"restricted resources" question

General discussion about Gargoyle, OpenWrt or anything else even remotely related to the project

FRiC
Posts: 62
Joined: Sat Sep 27, 2008 8:03 am

"restricted resources" question

Post by FRiC »

I'm wondering about the restricted resources item inside access restrictions. When the default "all network access" is unchecked, it shows all the different options: remote IP(s), remote port(s), local port(s), etc. And they all default to "Block All". Shouldn't that be "Block none"? And then with block all, block only, and block all except as additional options?

Also, is it feasible to block more than one application protocol at once? Say I want to block all the messenger protocols all at once?

Eric
Site Admin
Posts: 1443
Joined: Sat Jun 14, 2008 1:14 pm

Re: "restricted resources" question

Post by Eric »

No. Everything defaults to the situation where all resources are blocked.

Let me give you an example. Let's say you only want to block all access to/from remote IP 1.1.1.1. So you go in and specify "block only" for the remote IP, and everything else is "block all" by default. You will want "Block All" for both remote and local ports -- you want to block all ports on that IP. Same with transport protocol -- you want to block UDP and TCP and ICMP. So, you're all set -- to do this you only need to specify "block only" for the remote IP; everything else should be "block all". In this scheme it makes most sense for everything to default to "block all", otherwise if you only want to match one criterion you have to reset most fields.

Think of the rule as a giant if statement with each clause connected by "AND", with each control defining one clause. The controls that allow multiple IPs/options (e.g. local IP, remote IP, web URL) are internal clauses connected by OR statements that sit inside one of the clauses connected by AND. If the statement returns true, the resource is blocked.

It may be possible to update it to allow matching multiple layer7 protocols. I'll see.

Btw... the biggest way I managed to increase performance/decrease memory was by making ABSOLUTELY sure to minimize the number of layer7 matching rules to the bare minimum possible given the configuration. The more layer7 matches you have the more memory problems you're going to see -- they're a HUGE drain.
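The AND-of-clauses model Eric describes above, written out as an added example (this is a model of the rule logic, not Gargoyle's own code); the control names, the "block_all" / "block_only" / "block_all_except" mode labels and the traffic dictionaries are assumptions made for the illustration:

```python
"""Model of one Gargoyle "restricted resources" rule (added example).

Each control (remote IP, remote port, local port, transport protocol) is one
clause; the clauses are ANDed.  "Block All" always matches, "Block Only"
matches when the traffic's value is in the listed set (the listed values are
ORed), and "Block All Except" matches when it is not.  If every clause is
true, the traffic is blocked.  Control names and modes are assumptions.
"""
from dataclasses import dataclass, field

BLOCK_ALL = "block_all"
BLOCK_ONLY = "block_only"
BLOCK_ALL_EXCEPT = "block_all_except"
CONTROLS = ("remote_ip", "remote_port", "local_port", "protocol")


@dataclass
class Control:
    mode: str = BLOCK_ALL                     # UI default, as Eric explains
    values: frozenset = field(default_factory=frozenset)

    def matches(self, value) -> bool:
        if self.mode == BLOCK_ALL:
            return True
        hit = value in self.values            # OR across the listed values
        return hit if self.mode == BLOCK_ONLY else not hit


def is_blocked(rule: dict, traffic: dict) -> bool:
    """AND across every control; a control absent from the rule is Block All."""
    return all(rule.get(c, Control()).matches(traffic.get(c)) for c in CONTROLS)


# Eric's example: only the remote IP set to "Block Only 1.1.1.1", rest default.
RULE_BLOCK_1111 = {"remote_ip": Control(BLOCK_ONLY, frozenset({"1.1.1.1"}))}

# A second, constructed rule combining two non-default clauses:
# block TCP to 1.1.1.1 on every remote port except 443.
RULE_1111_TCP_EXCEPT_443 = {
    "remote_ip": Control(BLOCK_ONLY, frozenset({"1.1.1.1"})),
    "protocol": Control(BLOCK_ONLY, frozenset({"tcp"})),
    "remote_port": Control(BLOCK_ALL_EXCEPT, frozenset({443})),
}

if __name__ == "__main__":
    # Constructed sample traffic tuples.
    for t in ({"remote_ip": "1.1.1.1", "remote_port": 80, "local_port": 40000, "protocol": "tcp"},
              {"remote_ip": "1.1.1.1", "remote_port": 443, "local_port": 40001, "protocol": "tcp"},
              {"remote_ip": "8.8.8.8", "remote_port": 53, "local_port": 40002, "protocol": "udp"}):
        print(t["remote_ip"], t["protocol"], t["remote_port"], "->",
              "blocked" if is_blocked(RULE_1111_TCP_EXCEPT_443, t) else "allowed")
```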

FRiC
Posts: 62
Joined: Sat Sep 27, 2008 8:03 am

Re: "restricted resources" question

Post by FRiC »

Thanks for the reply. I understand the reasoning of "Block all" now.

Actually, for L7, I only need to block Live Messenger and Yahoo! Messenger. After I posted, I noticed Yahoo! isn't even included as one of the L7 protocols. :roll:
