1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Some interesting Access Restriction results possible bugs

Discussion in 'Tomato Firmware' started by xtacydima, Apr 21, 2011.

  1. xtacydima

    xtacydima LI Guru Member

    I been playing with blocking certain websites for known social networking and such in access restrictions, to set up at my friends office for certain employees.

    So to experiment, I first tried it at home, and I added a few items to the http block list, and I also enabled logging of access connections blocked in the logging information for inbound/outbound traffic. This way I can see whom tried to get to certain websites.

    Some interesting results...

    In the logs it shows the ip blocked and the ip src address.

    for example see starting cut portion of one line
    Apr 21 01:47:13 unknown user.warn kernel: REJECT IN=br0 OUT=vlan2 SRC= DST=

    Now here is the funny part, some sites get blocked in full, but some can still be accessed by IP.

    For example, cnn.com - I can get to cnn.com by its ip ( although the dns name is blocked and I can even navigate around via IP. This does not work for all websites, and so far I only found this to be buggy with cnn.com although I only been playing with the feature for 20min. For example it did nto work with [facebook] as it was blocked by its IP.

    I never visited cnn.com before on this PC, and I know its not cached, also, I was able to navigate through the site by clicking any link within cnn and seeing current info.

    I was just wondering if anyone else can replicate this, and also, is it a bug?
  2. phuque99

    phuque99 LI Guru Member

    Access restrictions block by looking at alphabet strings on layer 7. If you access cnn.com via IP, traffic that passes through your router will not contain the string that will match your access restrictions.
  3. TT76

    TT76 Networkin' Nut Member

    That restriction just checks host and get fields in http head and post content. In your case, the content of host field is ip address but cnn.com. So that access can't be restricted. You can use the command "nslookup cnn.com" to find all ip address' of this domain name and restrict them.
  4. xtacydima

    xtacydima LI Guru Member

    Thanks for all the replies everyone.

    Yes I thought of an nslookup and ended up doing that already.

    In any case, I just wanted to post about this to make sure it wasn't a bug of how access restrictions works that was overlooked.

Share This Page