This will be a guide on how to configure network-level blocks to restrict malware, advertising and other unwanted media entering the network. You’ll have to reach your own moral conclusions on whether or not this is something you wish to pursue. By not allowing adverts onto your LAN, you will be depriving the sites you visit of revenue. If you are making direct payments to them via Flattr, Patreon etc. then it’s probably OK.
The counter argument is that the advertising networks are an egregious invasion of privacy, tracking you wherever you go on-line, a vector for malware and a distraction from the content you wish to view. All well and good, but when there’s no money to support the production of said content, how happy will you be?
One thing to bear in mind is that a network-level block can’t be disabled per-site, affects every client on the network and will almost certainly break some services. If you do decide to pursue this, consider blocking only the worst offenders and running a white-list as well to permit some “advertising” services through.
Old Way
There’s one general approach you’ll find well documented for OpenWRT and for DD-WRT:
- Run a new web instance to serve a blank GIF. Use a different port or IP address
- Configure dnsmasq to block/white-list domains
- Have a firewall rule redirect requests to the new uhttpd instance.
- Have a script launch everything at boot and update the lists.
This is a good guide for DD-WRT. For OpenWRT you could use this or this.
New Way
There is now an OpenWRT package to simplify this (although I still recommend reading the above guide so you understand what is happening), so we’ll go with that. For Chaos Calmer there are no packages just yet, so ssh into the router, wget the latest git builds and install them (correct at time of writing):
wget https://downloads.openwrt.org/snapshots/trunk/ar71xx/generic/packages/packages/adblock_1.2.8-1_all.ipk
wget https://downloads.openwrt.org/snapshots/trunk/ar71xx/generic/packages/luci/luci-app-adblock_git-16.171.60975-65c7610-1_all.ipk
opkg install adblock_1.2.8-1_all.ipk
opkg install luci-app-adblock_git-16.171.60975-65c7610-1_all.ipk
You can set which lists you want to use by editing /etc/config/adblock, or by using the GUI installed above.
All that remains now is to pick your list options (selecting them all will block ~80k domains), figure out which services are now broken so they can be white-listed and then set a crontab to update the block-lists. Go to System/Scheduled Tasks and then add:
# start adblock script once a day at 0500.
#
0 05 * * * /etc/init.d/adblock start
Even though the option is “start”, it will also take care of the updates.
One interesting thing to do is to test it. So ssh into your router, if not there already, and stop adblock:
/etc/init.d/adblock stop
Now ping doubleclick:
ping doubleclick.com
PING doubleclick.com (216.58.211.46): 56 data bytes
64 bytes from 216.58.211.46: seq=0 ttl=49 time=30.735 ms
64 bytes from 216.58.211.46: seq=1 ttl=50 time=32.105 ms
Enable adblock:
/etc/init.d/adblock start
And try to ping doubleclick again:
ping doubleclick.com
PING doubleclick.com (192.0.2.1): 56 data bytes
ping: sendto: Operation not permitted
Here you can see the non-LAN IP address that has been resolved; this is what the script then uses to send 1×1 GIFs to your browser when on the interwebs.
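To make the block/white-list step concrete, here is an added example (not code from the adblock package or from the guides mentioned above) that turns a block list into dnsmasq address=/domain/ip entries and applies a white-list. The function names, the sample domains and the choice of 192.0.2.1 from the ping output above as the answer address are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not the adblock package's code): build dnsmasq block entries
# from a hosts-format or plain-domain list, honouring a white-list.
SINK_IP="192.0.2.1"    # address the blocked lookup returns in the ping test

# build_blocklist BLOCKLIST WHITELIST
#   stdout: sorted, de-duplicated "address=/domain/SINK_IP" lines
#   stderr: white-list entries that a blocked parent domain still overrides
build_blocklist() {
    awk -v sink="$SINK_IP" '
        function clean(s) { sub(/#.*/, "", s); gsub(/\r/, "", s); return tolower(s) }
        function parent(n) { return index(n, ".") ? substr(n, index(n, ".") + 1) : "" }
        # True when name, or any parent domain of it, is a key of set.
        function covered(n, set) {
            while (n != "") { if (n in set) return 1; n = parent(n) }
            return 0
        }
        { $0 = clean($0) }
        FILENAME == ARGV[1] { if ($1 != "") white[$1] = 1; next }   # white-list
        {
            d = (NF >= 2) ? $2 : $1          # "0.0.0.0 domain" or bare "domain"
            if (d ~ /^[a-z0-9_-]+(\.[a-z0-9_-]+)+$/ && d ~ /[a-z]/ &&
                d !~ /^localhost/ && !covered(d, white)) block[d] = 1
        }
        END {
            # dnsmasq applies address=/example.com/ to every subdomain too, so
            # entries below an already blocked parent are redundant.
            for (d in block) if (!covered(parent(d), block))
                print "address=/" d "/" sink
            for (w in white) if (covered(parent(w), block))
                print "warning: " w " is still blocked via a parent domain" | "cat 1>&2"
        }
    ' "$2" "$1" | LC_ALL=C sort -u
}

# Constructed sample input (not a real list), written to a temp directory.
demo() {
    t=$(mktemp -d)
    printf '%s\n' '# sample' '127.0.0.1 localhost' '0.0.0.0 ads.example.com' \
        '0.0.0.0 example.net' '0.0.0.0 track.example.net' 'Metrics.Example.ORG' \
        > "$t/block"
    printf '%s\n' 'ads.example.com' 'cdn.example.net' > "$t/white"
    build_blocklist "$t/block" "$t/white"
    rm -rf "$t"
}

demo
```

The warning is the case to watch when working out which services broke: leaving a subdomain's own entry out does not unblock it while an entry for its parent domain remains in the list.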