Suggested Feature: Blocked Pages Notification


uncle john
Posts: 146
Joined: Sun Jun 21, 2009 11:27 pm
Location: Australia

Suggested Feature: Blocked Pages Notification

Post by uncle john »

I notice that when you try to access a restricted URL you are simply presented with a blank page. It would be useful to let the user know why they are not gaining access.

Following are two examples of how this is currently accomplished in other systems:
1. In the OpenDNS system they present you with a brief explanation and some paid adverts (that's how they generate income).
2. In the Privoxy system you are presented with a page which includes a "see why this block applies" link. This linked page is very technical and totally incomprehensible to the average user.
Request blocked (Privoxy@localhost).JPG
Suggested Feature:
Gargoyle presently shows users a page that displays quota usage.
I suggest that a brief explanatory note about Access Restrictions could be included in this page too.
This page would automagically appear whenever a user tried to access a restricted URL.
I suggest this page should include a "see why this block applies" link to a web page residing "in the cloud" that would give a more detailed explanation. The AP administrator would be responsible for maintaining this web page manually.

I'd welcome comments on this idea...

Eric
Site Admin
Posts: 1443
Joined: Sat Jun 14, 2008 1:14 pm

Re: Suggested Feature: Blocked Pages Notification

Post by Eric »

There's a reason this won't work: It requires the router to hijack a http (tcp) connection. By the time we know where a http connection is going we've already seen a few packets (syn/ack). You'd need to redirect the connection in progress which is really ugly.

The web filtering in access restrictions is useful... but the way I'm doing it has distinct disadvantages. Filtering by controlling DNS is better because it allows you to redirect someone easily (just give them the wrong IP). It will also work a lot better if the connection is a https connection (right now, the current implementation does not filter those). I implemented it the way I did, by matching the content of http request packets, since that is the way both DD-WRT and Tomato do it, but now that I've had some experience with this feature I think blocking by DNS would be better.

It may be possible to redo the way I'm filtering websites by re-writing DNS rules, though this means you can only match domain and not the path (though 99% of the time we just care about the domain anyway...). However, this would allow an error message as you suggest. Also note that using DNS filtering like this will only work for filtering web sites -- if you match by IP/layer 7 etc this won't work and you'll still just get a blank error page in your browser.

Finally, don't expect this any time soon. Doing this by matching DNS queries instead of http queries requires yet another new iptables module (that would make four new modules, unique to Gargoyle), not to mention some reworking of the access restrictions. Let's just say it's on my to-do list (which is quickly approaching the length of my arm...)

However.... I just finished implementing a feature much like what you're requesting for the bandwidth quotas. It's easier for the quotas, because it can get away with redirecting only new http connections after the quota is reached -- it doesn't have to redirect connections that are already established. In the latest SVN version (no firmware uploaded yet), if you reach your bandwidth quota and try to connect via http/https, instead of the connection just dying it redirects you to the login/quota usage page on the router. That way, there's no doubt about why you're not seeing the page you want :-)
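
The DNS-based approach described in the post above, sketched as an added example (not Gargoyle's code and not from the original thread): a filter that answers A queries for blocklisted domains with the address of a notice page and forwards everything else. `BLOCK_PAGE_IP`, the blocklist contents and all function names are assumptions made for illustration.

```python
import socket
import struct

BLOCK_PAGE_IP = "192.168.1.1"   # assumption: router address serving the notice page
BLOCKED = {"blocked.example"}   # constructed blocklist: domains only, never paths

def parse_qname(pkt, off=12):
    """Read the question name; return (lowercased name, offset after it)."""
    labels = []
    while pkt[off] != 0:
        n = pkt[off]
        if n & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(pkt[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels).lower(), off + 1

def is_blocked(name):
    """True if the name or any parent domain is on the blocklist."""
    parts = name.split(".")
    return any(".".join(parts[i:]) in BLOCKED for i in range(len(parts)))

def filter_query(pkt):
    """Return a forged A response for a blocked name, else None (forward upstream)."""
    try:
        txid, flags, qdcount = struct.unpack("!HHH", pkt[:6])
        name, end = parse_qname(pkt)
        qtype, qclass = struct.unpack("!HH", pkt[end:end + 4])
    except (IndexError, struct.error, ValueError):
        return None                       # malformed: leave it to the real resolver
    if flags & 0x8000 or qdcount != 1 or (qtype, qclass) != (1, 1):
        return None                       # only plain single-question A/IN queries
    if not is_blocked(name):
        return None
    # QR=1, RA=1, RD copied from the query; one question, one answer
    header = struct.pack("!HHHHHH", txid, 0x8080 | (flags & 0x0100), 1, 1, 0, 0)
    # Answer: pointer to the name at offset 12, type A, class IN, TTL 60, 4-byte address
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + socket.inet_aton(BLOCK_PAGE_IP)
    return header + pkt[12:end + 4] + answer

def build_query(name, txid=0x1234):
    """Constructed sample input: a recursive A query for `name`."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + b"\x00" + struct.pack("!HH", 1, 1)

if __name__ == "__main__":
    for host in ("www.blocked.example", "notblocked.example", "example.org"):
        reply = filter_query(build_query(host))
        print(host, "->", socket.inet_ntoa(reply[-4:]) if reply else "forward upstream")
```

The decision is made on the query name alone, so a rule can cover a domain and its subdomains but never a URL path, which is the trade-off the post mentions. AAAA queries are forwarded unchanged in this sketch.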

uncle john

Re: Suggested Feature: Blocked Pages Notification

Post by uncle john »

Thanks so much for explaining the difficulties associated with my suggestion.
I've weighed up the strengths and weaknesses of the various approaches out there and I've decided to work with Gargoyle just the way it is at the moment (minus the gargoyle symbol ;) ).
My main reason is that neither the DNS approach nor the Privoxy approach includes timed blocking (see: http://ideabank.opendns.com/story.php?t ... d_Blocking)

PS. I'm looking forward to seeing the quota/login page mods getting included in the firmware.

uncle john

Re: Suggested Feature: Blocked Pages Notification

Post by uncle john »

I've been testing Firewall Restrictions. This is a great feature and I thought it would be interesting to see if it could be used in addition to OpenDNS filtering.
Sadly this does not appear to be possible. Firewall Restrictions work OK on their own but if you try to implement OpenDNS filtering in addition you can't go anywhere. :(
Looks like separate routers are needed for these two types of filtering to be used simultaneously.

Eric

Re: Suggested Feature: Blocked Pages Notification

Post by Eric »

You should be able to use both access restrictions and OpenDNS. It may be a bug. Can you be more specific about the restrictions that you have specified that are not working?

uncle john

Re: Suggested Feature: Blocked Pages Notification

Post by uncle john »

Thanks. That gives me hope. The problem is that what I call the Wikipedia (Gargoyle filter) takes forever to load pages... if at all. The OpenDNS Filter seems to work OK.
I suspect it's due to a simple mistake in settings on my part.
Here are some snapshots of my settings:

uncle john

Re: Suggested Feature: Blocked Pages Notification

Post by uncle john »

Workaround. I found that if I restrict myself to the Exception options inside the Restrictions feature everything works just great. :D

uncle john

Re: Suggested Feature: Blocked Pages Notification

Post by uncle john »

uncle john wrote:...I've decided to work with Gargoyle ...
My main reason ... [it] includes timed blocking ...
The problem with the Blacklist approach is that I can't go on to achieve the timed blocking I'd be able to achieve with the Whitelist approach (ie. block everything except for Whitelist specified destinations and periods).

uncle john

Re: Suggested Feature: Blocked Pages Notification

Post by uncle john »

Eric: I've had to retract the PS I inserted a couple of days ago. As I stated initially I'm finding that I can't achieve the timed blocking I'm looking for.
I guess the logic is designed more towards supporting the blacklist rather than the whitelist approach. Is there any chance this design will be revisited?

Eric

Re: Suggested Feature: Blocked Pages Notification

Post by Eric »

Yes. I just haven't gotten to it yet. A whole bunch of things have come up in the past month (many of them non-Gargoyle related), so I haven't gotten around to figuring out what is going on here, but I have no intention of ignoring the problem.

Also, it would be helpful to know whether the problem with the white list and OpenDNS occurs whether or not you have the "force use of router DNS servers" option selected. Does it fail consistently independent of how this control is set?
