AiProtection & URL Filter — am I using it wrong?

Discussion in 'ASUSWRT - Official' started by Sky, Dec 13, 2019.

  1. Sky

    Sky Occasional Visitor

    Joined:
    Jul 19, 2018
    Messages:
    34
    Location:
    PDR of California
    Greetings, All.

    I am trying to figure out if I am just spinning my wheels, wasting time, and worse — wasting precious memory on my router, or if what I'm doing is actually worthwhile. I suspect I'm simply duplicating an already working system and maybe even causing it to be less efficient than designed.

    AiProtection seems to be working well for us. I routinely check it and see many attacks thwarted. The log of those attacks reflects the originating IP addresses. Firewall > URL Filtering allows filtration by URL, but also by IP, including whole huge swaths. Filter an entire country? Sure!

    So of course, I do. And I felt really, really good about it, until the list grew to about 35 IPs & ranges. Now I'm beginning to wonder just what I hath wrought. :confused:

    Is there any benefit to entering some of these origin IPs into my URL Filtering list? Or is it just — silly?

    Thanks for any input, for I am — and most probably always will be — still a noob.

    Sky
     
  2. dave14305

    dave14305 Very Senior Member

    Joined:
    May 19, 2018
    Messages:
    1,766
    Location:
    USA
    URL Filtering is less effective nowadays with the proliferation of https. Things that are encrypted can’t be filtered. Only old-school http URLs can be filtered and those are now harder to find.
     
  3. Sky

    So…

    Does this mean: "Sky, you're using it wrong. If AiProtection is already seeing — and stopping — those IPs from attacking you as witnessed by the Two-Way IPS log, then there is no reason to populate the URL Filter with those same IPs or even IP ranges gleaned from reviewing the log. It's just a waste of your router's precious memory."
    OR
    Does it mean: "Using URL Filter to block IP ranges the way you're doing it will effectively supplement AiProtection and make your system more secure. But, using it for the individual IPs when AiProtection is already seeing them is a waste of router memory."
    OR
    Does it mean: "Say, that's a great idea! It should work really well — but be careful about blocking ranges. You can easily block entire countries, even continents."

    Signed,
    Confused Sky
     
  4. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    10,234
    Location:
    UK
    Yes, you're using it wrong. :D (Sounds like an Apple excuse ;))

    You are talking about two different things. The URL filter was never meant to be used as (and isn't) a form of firewall/IDS/anti-virus. It was designed as a crude way to block http requests to certain websites, e.g. perhaps your kids were spending too much time on http://lego.com ? As mentioned above, URL filtering is mostly ineffective nowadays because almost everything is using https.
     
  5. Sky

    Excellent! Thank you for setting me on the right path. You wouldn't believe how much time I've wasted with this.

    Thank you, thank, thank you!!
     
  6. dosborne

    dosborne Senior Member

    Joined:
    May 11, 2019
    Messages:
    397
    Location:
    /dev/null
    Some deserve to be blocked :)

    I got really frustrated one day with all the hits and attempts to exploit vulnerabilities in web sites (remote logins, ssh sessions, port scans, etc). I wrote a script that would populate a database with the IP of the offenders. Another program would analyse the data, consolidate it and based on various rules, start blocking IPs, subnets, class d ranges, class c ranges etc. It would track by date and allow a reprieve after 7 days (just trying to keep the ip table small). This table was then automatically refreshed and sent to iptables to do the blocking. Worked very well. But I live for this sort of thing. It was overkill defined.
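
The workflow described in the post above (record offender IPs, consolidate them into ranges, drop entries after 7 days, regenerate the iptables rules), as an added sketch that is not part of the original post and is not dosborne's script. Assumptions: IPv4 only, a /24 is blocked once three distinct offenders fall inside it, the chain name BLOCKLIST and the protected ranges are hypothetical, and the sample events are constructed.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

REPRIEVE = timedelta(days=7)   # the post's 7-day reprieve
SUBNET_THRESHOLD = 3           # assumed: distinct offenders before the whole /24 is blocked
CHAIN = "BLOCKLIST"            # hypothetical iptables chain name
# Assumed guard: ranges that must never end up in the block list (own LAN).
NEVER_BLOCK = [ipaddress.ip_network(n) for n in ("192.168.0.0/16", "10.0.0.0/8")]

# Constructed sample events (timestamp, source IP) using documentation ranges.
EVENTS = [
    ("2019-12-01 08:00", "203.0.113.5"),    # older than 7 days, gets its reprieve
    ("2019-12-10 09:15", "198.51.100.7"),
    ("2019-12-11 10:00", "198.51.100.20"),
    ("2019-12-12 11:30", "198.51.100.99"),  # third offender in the same /24
    ("2019-12-12 12:00", "192.0.2.44"),
    ("2019-12-12 12:05", "192.0.2.44"),     # repeat hit, counted once
    ("2019-12-12 13:00", "192.168.1.10"),   # LAN host, skipped by the guard
]

def build_blocklist(events, now):
    """Expire old entries, skip protected hosts, consolidate busy /24s."""
    recent = set()
    for stamp, ip in events:
        seen = datetime.strptime(stamp, "%Y-%m-%d %H:%M")
        addr = ipaddress.ip_address(ip)
        if now - seen > REPRIEVE or any(addr in net for net in NEVER_BLOCK):
            continue
        recent.add(addr)
    by_subnet = defaultdict(set)
    for addr in recent:
        by_subnet[ipaddress.ip_network(f"{addr}/24", strict=False)].add(addr)
    blocks = []
    for net, addrs in by_subnet.items():
        if len(addrs) >= SUBNET_THRESHOLD:
            blocks.append(net)                      # block the whole range
        else:
            blocks.extend(ipaddress.ip_network(f"{a}/32") for a in addrs)
    return sorted(blocks)

def render_rules(blocks):
    """Flush the chain, then emit one DROP rule per network."""
    return [f"iptables -F {CHAIN}"] + [
        f"iptables -A {CHAIN} -s {net} -j DROP" for net in blocks
    ]

if __name__ == "__main__":
    print("\n".join(render_rules(build_blocklist(EVENTS, datetime(2019, 12, 13)))))
```
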
     
  7. Sky

    That's pretty much where I've been except your method is W-A-Y cooler! I would have totally done this if I'd had a clue how to write & implement it. I'd have called it Forrest and just let it run and run and run.

    If they're not dead, it's not overkill. ;)