS, and hence cannot use k9, I have found that using dansguardian and squid on a small linux server configured as a transparent proxy and the default gateway for the network to be a nice complement/extra layer of safety to OpenDNS' filtering. It does take some configuring though.

Paul Eden

--
You received this message because you are subscribed to the Google
Groups "LDSOSS" group.
To post to this group, send email to lds...@googlegroups.com
To unsubscribe from this group, send email to
ldsoss-un...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/ldsoss?hl=en

Visit our wiki at http://ldsoss.org!



--
Best Regards,

Paul Eden

"...and a little looking out for the other guy too."
- Mr. Smith

John Harrison

Jan 13, 2010, 1:01:50 PM
to lds...@googlegroups.com
K9 runs on Macs as well as Windows, and it is free:

Russell Hltn

Jan 13, 2010, 1:09:02 PM
to lds...@googlegroups.com
On Wed, Jan 13, 2010 at 7:34 AM, Paul Eden <benc...@gmail.com> wrote:
> Some routers have dynamic dns service updating built into their
> company-supplied firmware (newer netgear routers come to mind).  Your (very
> good) solution would work without any flashing of firmware with such a
> router.

Yes, but how do you use that with OpenDNS?

Pete Whiting

Jan 13, 2010, 2:48:02 PM
to lds...@googlegroups.com
On Wed, Jan 13, 2010 at 8:56 AM, Lars Rasmussen
<lars.ra...@gmail.com> wrote:
>
> It's more and more common for me to use the following steps for
> filtering at members' homes, usually by parental and/or bishop's
> request:
[snip]

> 4. Install the OpenDNS Client updater on a PC to retain filtering
> preferences when the public IP changes (for dynamic IP addresses)
[snip]

>
> Now comes the loosely related open source question.  One of the
> weaknesses of the above approach is the dependence on number 4.
> OpenDNS needs to know the IP address being used in order to enforce
> specific filtering preferences.  If the client IP address changes and
> OpenDNS isn't notified the filtering preferences are lost.
>
> My thought is there might be a way to use custom firmware such as
> DD-WRT or Tomato and somehow include the Dynamic DNS update for a content
> filtering service such as OpenDNS.

Currently I'm using openwrt kamikaze (xwrt branch - http://x-wrt.org/)
at home and have written a small app to do the opendns update from
that platform and run it in my crontab. It would be absolutely trivial
if opendns didn't require the update session to be ssl. Haven't looked
at it since I wrote it - my guess is openwrt supports this out of the
box but where is the fun in that? If you want, I can send you the
source or the binary.

I installed a second wrt running Gargoyle (openwrt derivative):
http://en.wikipedia.org/wiki/Gargoyle_Router_Firmware. I noticed it
has opendns support out of the box. Again, I expect stock openwrt does
the same.

On the router I add a forwarding rule that blocks all port 53 traffic
- since the forwarding rule doesn't apply to packets destined to the
router or originated from the router, the router can do dns lookups
against opendns but the computers behind the router have to accept the
dhcp offered dns servers (the router). This eliminates the possibility
that someone manually configures different dns servers on a computer
in the house.

Having linux on this device is great. My firewall rules change on
sunday and late at night to a more restrictive profile, I do string
matching in forwarded packets for stuff I don't want in the house, and
I keep a record of all image urls that pass through the device. For a
while I had it change all youtube thumbnails to pictures of barney.
Now I just block youtube. Cool toy for $50.
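
Added example, not Pete's rules or any code from this thread: a shell check over `iptables-save` output for the forwarding block described in the post above, confirming that new port 53 packets are dropped in the FORWARD chain for both UDP and TCP before any rule accepts them. The sample ruleset and the `br0` interface name are constructed, and the check assumes iptables with a flat FORWARD chain.

```shell
#!/bin/sh
# Added example (not from the thread). Heuristic: only the flat FORWARD chain
# is read; user-defined chains and -s/-i/-o matches are not evaluated.

# Ruleset on stdin -> "udp=<blocked|open> tcp=<blocked|open>"
audit_dns_forward() {
    awk '
    /^:FORWARD / { policy = $2 }
    /^-A FORWARD / {
        proto = ""; dport = ""; verdict = ""; newpkt = 1
        for (i = 3; i < NF; i++) {
            if ($i == "-p") proto = $(i + 1)
            else if ($i == "--dport") dport = $(i + 1)
            else if ($i == "-j") verdict = $(i + 1)
            else if ($i == "--state" || $i == "--ctstate")
                newpkt = ($(i + 1) ~ /NEW/)   # ESTABLISHED-only rules skip new queries
        }
        n = split("udp tcp", protos, " ")
        for (k = 1; k <= n; k++) {
            p = protos[k]
            hits = (proto == "" || proto == p) && (dport == "" || dport == "53") && newpkt
            if (!hits || (p in res)) continue          # first matching rule wins
            if (verdict == "DROP" || verdict == "REJECT") res[p] = "blocked"
            else if (verdict == "ACCEPT") res[p] = "open"
        }
    }
    END {
        fallback = (policy == "DROP") ? "blocked" : "open"
        u = ("udp" in res) ? res["udp"] : fallback
        t = ("tcp" in res) ? res["tcp"] : fallback
        print "udp=" u " tcp=" t
    }'
}

# Constructed sample: $1 = extra FORWARD rule placed before the LAN accept.
sample_ruleset() {
    cat <<EOF
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p udp -m udp --dport 53 -j DROP
$1
-A FORWARD -i br0 -j ACCEPT
COMMIT
EOF
}

sample_ruleset "" | audit_dns_forward
sample_ruleset "-A FORWARD -p tcp -m tcp --dport 53 -j DROP" | audit_dns_forward
```

On a live router the same function can be fed with `iptables-save | audit_dns_forward`.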

Paul Eden

Jan 13, 2010, 3:36:41 PM
to lds...@googlegroups.com
Just set up the router as a dhcp server and specify the OpenDNS nameservers as the nameservers to distribute via dhcp.



Pete Whiting

Jan 13, 2010, 3:56:13 PM
to lds...@googlegroups.com
On Wed, Jan 13, 2010 at 1:36 PM, Paul Eden <benc...@gmail.com> wrote:
> Just setup the router as a dhcp server and specify the OpenDNS nameservers
> as the nameservers to distribute via dhcp.

He is trying to get the part of opendns working which allows opendns
to associate a policy with the source ip address of the dns request.
To do that something needs to be contacting opendns saying "hey, the
ip address of my cable modem is y.y.y.y."
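
Added example, not Pete's app and not OpenDNS's own client: the logic of one cron run of a router-side updater as discussed in this thread, sending an update over HTTPS only when the WAN address has changed and recording the address only after the server confirms it. The endpoint URL, the network label `home`, the netrc and state file paths, and the dyndns2-style reply words are assumptions to check against the provider's documentation.

```shell
#!/bin/sh
# Added example (not from the thread): one cron run of a router-side updater.
# Assumptions: the endpoint URL, the label "home", the netrc path and the
# dyndns2-style reply words (good, nochg, badauth, nohost, 911).
UPDATE_URL="https://updates.opendns.com/nic/update"
NETWORK_LABEL="home"

# Accept only a dotted-quad IPv4 address with octets 0-255.
valid_ipv4() {
    o='(25[0-5]|2[0-4][0-9]|1?[0-9]?[0-9])'
    printf '%s\n' "$1" | grep -Eq "^($o\.){3}$o\$"
}

# Map the server reply to an action for the caller.
classify_reply() {
    case "$1" in
        good*|nochg*)     echo ok ;;     # address accepted or already current
        badauth*|nohost*) echo fatal ;;  # config error: retrying will not help
        *)                echo retry ;;  # 911, empty reply, timeout
    esac
}

# Real sender: HTTPS with certificate checks on, credentials in a 0600 netrc
# file so the password never shows up in the process list. The server takes
# the new address from the source of this request.
send_update() {
    curl -sS --max-time 20 --netrc-file /etc/opendns.netrc \
        "$UPDATE_URL?hostname=$NETWORK_LABEL"
}

# ddns_step <wan_ip> <state_file> [sender]: prints ok|unchanged|retry|fatal|
# blocked|invalid. Only a confirmed update is written to the state file.
ddns_step() {
    ip=$1; state=$2; sender=${3:-send_update}
    valid_ipv4 "$ip" || { echo invalid; return 0; }
    [ -f "$state.blocked" ] && { echo blocked; return 0; }
    [ "$(cat "$state" 2>/dev/null)" = "$ip" ] && { echo unchanged; return 0; }
    reply=$("$sender" 2>/dev/null) || reply=""
    action=$(classify_reply "$reply")
    case "$action" in
        ok)    printf '%s\n' "$ip" > "$state" ;;
        fatal) : > "$state.blocked" ;;  # operator fixes config, then deletes
    esac
    echo "$action"
}

# Usage from cron: updater.sh <wan_ip> [state_file]
if [ -n "${1:-}" ]; then ddns_step "$1" "${2:-/tmp/opendns.last}"; fi
```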

Sean Gates

Jan 13, 2010, 4:51:45 PM
to lds...@googlegroups.com
Exactly.  This has nothing to do with using OpenDNS as your nameservers generally, but has to do with any requests from IP address x.x.x.x accessing certain sites or content.

I have it set up this way at my home, but I have a static IP address through a Comcast Business account. I wish it were that way for everyone. It would be a much simpler process.

-- Sean

Paul Eden

Jan 13, 2010, 5:02:48 PM
to lds...@googlegroups.com
My fault, you are right.

Here is a possible way that the netgear router could update the dynamic-public IP opendns has on record for a particular account.


Also, certain Netgear routers have what they call "Live Parental Controls powered by OpenDNS", which is essentially (to my knowledge) what we are talking about in this thread. Info on that below.


Paul

Lars Rasmussen

May 26, 2010, 1:30:39 AM
to LDSOSS
Found and implemented an answer - Tomato firmware allows for multiple
DDNS providers, eliminating the need for step #4.

Thank You!
--
Lars

additional details:

OpenDNS + K9 + DynDNS + Tomato firmware on the router intercepting all
DNS UDP port 53 requests.

Tomato also allows me to 'Block All Internet Access' or to disable
wireless during certain hours. Even with all this tech you still need
to physically secure the router and other equipment that grants open
ethernet access (like cable/DSL "modems") if you want to lock things
down.

I also install Firefox with the Adblock Plus extension as many ads are
offensive/distracting/take up space on the page and bandwidth.

With Tomato I don't need a DDNS client/service installed on one of the
computers when the dynamic IP address changes.

http://www.hugolarge.com/2009/01/using-multiple-ddns-providers-with-tomato-firmware/
