Thursday, June 03, 2010

GTOW (Geek tip of the week)

This week we swerve into some deep geek...  Router setup and then content filtering - geek style!    Don't run away - it's not nearly as tough as you might think.  If you are totally freaked out about this topic - at least give the geek squad a call and hand them a copy of this article to make your wishes clear.

First - why should I care?  Well folks, I fear the days of open WiFi are over.  Not because of hackers getting into your secrets on your home network but thanks to stupid ISP policy and even law.

A friend of mine recently got his "first strike" warning from his ISP for downloading a film that he would never have any interest in seeing.   The film was in fact contrary to both his political and religious beliefs.  He is an IT professional and has a good gauge on the technical abilities and proclivities of his children.  When he says he did not download this film - I believe him.  His wireless net had been in existence for some years and was, however, set up with some pretty simple security by today's standards.  Plus, if I personally were going to do something of a nefarious nature online - well, that neighbor with the open SSID of "Netgear" would be my first stop.

Time for a tuneup.  First of all, LifeHacker is running a story that goes over the basics of securing your router, so I will defer to their article - for security's sake, pay particular attention to the section on setting up WPA encryption. If you want to earn the propeller beanie award and continue below with setting up content filtering, you will also need to complete the section on dynamic DNS... 

Then come back and continue...

Content filtering.  If you have kids in the house and care about what they see online, this is the section for you.  Now maybe you are one of those parents that says "no computers in the bedroom" - well, that used to be enough.  These days, however, iPods, phones and handheld games like PSPs and Gameboys have wifi capability too. 

Many routers come with paid options to perform content filtering services.  Some actually work.  If you don't mind paying a monthly fee in exchange for clicking that one button - well then, click it and stop here.  But no beanie for you.  For those that are cheap bastards (like me) and want a filter that actually works, and doesn't require any maintenance on your part - welcome to geekdom.  Read on. 

Here is the overview of what we are going to do:  Finding sites on the net requires the ability to query DNS servers for the IP address of the site.  If you control DNS - you pretty much control where your little hackers can go*. So, we are going to take control and then use DNS servers that direct queries for sites we don't like to a page that wags the virtual finger.

Be aware - There are ways around this* but if your kids are smart and determined enough to pull them off - well stop worrying about porn sites and start saving for a Co-Sci degree.  (or lawyer fees)

The first step is to take control of DNS.   Your router should have a setting - probably in the LAN configuration - where it asks if it should be the DNS server for your network.  It might also ask if it should be a DNS caching server - answer yes.   You can also tell if this is already set up by looking at your workstation's settings.  On Windows - type ipconfig /all at a command line.  If your DNS server(s) are the same IP address as your default gateway - your router is already serving DNS for your network.  This is the default setting for most routers.

This is very important, before you go on with any of the steps in this article:  Go to the WAN setup on your router.  Set the DNS servers to and (the two OpenDNS servers) and let your router restart.

Next, we need to make sure that your little dears can't just manually set the DNS servers on their iPods and go right around this measure.  This is probably the most technical part of this article.  Go get yourself a bourbon and settle in.  

You will need to set up two rules on your router.  You might want to go download the user/administrator's manual for your router and have it handy.  Before doing this you need to know two things.  First - DNS runs on port 53.  Second - firewall rules generally work in what is referred to as an ACL (or Access Control List) fashion.  Basically you list the rules in the order you want them evaluated, i.e. if you want traffic to go through to a particular site, you put that rule before the rule that says "Deny all", working from the top.  When it gets traffic, the firewall will work down the list in an IF - THEN - ELSE logic:   IF the traffic meets this criteria THEN do this action, ELSE move on to the next rule. 

Find the rules section in your router and create one that allows traffic from any system on your network, on port 53, to access the servers and  (these are the DNS servers we want to use). On most routers you will probably have to define both of these IP addresses and then put them in a net group that you can reference in your rule.  There may be a section called "definitions" or "rule elements" where you do this. 

Next - right below the rule you just created - make another rule that denies all traffic on port 53 to all sites.  You have just made sure that the only DNS servers that can be used from your network are those that belong to OpenDNS.
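The two-rule ACL above, as an added example that is not part of the original post: a small first-match evaluator that models the allow-then-deny pair on port 53 and shows why the order matters (reversing the rules blocks even the resolvers you want). The resolver addresses and the LAN range are labelled placeholders, since the post does not list them here; DNS uses both UDP and TCP on port 53, so both are checked.

```python
# Added example (not from the original post): a first-match ACL evaluator that
# models the two port-53 rules described above. Routers apply rules in this
# same top-down, first-match order, so rule order decides what gets through.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Placeholders (RFC 5737 TEST-NET addresses) for the two filtering resolvers;
# substitute the real resolver IPs from your provider.
ALLOWED_DNS = frozenset({ip_address("192.0.2.53"), ip_address("192.0.2.54")})
LAN = ip_network("192.168.1.0/24")  # assumed home LAN range

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "udp" or "tcp"; DNS uses both on port 53
    dport: int

@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    dport: int
    dst_in: Optional[frozenset]   # None means "any destination"

    def matches(self, pkt: Packet) -> bool:
        if pkt.dport != self.dport or ip_address(pkt.src) not in LAN:
            return False
        return self.dst_in is None or ip_address(pkt.dst) in self.dst_in

def evaluate(rules, pkt: Packet, default: str = "allow") -> str:
    """Walk the list top-down; the first matching rule wins (IF/THEN/ELSE)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default  # not port-53 traffic: fall through to the router default

# Rule 1 must sit above rule 2, exactly as the post describes.
DNS_RULES = [Rule("allow", 53, ALLOWED_DNS), Rule("deny", 53, None)]

def check_examples() -> dict:
    ok = Packet("192.168.1.20", "192.0.2.53", "udp", 53)
    bypass = Packet("192.168.1.20", "198.51.100.1", "udp", 53)  # hand-set DNS
    tcp = Packet("192.168.1.20", "192.0.2.54", "tcp", 53)       # TCP DNS too
    web = Packet("192.168.1.20", "198.51.100.1", "tcp", 443)    # untouched
    reversed_rules = list(reversed(DNS_RULES))  # the classic ordering mistake
    return {"allowed_resolver": evaluate(DNS_RULES, ok),
            "other_resolver": evaluate(DNS_RULES, bypass),
            "tcp_dns": evaluate(DNS_RULES, tcp),
            "web": evaluate(DNS_RULES, web),
            "reversed_order": evaluate(reversed_rules, ok)}
```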

Now we need to tell OpenDNS what you do and do not want to be able to access from your net. Unless you are paying for a fixed IP address from your ISP (you would know if you were), you need some way to give OpenDNS a way to identify traffic from YOUR network.  This is where that dynamic DNS setup from the Lifehacker article comes in handy.  Go to and create an account (it's free).   When OpenDNS asks how to identify your network, use the dynamic DNS host that you set up (e.g.  Then set the level of filtering that you think is appropriate for your kiddos.  Save.  Give OpenDNS a little time to complete the changes and you are done.   Test it by attempting to access a site you know should be blocked.  If you blocked Adult/Porn - try 

Now that you have done all this work on your router/firewall - don't forget to BACK UP the settings.  Now go reward yourself in geek style and be proud to wear the propeller beanie!  

*Notes:  Yes, you can get around this type of filtering by knowing the direct IP of a site or by doing something like an SSH tunnel to a proxy, but be serious.  You can watch logs and block a handful of specific IPs if needed, and if your kid has the chops to set up an SSH tunnel he's smart enough to know trouble when he sees it.

Recommended reading:  WPA encryption; Bad Laws

Recommended sites/services:  OpenDNS; DynDNS

Posted via email from ninjahippie's (pre) posterous