Domain denial
Ufw (Uncomplicated Firewall) is a powerful firewall and can be used to block access to certain websites. Although you can also do this with dnsmasq, this would be a form of “DNS hijacking”, which is a rather dastardly procedure usually carried out by scammers.
The advantage of using Ufw is that it blocks domains by IP address. This means you have to write down only one rule per address rather than remember the various domains and subdomains used by sites. Imagine trying to block every variant of Facebook.com, for instance – fb.com, m.facebook.com...
It stands to reason, then, that to block websites by IP address you’ll need that information. Open Terminal on your Pi or connect via SSH and use the host command to view an objectionable page’s IP address – for instance: host strawberryfunk.com
This will output the IP address of the site in question. Next, use ufw deny to block this domain – for example: sudo ufw deny out from any to 205.178.189.29 You can check that the domain has successfully been blocked by using ping: ping -c 1 strawberryfunk.com If you have set up Ufw correctly, ping will report that the domain is unreachable.
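A site can resolve to several addresses, IPv4 and IPv6, and each one needs its own rule. The script below is an added example, not part of the original article: it turns the output of the host command into one ufw deny rule per unique address and prints the rules for review rather than applying them. The function name host_to_ufw_rules, the example.test domain and the sample addresses (taken from documentation ranges) are constructed for illustration.

```shell
#!/bin/sh
# Added example: convert `host <domain>` output into ufw deny rules.
# Rules are only printed so they can be reviewed before being run.
# IPv6 rules take effect only if IPV6=yes is set in /etc/default/ufw.

# Constructed sample of `host` output (documentation addresses, not a real site).
SAMPLE_HOST_OUTPUT='www.example.test is an alias for example.test.
example.test has address 192.0.2.10
example.test has address 192.0.2.11
example.test has address 192.0.2.10
example.test has IPv6 address 2001:db8::10
example.test mail is handled by 10 mail.example.test.'

# Reads `host` output on stdin, prints one ufw command per unique address.
host_to_ufw_rules() {
    awk '
        # IPv4 answer: "<name> has address <ip>"
        $2 == "has" && $3 == "address" { addr = $4 }
        # IPv6 answer: "<name> has IPv6 address <ip>"
        $2 == "has" && $3 == "IPv6" && $4 == "address" { addr = $5 }
        addr != "" {
            # Accept only characters valid in an IP literal and skip duplicates;
            # alias and mail-handler lines never set addr, so they are ignored.
            if (addr ~ /^[0-9A-Fa-f:.]+$/ && !(addr in seen)) {
                seen[addr] = 1
                print "sudo ufw deny out from any to " addr
            }
            addr = ""
        }
    '
}

# Hypothetical wrapper for live use on the Pi: resolve a domain, print its rules.
domain_to_ufw_rules() {
    host "$1" | host_to_ufw_rules
}

# Demonstration on the constructed sample (no network access needed).
printf '%s\n' "$SAMPLE_HOST_OUTPUT" | host_to_ufw_rules
```

Addresses behind a domain can change over time, so re-run the lookup periodically and compare the result with the rules listed by sudo ufw status.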
Ufw can also block outgoing connections to certain ports. For instance, if you want to reduce the chance of your Pi being used to send spam messages, you can disable Port 25 with the following: sudo ufw deny out 25
internet. If you need to double-check the names of your interfaces, you can run the command ifconfig at any time. By default the names of these interfaces should be “wlan0” and “eth0” respectively.
If you’re unable to plug the Pi into a router, theoretically you could add another wireless interface such as the official Raspberry Pi Wi-Fi module and use it to access your router’s wireless network. However, this is less secure and will reduce your connection speed. If your router is somewhere hard to reach (or actually out of range), consider using a “homeplug” style device which uses the power lines in your home or office for network connections.
Don’t despair if the Access Point or the firewall don’t work the first time you go through the steps. The Pi’s network settings are very flexible, so you can usually go back over the steps again without having to reinstall Raspbian.
If you’re using a Wi-Fi driver besides that built into the Pi 3 or the official Raspberry Pi Wi-Fi adaptor then you may have to change the “driver=” value in hostapd.conf. For information visit http://linuxwireless.org/en/users/Documentation/hostapd.
You can disable the Ufw firewall permanently and delete all rules with the following command: sudo ufw reset
If necessary, you can also restore the settings you previously backed up with dnsmasq by reversing the original command: sudo mv /etc/dnsmasq.conf.orig /etc/dnsmasq.conf
If you choose to block specific ports or services − see the Domain Denial boxout (below left) − then bear in mind that IT-literate users on your network may bypass this through the use of a VPN. You can, of course, use Ufw to block the ports commonly used by VPNs, such as 1154, or block all outgoing traffic and then enable it for specific applications and services. Some applications will randomise the ports used, making it difficult to lock down specific protocols like BitTorrent. You might consider disabling UDP (User Datagram Protocol) if you want to prevent streaming of most music and video sites.
If you choose to use a browser extension or pixelserv to block ads, then certain sites may display incorrectly or fail to load altogether. If this happens, adblocking extensions can usually be disabled temporarily by clicking their icon in your browser’s menu bar.
For security reasons, it would be wise to use a dedicated Pi exclusively as an Access Point and avoid placing any personal data on it. For extra safety, make sure to use a long, robust password – the one in the tutorial is only by way of example.
For the uber-cautious, consider creating a hidden Wi-Fi network for the Pi. Open a Terminal and edit the hostapd.conf file in a text editor with root privileges. The file is located at: /etc/hostapd/hostapd.conf
Change “ignore_broadcast_ssid=0” to “ignore_broadcast_ssid=1”.
From now on all devices will have to enter the name of the network as well as the password in order to connect. Consider setting a new name when editing the file, for an extra level of security.
If you have devices using a cabled connection like a home server, you can continue connecting these directly to your router for internet access, but bear in mind that they won’t be visible on the Pi’s wireless network. This works both ways, however: the Pi won’t interfere with their operations at all.
Finally, bear in mind that your router may also use a firewall. If you’re comfortable with configuring your router, you can choose to open and close ports to match Ufw’s settings. Alternatively, you can disable the router’s firewall altogether and let the Pi manage everything.