L7 Protocol Enhancement

Eric
Site Admin
Posts: 1443
Joined: Sat Jun 14, 2008 1:14 pm

Re: L7 Protocol Enhancement

Post by Eric »

I suspect that you'll have better luck coming up with a regex to use with the website/URL filter on the restrictions page. My understanding is that you want to create a regex to limit Google searches that don't use safe search. Since this is URL matching, and not whole-page matching, it makes more sense to do it this way. L7 filters match the entire content of packets, so it will be harder to use an L7 filter than a URL match.

In any case, either way is going to suffer from the problem of encrypted (https) connections not being matched properly. So, be aware that this might not be the best way to do what you want. A proxy is really the best way to go, if you can get one set up.
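
An added illustration (not part of the original post, and not Gargoyle's own filter code) of the point above: a URL regex can decide on a cleartext HTTP request, but on an HTTPS connection the request line never appears on the wire, so neither a URL match nor a payload match sees it. The policy regexes, function names and sample payloads are constructed assumptions.

```python
import re

# Hypothetical policy: a Google search is allowed only if the URL carries safe=strict.
SEARCH = re.compile(r"^www\.google\.[a-z.]+/search\?", re.I)
SAFE = re.compile(r"[?&]safe=strict(&|$)", re.I)

def is_tls(payload: bytes) -> bool:
    # TLS handshake record: content type 0x16 followed by major version 0x03.
    return len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03

def extract_url(payload: bytes):
    """Return 'host/path?query' from a cleartext HTTP request, else None."""
    try:
        head = payload.split(b"\r\n\r\n", 1)[0].decode("ascii")
    except UnicodeDecodeError:
        return None
    lines = head.split("\r\n")
    m = re.match(r"^(GET|POST|HEAD) (\S+) HTTP/1\.[01]$", lines[0])
    if not m:
        return None
    host = next((l.split(":", 1)[1].strip() for l in lines[1:]
                 if l.lower().startswith("host:")), None)
    return f"{host}{m.group(2)}" if host else None

def verdict(payload: bytes) -> str:
    """'allow' or 'block' when a URL is visible, 'opaque' when it is not."""
    if is_tls(payload):
        return "opaque"  # the URL travels inside the encrypted stream
    url = extract_url(payload)
    if url is None:
        return "opaque"  # not an HTTP request the filter can read
    if SEARCH.search(url) and not SAFE.search(url):
        return "block"
    return "allow"

# Constructed sample payloads (not captured traffic).
HTTP_SAFE = b"GET /search?q=cats&safe=strict HTTP/1.1\r\nHost: www.google.com\r\n\r\n"
HTTP_PLAIN = b"GET /search?q=cats HTTP/1.1\r\nHost: www.google.com\r\n\r\n"
TLS_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0x05, 0x01, 0x00, 0x00, 0x01, 0x00])

if __name__ == "__main__":
    for name, p in [("http+safe", HTTP_SAFE), ("http", HTTP_PLAIN), ("tls", TLS_HELLO)]:
        print(name, verdict(p))
```

The "opaque" result is the case a URL filter silently misses; a cleartext-only policy has to treat it as its own decision (for example, deny) rather than fall through to allow.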

uncle john
Posts: 146
Joined: Sun Jun 21, 2009 11:27 pm
Location: Australia

Re: L7 Protocol Enhancement

Post by uncle john »

Thanks for your comment Eric. It's nice to have confirmation that I'm on the right track.
> In any case, either way is going to suffer from the problem of encrypted (https) connections not being matched properly. So, be aware that this might not be the best way to do what you want. A proxy is really the best way to go, if you can get one set up.

Rather than being a problem I see this as a benefit. I'm seeking to implement a simple "information only" network that would be safe for kids to use. So in this scenario transparency is a desirable and blocking all encrypted connections is actually a design goal. Also a proxy server would be unnecessary and too costly (and complex) to be attractive to most families.

uncle john
Posts: 146
Joined: Sun Jun 21, 2009 11:27 pm
Location: Australia

Re: L7 Protocol Enhancement

Post by uncle john »

Oops. Perhaps I should investigate things a little more before I get carried away with postings regarding "little" projects such as Safe Search. On the other hand I don't suppose there's a lot of harm in leading people down dead end paths. In my experience you often need to go down a lot of dead end paths before you find what you're after.
What am I on about? I expected that a simple look at the URL Address Window in my browser would reveal that "&safe=strict" was appended to the address when Google's "SafeSearch Strict" option was selected. However this is not the case. The URL address remains the same regardless of which Filtering setting is selected.
So my plan to use the website/URL filter on the restrictions page won't work. Therefore I would need to use L7 pattern matching as suggested by pbix after all.
Unless someone with a lot more skill than me is willing to give it a go, don't expect to read anything more on my "little" project for a while.

uncle john
Posts: 146
Joined: Sun Jun 21, 2009 11:27 pm
Location: Australia

Re: L7 Protocol Enhancement

Post by uncle john »

After playing around with Wireshark for a bit I decided to pull the plug on my Safe Search project. I'll just use http://www.safesearchkids.com/index.html and set the website/URL Firewall Restrictions accordingly.

uncle john
Posts: 146
Joined: Sun Jun 21, 2009 11:27 pm
Location: Australia

Re: L7 Protocol Enhancement

Post by uncle john »

I'm thinking it would be useful to pursue my initial quest to discover the Google SafeSearch pattern.
Why?
As I've stated, my goal is to provide an information-only network that is safe for kids, where all data is transmitted "in the clear" (i.e. as cleartext).
In another post I describe how a user can bypass Firewall Restrictions simply by establishing a VPN. I've come to the conclusion that the only way to ensure that data can only be transmitted as cleartext and is also safe for kids to access is to only permit access to cleartext-only services that are also safe for kids. So far the only way I've found of achieving this objective with 100% certainty using Gargoyle is to only allow users to connect to predetermined URLs or domains. I'd be happy for anyone to tell me there are other ways.
What has this got to do with Google SafeSearch?
Because, unlike other SafeSearch products, Google SafeSearch is linked to Google's cache of web pages. So I figure that if users could only access Google SafeSearch and, via links from this service, webcache.googleusercontent.com (the Google Cache), it would be the simplest way to realise my goal.

PS. Once I understand the pattern and work out a satisfactory regex I will implement a website/URL filter as recommended by Eric.

uncle john
Posts: 146
Joined: Sun Jun 21, 2009 11:27 pm
Location: Australia

Re: L7 Protocol Enhancement

Post by uncle john »

When I tried adding a new rule based on HTTP Video I get a message that says:
"There is an error in Application (Layer7) Protocol. Could not add classification rule."
Any suggestions as to what I could be doing wrong?

pbix
Developer
Posts: 1373
Joined: Fri Aug 21, 2009 5:09 pm

Re: L7 Protocol Enhancement

Post by pbix »

That is a new bug in v1.3.5. You can find a patch here:

http://www.gargoyle-router.com/phpbb/vi ... &sk=t&sd=a


Or you can go back to v1.3.4
Linksys WRT1900ACv2
Netgear WNDR3700v2
TP Link 1043ND v3
TP-Link TL-WDR3600 v1
Buffalo WZR-HP-G300NH2
WRT54G-TM

uncle john
Posts: 146
Joined: Sun Jun 21, 2009 11:27 pm
Location: Australia

Re: L7 Protocol Enhancement

Post by uncle john »

Thanks pbix :)