Linux Format

Domain denial


Ufw (Uncomplicated Firewall) is a powerful firewall and can be used to block access to certain websites. Although you can also do this with dnsmasq, this would be a form of “DNS hijacking”, which is a rather dastardly procedure usually carried out by scammers.

The advantage of using Ufw is that it blocks domains by IP address. This means you have to write down only one rule per address rather than remember the various domains and subdomains used by sites. Imagine trying to block every variant of Facebook.com, for instance – fb.com, m.facebook.com...

It stands to reason, then, that to block websites by IP address you’ll need that information. Open Terminal on your Pi or connect via SSH and use the host command to view an objectionable page’s IP address – for instance:

host strawberryfunk.com

This will output the IP address of the site in question. Next, use ufw deny to block this domain – for example:

sudo ufw deny out from any to 205.178.189.29

You can check that the domain has successfully been blocked by using ping:

ping -c 1 strawberryfunk.com

If you have set up Ufw correctly, ping will report that the domain is unreachable.
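Some sites resolve to several addresses, and each one needs its own rule. The following is an added example, not part of the original article: a shell function that reads host output and prints one ufw deny out rule per unique address for review, without running anything. The name blocked.example and the 192.0.2.x and 2001:db8:: addresses are constructed sample values.

```shell
#!/bin/sh
# Added example: turn `host` output into one ufw rule per resolved address.
# Dry run only: the rules are printed for review, never executed here.

# Constructed sample of `host` output (documentation-range addresses).
SAMPLE_HOST_OUTPUT='blocked.example has address 192.0.2.10
blocked.example has address 192.0.2.11
blocked.example has address 192.0.2.10
blocked.example has IPv6 address 2001:db8::10
blocked.example mail is handled by 10 mail.blocked.example.
www.blocked.example is an alias for blocked.example.'

# Reads `host` output on stdin and prints de-duplicated ufw commands.
# Only address records are used; MX and alias lines are ignored, and
# anything that does not look like an IP address is dropped so that
# unexpected resolver output never ends up inside a sudo command.
# IPv6 rules only take effect when IPV6=yes is set in /etc/default/ufw.
rules_from_host_output() {
    awk '
        / has address / || / has IPv6 address / {
            addr = $NF
            v4 = (addr ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/)
            v6 = (addr ~ /^[0-9A-Fa-f:]+$/ && index(addr, ":") > 0)
            if (!(v4 || v6) || seen[addr]++) next
            print "sudo ufw deny out from any to " addr
        }
    '
}

# Live lookup for a domain given on the command line (needs network access).
rules_for_domain() {
    host "$1" | rules_from_host_output
}

if [ "$#" -gt 0 ]; then
    rules_for_domain "$1"
else
    printf '%s\n' "$SAMPLE_HOST_OUTPUT" | rules_from_host_output
fi
```

Sites hosted behind content delivery networks change addresses over time, so rules generated this way need to be regenerated periodically.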

Ufw can also block outgoing connections to certain ports. For instance, if you want to reduce the chance of your Pi being used to send spam messages, you can disable Port 25 with the following:

sudo ufw deny out 25

internet. If you need to double-check the names of your interfaces, you can run the command ifconfig at any time. By default the names of these interfaces should be “wlan0” and “eth0” respectively.

If you’re unable to plug the Pi into a router, theoretically you could add another wireless interface such as the official Raspberry Pi Wi-Fi module and use it to access your router’s wireless network. However, this is less secure and will reduce your connection speed. If your router is somewhere hard to reach (or actually out of range), consider using a “homeplug” style device which uses the power lines in your home or office for network connections.

Don’t despair if the Access Point or the firewall don’t work the first time you go through the steps. The Pi’s network settings are very flexible, so you can usually go back over the steps again without having to reinstall Raspbian.

If you’re using a Wi-Fi driver besides that built into the Pi 3 or the official Raspberry Pi Wi-Fi adaptor then you may have to change the “driver=” value in hostapd.conf. For information visit http://linuxwireless.org/en/users/Documentation/hostapd.

You can disable the Ufw firewall permanently and delete all rules with the following command:

sudo ufw reset

If necessary, you can also restore the settings you previously backed up with dnsmasq by reversing the original command:

sudo mv /etc/dnsmasq.conf.orig /etc/dnsmasq.conf

If you choose to block specific ports or services − see the Domain Denial boxout (below left) − then bear in mind that IT-literate users on your network may bypass this through the use of a VPN. You can, of course, use Ufw to block the ports commonly used by VPNs, such as 1154, or block all outgoing traffic and then enable it for specific applications and services. Some applications will randomise the ports used, making it difficult to lock down specific protocols like BitTorrent. You might consider disabling UDP (User Datagram Protocol) if you want to prevent streaming of most music and video sites.

If you choose to use a browser extension or pixelserv to block ads, then certain sites may display incorrectly or fail to load altogether. If this happens, adblocking extensions can usually be disabled temporarily by clicking their icon in your browser’s menu bar.

For security reasons, it would be wise to use a dedicated Pi exclusively as an Access Point and avoid placing any personal data on it. For extra safety, make sure to use a long, robust password – the one in the tutorial is only by way of example.

For the uber-cautious, consider creating a hidden Wi-Fi network for the Pi. Edit the hostapd.conf file by opening a Terminal and typing: /etc/hostapd/hostapd.conf

Change “ignore_broadcast_ssid=0” to “ignore_broadcast_ssid=1”.

From now on all devices will have to enter the name of the network as well as the password in order to connect. Consider setting a new name when editing the file, for an extra level of security.

If you have devices using a cabled connection like a home server, you can continue connecting these directly to your router for internet access, but bear in mind that they won’t be visible on the Pi’s wireless network. This works both ways, however: the Pi won’t interfere with their operations at all.

Finally, bear in mind that your router may also use a firewall. If you’re comfortable with configuring your router, you can choose to open and close ports to match Ufw’s settings. Alternatively, you can disable the router’s firewall altogether and let the Pi manage everything.

Use ping to check that a domain has been successfully blocked. Some websites have more than one IP address, so block each of these in turn.
Connecting to a hidden network makes life only slightly more difficult for other network users but much harder for hackers, because they need both the network name and password.
