access restrictions rules

FRiC
Posts: 62
Joined: Sat Sep 27, 2008 8:03 am
Post by FRiC »

I'm wondering if the access restrictions rules can be executed as ordered, or if the rules are exclusive of each other?

i.e., I want to have restrictions working by the order they appear
1- permanently block some sites (facebook, etc.)
2- allow unlimited access to some sites (school/company website)
3- always block all downloads (.exe, .zip, .mp3, etc.)
4- otherwise allow web access by time of day...

I tried to set things up like above, but it seems that entering some rules will automatically delete other rules. (But I don't know if this is a bug or if it's by design, since the GUI still appears buggy.) Plus I can't re-order the rules. Can this be done?

Eric
Site Admin
Posts: 1443
Joined: Sat Jun 14, 2008 1:14 pm

Re: access restrictions rules

Post by Eric »

The blocking effect of the rules is cumulative. No rule results in an ACCEPT, only a REJECT. This way it doesn't matter in what order the rules are tested.

The best way to set up what you want is to set up a rule that permanently blocks certain sites (e.g. url contains facebook) and blocks any url with certain file extensions (match regex, .*exe$ to block downloading of .exe files via http, similar to other extensions). Then set up another rule which has scheduled access which blocks all sites except the sites you want unlimited access to.

You say rules are disappearing? Please be as specific as possible about 1) your configuration and 2) what symptoms you are seeing. Are they disappearing from the GUI, or do they not apply (i.e. something that should be blocked isn't) or both? When you say the GUI seems buggy, please be as specific as possible. For example, are you clicking on a button and nothing happening, or something disappearing or changing that shouldn't? Or are you just referring to the interface not resulting in the rules as expected?
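The reject-only behaviour described in the post above, modelled as an added example (not Gargoyle's own code and not part of the original posts). The rule fields, host names and the 17:00 to 21:00 access window are constructed assumptions; the two patterns are the ones quoted in the post.

```python
import itertools
import re
from datetime import time

# Hypothetical model of reject-only rules; not Gargoyle configuration syntax.
def always(_now):
    return True

def outside_hours(start, end):
    # The rule blocks whenever the clock is outside the allowed window.
    return lambda now: not (start <= now < end)

RULES = [
    {   # Rule 1: permanent block on sites and file extensions
        "active": always,
        "block": [re.compile(r"facebook"), re.compile(r".*exe$")],
        "except_hosts": set(),
    },
    {   # Rule 2: scheduled block of everything except the listed sites
        "active": outside_hours(time(17, 0), time(21, 0)),
        "block": [re.compile(r".*")],
        "except_hosts": {"school.example"},
    },
]

REQUESTS = [  # constructed sample requests: (host, url, time of day)
    ("www.facebook.com", "www.facebook.com/home", time(18, 0)),
    ("school.example", "school.example/lessons", time(9, 0)),
    ("news.example", "news.example/today", time(9, 0)),
    ("news.example", "news.example/today", time(18, 0)),
    ("school.example", "school.example/setup.exe", time(18, 0)),
]

def rule_rejects(rule, host, url, now):
    if not rule["active"](now) or host in rule["except_hosts"]:
        return False
    return any(p.search(url) for p in rule["block"])

def is_blocked(rules, host, url, now):
    # No rule can ACCEPT; a request is rejected if any single rule rejects it.
    return any(rule_rejects(r, host, url, now) for r in rules)

def verdicts(rules=RULES):
    return [is_blocked(rules, *req) for req in REQUESTS]

def order_independent(rules=RULES):
    # Every permutation of the rule list must give identical verdicts.
    return all(verdicts(list(p)) == verdicts(rules)
               for p in itertools.permutations(rules))
```

The last sample request is rejected even though its host is on rule 2's exception list: an exception only exempts traffic from its own rule, and a reject from any other rule still applies.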

FRiC
Posts: 62
Joined: Sat Sep 27, 2008 8:03 am

Re: access restrictions rules

Post by FRiC »

I'm wondering if a true whitelist feature (ACCEPT) can be implemented, for the ability to download otherwise blocked files from allowed sites (e.g. to download *.exe files from the company website, or antivirus update sites), or to always allow access to some sites (e.g. company website) that would otherwise be blocked by scheduled restrictions.

The whitelist would either be a standalone list interpreted before the blacklist, or if the rules can be ordered, be placed as rule #2 "allow unlimited access to some sites" in my original post.

As for the issues I encountered within the access restrictions page:
1- when I add a new rule, the rule descriptions show up as 'rule_1', 'rule_2', etc. until changes are saved.
2- when creating more than one rule at the same time that involve the website URL option, when creating any rules after the first rule, the URL list shows the list from the first rule created.

I can't tell if these issues are by design or if they're bugs.

The disappearing rules seem to happen when the rules are in conflict with one another, but I can't seem to duplicate it consistently. Will play with it some more.

Eric
Site Admin
Posts: 1443
Joined: Sat Jun 14, 2008 1:14 pm

Re: access restrictions rules

Post by Eric »

The two issues you note are definitely bugs. They have been fixed in the svn (r118), and I have also uploaded ipk packages that include this fix, if you want to try it. You can install gargoyle packages using the instructions found in the install guide.

I haven't been able to replicate the rules disappearing, but if you find a configuration that consistently causes problems, please let me know.

I am reluctant to implement a "true whitelist" feature as you suggest. The reason is that while in some situations, as you describe, this simplifies the configuration, it is POSSIBLE to do the same thing with the features currently available, even if it is slightly more complex. However, adding this feature would make it more difficult, especially for novice users, to understand how to use the interface. This way, the user does not have to worry about the order of the rules, and yet another configuration option (there are already a lot of options on the page). So, by doing this I would be making things a little simpler for advanced users at the expense of making things harder for novice users. Since it's still possible to do what you want to do with the current user interface, just a little more involved, I don't think this is a good trade-off.

FRiC
Posts: 62
Joined: Sat Sep 27, 2008 8:03 am

Re: access restrictions rules

Post by FRiC »

Thanks, the two UI issues as reported have been fixed.

Regarding the whitelist, I agree that a "whitelist" could potentially be confusing to a novice user if hidden inside the "restrictions" page, but right now Gargoyle is the only third party firmware with whitelist implemented, and if you follow the forums on other sites, you'll see that there are thousands of requests for a whitelist feature in all the major third-party firmware. Whitelist is often not available even on much larger routers.

There are also some scenarios that would become unnecessarily complex if a whitelist is not used. Such as different groups of users with different levels of restrictions, but all needing to access a single resource, such as the antivirus update site I mentioned earlier. Also, without whitelist, there would be no way to allow downloading a particular file type, such as .exe, from a single site, while blocking all others.

Please do consider adding whitelist into the GUI.

P.S. While writing this I noticed access restrictions only works on IPs. Will you also consider supporting MAC addresses?

Eric
Site Admin
Posts: 1443
Joined: Sat Jun 14, 2008 1:14 pm

Re: access restrictions rules

Post by Eric »

As of svn r161 these features have been implemented.