HTTPS and whitelist problem
Posted: Fri Jul 29, 2011 4:07 pm
by ath
Hello, I'm new to Gargoyle but I've read a lot of nice things about it and decided to try it out... So, long story short:
I am using a TP-LINK TL-WR1043ND router with the "gargoyle_1.3.16-ar71xx-tl-wr1043nd-v1-squashfs-factory.bin" firmware.
Here is what I am trying to accomplish:
Block all websites via URL access and only allow one or two URLs.
For example: anyone behind the router can only go to google.ca, google.com, and gargoyle-router.com.
All ports and everything else should remain open. For example I'd like Skype to keep working without adding extra rules, if that's possible.
Here's what I have setup:
A "Block All" rule in "Access Restrictions",
and a whitelist:
Now here are my problems which I'm hoping someone can help me out with:
1) I can't access "https" websites such as "https://www.google.com" even though "google.com" is part of the whitelist.
2) None of my 'internet' applications, such as Skype, work.
Now if someone can help me, most importantly, with problem #1, I'll be extremely grateful. If there's an easy solution for problem #2, that's a bonus.
Re: HTTPS and whitelist problem
Posted: Fri Jul 29, 2011 4:24 pm
by DoesItMatter
http://www.gargoyle-router.com/phpbb/vi ... =460#p2368
See that post from Eric.
It's usually better to use the IP's instead of the URL.
Re: HTTPS and whitelist problem
Posted: Fri Jul 29, 2011 4:41 pm
by ath
The problem with that solution (if I understand correctly) is that it is for a black list. What I am trying to accomplish is block all URLs (and only the URLs) except the ones in the white list.
I was following this thread for reference:
http://www.gargoyle-router.com/phpbb/vi ... ?f=5&t=292
P.S. Thanks for the quick reply =).
Re: HTTPS and whitelist problem
Posted: Fri Jul 29, 2011 6:45 pm
by DoesItMatter
From the thread I posted:
"I suspect the problem is that you can't block encrypted (https) connections by domain name. The connection is encrypted so you can't tell whether you're connecting to a given site."
I think you have to use the IP range for any encrypted locations
(https:// sites) whether or not you do blacklist/whitelist.
I never use these myself, have only tested, but I'll try to configure
some over the weekend and verify.
For the skype / chat stuff, I don't think you need to add sites,
I think you just need to whitelist the applicable TCP/IP ports used.
Re: HTTPS and whitelist problem
Posted: Sat Jul 30, 2011 10:58 pm
by ath
Hmm, yeah I'll have to play with that as well... unfortunately I won't be able to until Tuesday as I'll be gone for the weekend. I was hoping for an easier solution where I just type in a few URLs I want to allow and block everything else lol. Oh well as long as we figure out how to make it work in the end I don't mind poking around =P.
As for applications, I'm confused about that part because in my white list I have all ports and protocols set to "Permit All" so in theory they should be working, not sure but this may be a bug.
Actually now that I think about it, can I assume that the HTTPS and the applications not working even though "Permit All" is set are both bugs? Or am I just pulling a silly with the configurations? =)
Regardless thanks for the help so far, your time is greatly appreciated =).
Re: HTTPS and whitelist problem
Posted: Tue Aug 02, 2011 10:00 am
by ath
Hmm, I'm still having no luck with this configuration. When I try to add IP ranges (I used Google's, for example), it starts blocking Google completely, whereas before at least every Google website would work except the SSL/HTTPS site.
If anyone's had luck with creating a configuration that consists of a whitelist that allows SSL/HTTPS to work, please post the steps/screenshots of how you accomplished it, it would be very much appreciated!
Thanks,
-ATH
Re: HTTPS and whitelist problem
Posted: Thu Aug 18, 2011 11:52 am
by ath
Hello again, I don't mean to bump this thread if it's already been looked at, but if at all possible could I get an official word from a dev or someone that's aware of this on whether it's a known issue or I am doing something wrong? And if it's a known issue, is it being worked on or is it backlogged until more important issues are solved?
For clarification purposes, all I want is to filter HTTP URL traffic to only allow google.com and block all other URLs, all IPs should be allowed and all ports should be open. I'm fine if someone uses HTTPS to access a website whose URL is normally blocked when accessed via HTTP.
Thanks again!
-ath
Re: HTTPS and whitelist problem
Posted: Sat Aug 20, 2011 9:36 am
by Eric
ath: What you want can be accomplished, but you should use a rule in the Restrictions/Blacklist section, not the Exceptions/Whitelist section.
The problem is that while it is possible to match all https connections by matching for port 443, it is NOT technically possible to match https connections by destination website. This is not a bug -- it is a technical limitation due to the encryption used by https. The encryption keeps the connection secure, which is the main feature of HTTPS connections. Due to this limitation the url matching function ONLY works on http and not https connections.
So... use a restriction/blacklist rule and specify the rule for website URLs to "block all except" a specified list of URLs. If you do this, those URLs will be allowed and all others will have HTTP access blocked, but HTTPS access to any site will be allowed. If that's the only rule you set, all other services should function normally.
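An added example (not Gargoyle's code) that models the "block all except" URL rule Eric describes: a plaintext HTTP request on port 80 exposes its Host header, which the rule can compare against the allowed list, while a port 443 connection is encrypted, so the URL matcher has nothing to compare and the connection passes through untouched, as do non-HTTP services. The domain list, packet shape, sample traffic and helper names are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Allowed list taken from the thread; only plaintext HTTP on port 80 can be matched by name.
WHITELIST = {"google.com", "google.ca", "gargoyle-router.com"}

@dataclass
class Packet:
    dst_port: int
    payload: bytes

def http_host(payload: bytes) -> Optional[str]:
    """Return the Host header of a plaintext HTTP request, or None if this is not HTTP."""
    try:
        head = payload.decode("ascii").partition("\r\n\r\n")[0]
    except UnicodeDecodeError:
        return None  # binary payload: not a plaintext HTTP request
    lines = head.split("\r\n")
    if len(lines[0].split(" ")) != 3 or not lines[0].endswith(("HTTP/1.0", "HTTP/1.1")):
        return None
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            return value.strip().lower().split(":")[0]  # drop an explicit port
    return None

def host_allowed(host: str) -> bool:
    """Allow the listed domain and its subdomains (www.google.com -> google.com)."""
    return any(host == d or host.endswith("." + d) for d in WHITELIST)

def filter_decision(pkt: Packet) -> str:
    """'allow'/'block' for matchable HTTP; 'pass' where the URL rule cannot see a site."""
    if pkt.dst_port == 443:
        return "pass"  # TLS payload is encrypted: no URL or site name for the matcher
    host = http_host(pkt.payload)
    if host is None:
        return "pass"  # not HTTP (e.g. a chat client): untouched when this is the only rule
    return "allow" if host_allowed(host) else "block"

# Constructed sample traffic (not captured from a real router).
HTTP_GOOGLE = b"GET /search?q=x HTTP/1.1\r\nHost: www.google.com\r\n\r\n"
HTTP_OTHER = b"GET / HTTP/1.1\r\nHost: blocked.example\r\n\r\n"
TLS_HELLO = b"\x16\x03\x01\x00\x2c\x01\x00\x00\x28\x03\x03" + b"\x00" * 32  # opaque to a string match
UDP_BLOB = b"\x02\x01\x47\x31\x00\xff"  # arbitrary binary standing in for an application protocol

if __name__ == "__main__":
    for p in (Packet(80, HTTP_GOOGLE), Packet(80, HTTP_OTHER), Packet(443, TLS_HELLO), Packet(5000, UDP_BLOB)):
        print(p.dst_port, filter_decision(p))
```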
Re: HTTPS and whitelist problem
Posted: Mon Aug 22, 2011 11:11 am
by ath
Thank you very much for your reply, I will try this as soon as possible. At the moment the router is not with me, but next time I have it in front of me I'll try your steps.
Much appreciated,
-ath
Re: HTTPS and whitelist problem
Posted: Mon Sep 19, 2011 1:59 pm
by ath
Hello again, so I've finally got my hands on another WR1043ND and installed 1.4.2 on it. When I tried your steps I ran into a somewhat unavoidable problem:
As you can see, under "Restricted Resources" if I want to only block URLs I don't have an option to not block everything else. Now I can work around IP blocking and Port Blocking by specifying some random address or port I know won't be used, but there's no getting around Blocking a Transport Protocol as my only options are to block all, or block either TCP or UDP.
Is it somehow possible to configure these rules to allow all and only select "Block All Except" for the URLs? Perhaps having check boxes for each rule?
Cheers,
-ATH