r3dux.org

Tomato firmware is a free, downloadable firmware for the Linksys WRT series and some Buffalo and Asus routers which provides vastly improved functionality over the stock firmware. One of the nice things about Tomato, assuming you have a router which it’ll run on, is that it provides a very configurable method of selectively blocking access to the net in general, specific applications or protocols, or even specific websites. So if you have youngish kids who have (largely) unsupervised access to a computer with a net connection, you can keep them away from social networking sites like facebook, myspace, habbo etc. pretty easily. Here’s how:

1.) Go to you routers web interface (http://192.168.1.1 on my setup) and click on Access Restriction

2.) Click on Add to create a new rule

3.) Untick Block All Internet Access to display the full options list, and set it up something like this:

In the above example I’m only blocking selected machines (so the wife still has access to facebook etc.) – the PC the kids have access to is 192.168.1.105, and my IP is 101 (so I can test the blocks on my machine before removing myself from the block list).

The blocklist uses regex sub-string matching to decide which sites to block as follows:

• Regular words on their own are blocked if they occur anywhere in the site URL, so for example, having the word facebook in there will block sites such as: http://facebook.com, http://www.facebook.com, http://facebook.com.au, anything.facebook.anything-else
• Words with a dollar sign at the end of them will block domains ending with what you’ve specified, that is, putting: .com$ would block ALL sites ending with .com, so putting slashdot.org$ would block slashdot.org, linux.slashdot.org, games.slashdot.org, hardware.slashdot.org etc. etc.
• Words starting with a caret (^) block all domains starting with what you’ve specied, that is, putting: ^chat will block sites like http://chatworld.com, http://chat.parachat.com but not http://www.chatworld.com or http://www.parachat.com
• Words starting with a caret and ending with a dollar sign blocks that exact address, i.e. ^www.r3dux.org$ would block http://www.r3dux.org, but not http://r3dux.org or http://www.r3dux.org?p=1407 (i.e.this page)

You can also block specific protocols (BitTorrent, eDonkey, LimeWire etc.) using the built-in IPP2P module, or via Layer 7 (Application Layer) deep packet inspection, which can detect and block traffic of specific types (World of Warcraft, FTP, Flash etc. etc.) regardless of what port they’re running on. Which is both amazingly awesome and slightly depressing at the same time.

I’m a firm believer in preparing the child for the world, and not the world for the child – but sometimes it can make life easier to restrict the amount of mischief they can get up to, hence the social networking blockage. Now all you need to do is make sure you’ve got a strong password on your router (which isn’t stored on a post-it note under your keyboard) and you can keep the little darlings out of harms way with a few clicks… Until they discover pr0n, where you’re going to probably going to have to take a whitelist rather than a blacklist approach like this.

Once you’ve started, where does it end, eh?

Anyways – Happy Benevolent Dictatorship!