Tuesday, February 17, 2009

Packet Protector

A friend recently purchased an ASUS WL-500g Premium V2 wifi router and installed PacketProtector on it for his mom. She wanted some filtering for the household internet connection, and my buddy thought that this would be a nice self-contained, stand-alone, hard-to-bypass solution for her and the fam. So far it seems to be all of that.

I got to thinking about my own curious boys and wondering if I might want some DansGuardian filtering on my own internet connection. I've been pretty anti web filter ever since I discovered the web, mainly because I've been successful at avoiding and ignoring bad stuff on my own, and have only been annoyed by filters that always seem to block useful pages right when you need them. I've realized lately, though, that without even thinking about it very much, I really don't let my kids online at all. I think it's because I know that they won't be able to avoid all the bad stuff, and I fear they won't ignore and quickly move past it like a well disciplined adult (ha!) would. That's a shame though. My 8-year old has a lot of curiosity and questions about how things work and why things are the way they are, and doing a little internet research insteading just bugging asking Mom and Dad would do him a lot of good. I don't think he even knows how to google. I started to think that some filtering might set us free at our house.

With that all in mind, I got online and my own ASUS router arrived a few days ago as I had just started reading up on PacketProtector. Installing it was a little tricky but not too bad. They key for me was the openwrt wiki page on using tftp. That ifconfig command to get the network settings correct was what I had missed at first.

Once packetprotector was all up and running with the USB stick, it was time to config it. There is very little documentation, so I thought I'd better write down what I went through.

To get to the web interface I had to make sure and use https, not http, and then the same username and password that you use for ssh to log in.

Wireless is off by default. I turned it on, but still couldn't get connected. I tried without any encryption. Then I changed it to a 128-bit WEP key instead of a 40-bit key and my Intrepid Ibex box connected just fine. Interesting.

Dansguardian is off by default. Enable it under the Proxy menu. You can test its basic operation by visiting this website that has, " a DG score of 475 since it mentions bypassing DG."

Poking into the dansguardian config files, I noticed that pretty much everything but the weighted phrase lists were commented out. I asked my buddy about this, and he asked if I had noticed that it was using OpenDNS (I suggest reading the wikipedia entry on OpenDNS as well). It seems that, maybe to save the router some work, OpenDNS is relied upon for blacklisting instead of DanGuardian. I signed up for an OpenDNS account and that seems to work pretty well. Well enough that I wonder if I even need this fancy router setup.

Other things that Packet Protector does is clamav and snort scanning of your network traffic. I was noticing some increased latency in my browsing with both of those turned on, so I disabled clamav and things seemed to speed up (I rarely use windoze at home and feel plenty safe without it). My friend forwarded me this Packet Protector performance report, which seems to contradict my unscientific findings, but oh well. Maybe I'll try his test myself, but overall I'm with the others on that forum thread. This is all running on only $90 of hardware. It can be excused for being a little slow.

Packet Protector needs some serious documentation help. The web-based configuration could really use some help too. I think it's a great idea though, and I think I'll stick with it. I can tell that the filtering isn't perfect, so I'll still need to have some Fatherly Chats with my son before (and after) setting him free on the internet. Since he and I both just love having those, hopefully some filtering will lessen the need for them at least a little.

4 comments:

Alex Ott said...

Dansguardian is very good in concept, but very bad in source code :-(
there are lot of memory leaks, and insecure data handling, and it could be easely DoSed or hacked

Bryan said...

Alex, I'd never heard that before. Do you have some pointers to where I could learn more about these shortcomings? Do you have a better recommendation?

Alex Ott said...

2Bryan: i spent long time trying to fix many of these issues, so i know the code...
From my point of view, for must of cases, squidguard is enough.
And for malicious sites, firefox has built-in support for google's safe browsing api

Anonymous said...

very old post but page one on google so still reliant today.

Alex's comments should be taken with a pinch of salt. For a cheap home router I dont think you need to worry about DoS / hack issues. The end of the day its your family your talking about and have access to more important things than the internet.