How to allow or block web sites on the router


    The pcWRT router gives a lot of flexibility for configuring allowed or blocked web sites. You can allow or block a URL, a subdomain, a domain, a certain port on a domain, a port, or a port for a specific protocol.

    1. URL Filter Mode

      For URL Filter Mode, you can choose “Black List” or “White List”.

      If you choose “Black List”, the domains or URLs listed in the “Blocked URLs” box will be blocked and everything else is allowed. In general, you don’t need to list the domains or URLs you want to allow in the “Allowed URLs” box.

      The exception is a domain that is blocked by the DNS service you choose (for example, OpenDNS). There’s no need to enter such a domain into the “Blocked URLs” box if you want to block it. But if you want to allow a domain blocked by DNS, you do need to enter it in the “Allowed URLs” box to override the DNS block.

      If you choose “White List”, only the domains or URLs listed in the “Allowed URLs” box will be allowed. There’s no need to enter a domain or URL in the “Blocked URLs” box in order to block it, unless you want to block a subset of what’s listed in the “Allowed URLs” box.

    2. What to enter in Blocked URLs or Allowed URLs

      You can enter the following things in the “Allowed URLs” or “Blocked URLs” box, one entry per line.

      • A domain name, such as: www.google.com. This will allow/deny access to www.google.com for all ports.
      • An upper level domain name, such as google.com. This will allow/deny all Google domains, including www.google.com, docs.google.com, m.google.com etc.
      • A top level domain name, such as com. This will allow/deny all domains under .com, such as google.com, bing.com, cnn.com, facebook.com, etc.
      • A URL, such as http://www.yahoo.com. This will allow/deny www.yahoo.com over HTTP only. It will not affect other protocols such as HTTPS (i.e., https://www.yahoo.com).
      • A URL with a path, such as http://www.yahoo.com/block/this/path. This will allow/deny the specified path on http://www.yahoo.com only. It has no effect on other paths on www.yahoo.com, or other protocols such as HTTPS. Because the path is encrypted for HTTPS, entering a path with HTTPS has no effect, i.e., the router will behave as if the entry does not exist.
      • A domain name with a port, such as m.google.com:80. This will allow/deny access to m.google.com on port 80, for both TCP and UDP.
      • A domain name with a port and protocol, such as time.windows.com:123U. This will allow/deny access to time.windows.com on UDP port 123. Or, if you enter time.windows.com:123T, then it will allow/deny time.windows.com on TCP port 123.
      • If you want to allow/deny connection over a certain port, but do not want to specify a specific domain, then you can enter the port only. For example, :123U will allow/deny UDP port 123, :23T will allow/deny TCP port 23, :53 will allow/deny port 53 on both TCP and UDP.
      • You may also enter a port range. For example: :3000-4000, :3000-4000U, somedomain:3000-4000T, etc.
    3. Partial (or approximate) domain matching
      Instead of doing an exact domain match, you can enter a pattern to match domain names “approximately”. Just start the entry with the “approximate” sign ~. For example, if you enter ~pinterest. in the Black List, all pinterest domains will be blocked (i.e., pinterest.com, pinterest.es, pinterest.jp etc.).

      In fact, you can enter a POSIX Extended regular expression after the tilde, except that the meaning of . is reversed: . matches the literal dot, while \. matches any one character. The above example can be more accurately written as ~^pinterest.

      Correction: The expression ~^pinterest. actually does not block Pinterest, because Pinterest web sites are accessed via www.pinterest.xx. The character “^” matches the “beginning of line”, thus ~^pinterest. will not match www.pinterest.xx. The proper expression should be ~\<pinterest., where “\<” matches the “beginning of a word”.
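
      The difference between these patterns can be checked offline. The following is an added example, not pcWRT code: it translates a tilde entry into a Python regular expression (swapping the meaning of . and \. as described above, and mapping \< to a word-start assertion) and runs it over constructed sample domains. The function names and the domain list are assumptions made for the illustration.

```python
import re

def pcwrt_to_regex(entry):
    # Translate a "~" list entry into an equivalent Python regex.
    body, out, i = entry[1:], [], 0          # drop the leading tilde
    while i < len(body):
        two = body[i:i + 2]
        if two == "\\.":
            out.append(".")                  # pcWRT: \. matches any one character
            i += 2
        elif two == "\\<":
            out.append(r"\b(?=\w)")          # beginning of a word
            i += 2
        elif body[i] == "\\":
            out.append(two)                  # any other escape passes through
            i += 2
        elif body[i] == ".":
            out.append(r"\.")                # pcWRT: bare . is a literal dot
            i += 1
        else:
            out.append(body[i])
            i += 1
    return re.compile("".join(out), re.ASCII)

def matches(entry, domain):
    # Unanchored search, like the router's "approximate" match.
    return pcwrt_to_regex(entry).search(domain) is not None

# Constructed sample domains, including look-alikes that should not be caught.
DOMAINS = ["pinterest.com", "www.pinterest.es", "pinteresting.com",
           "notpinterest.com", "my-pinterest.com"]

def table(entries):
    # Map each entry to the sample domains it would match.
    return {e: [d for d in DOMAINS if matches(e, d)] for e in entries}

if __name__ == "__main__":
    for entry, hit in table(["~pinterest", "~pinterest.", "~^pinterest.",
                             r"~\<pinterest."]).items():
        print(f"{entry:16} -> {hit}")
```

      A hyphen counts as a word break for \<, so a name such as my-pinterest.com is still matched by ~\<pinterest. even though notpinterest.com is not.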

    4. Add entries to the black list as Ads
      As of release v2.1.0, you can add an entry to the black list and flag it as an ad. This works for exact domain matching and “approximate” (i.e., regex) domain matching. Simply append “!A” to the end of the entry.

      For example, if you want to block “ads.somedomain.com” as an ad, you’d enter “ads.somedomain.com!A”. Without the “!A” suffix, the entry would be a normal block. With it, the entry is an ad block.

      These are the differences between a normal block and an ad block:

      • The former is reported as “Blocked” in the Internet logs while the latter is reported as “Ad”.
      • When you pause Ad blocking, ad blocks listed in the black list are bypassed.
      • You only need to add ad block entries to the Default profile. And it works for all profiles.
    5. How is block or allow determined?
      When a client device requests a URL, the router goes through the entries in both Allowed URLs and Blocked URLs to find the most specific match, and then decides whether to allow or deny access. If no entry matches, the URL Filter Mode decides. These are the rules:

      • The more specific entry wins over a less specific entry. For example, suppose you entered www.yahoo.com in Allowed URLs, but https://www.yahoo.com in Blocked URLs. When a device requests https://www.yahoo.com, it is blocked. But if http://www.yahoo.com is requested, it is allowed, because the more specific entry does not match.
      • Port takes precedence over domain. For example, suppose you entered www.google.com in Allowed URLs, but :80 in Blocked URLs. When a client requests http://www.google.com, it will be blocked, because both entries match and the port entry takes precedence. But if a client requests https://www.google.com, it will be allowed because the port rule no longer matches.
      • Blocked URLs override Allowed URLs. You’ll never enter the same entry into both boxes, so one will always win over the other by being more specific or having higher precedence. But in case you have identical entries in both, the Blocked URLs entries override the Allowed URLs entries.
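
      The three rules above can be modelled in a few lines to check a planned list before entering it on the router. This is an added example, not pcWRT's implementation: it covers exact entries only (no ~ patterns or !A flags), and the function names, the prefix matching of paths and the ranking of entry kinds that the page does not compare directly are assumptions.

```python
from urllib.parse import urlsplit

def parse(entry):  # one list entry -> rule dict, or None if it has no effect
    rule = {"scheme": None, "host": "", "path": "", "ports": None, "proto": None}
    if "://" in entry:                        # URL entry, optionally with a path
        u = urlsplit(entry)
        if u.scheme == "https" and u.path not in ("", "/"):
            return None                       # HTTPS path is encrypted: ignored
        rule.update(scheme=u.scheme, host=u.hostname, path=u.path)
        return rule
    rule["host"], _, port = entry.partition(":")
    if port:                                  # 80, 123U, 23T, 3000-4000T
        if port[-1] in "UT":
            rule["proto"], port = port[-1], port[:-1]
        lo, _, hi = port.partition("-")
        rule["ports"] = (int(lo), int(hi or lo))
    return rule

def score(rule, req):  # specificity tuple if the rule matches, else None
    h = rule["host"]
    if (h and req["host"] != h and not req["host"].endswith("." + h)
            or rule["scheme"] not in (None, req["scheme"])
            or not req["path"].startswith(rule["path"])):  # prefix: assumption
        return None
    if rule["ports"]:
        lo, hi = rule["ports"]
        if not lo <= req["port"] <= hi or rule["proto"] not in (None, req["proto"]):
            return None
    # Port outranks domain (page rule); order of the other fields is an assumption.
    return (rule["ports"] is not None, rule["scheme"] is not None,
            h.count(".") + 1 if h else 0, len(rule["path"]))

def decide(url, allowed, blocked, mode="black", proto="T"):
    u = urlsplit(url)
    req = {"scheme": u.scheme, "host": u.hostname, "path": u.path or "/",
           "port": u.port or {"http": 80, "https": 443}.get(u.scheme, 0),
           "proto": proto}
    best = None                               # (score, is_block); block wins ties
    for entries, is_block in ((allowed, False), (blocked, True)):
        for rule in filter(None, map(parse, entries)):
            s = score(rule, req)
            if s is not None and (best is None or (s, is_block) > best):
                best = (s, is_block)
    if best is None:                          # no entry matched: the mode decides
        return "allow" if mode == "black" else "block"
    return "block" if best[1] else "allow"

if __name__ == "__main__":
    print(decide("http://www.google.com", ["www.google.com"], [":80"]))   # block
    print(decide("https://www.google.com", ["www.google.com"], [":80"]))  # allow
```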

     

    As always, you don’t have to use all available options. In most cases, it suffices to simply enter domain names in either Allowed URLs or Blocked URLs. But in case you need more fine-grained control, you are empowered to do so.

4 Responses so far.

  1. Casino says:

    Great guide, but I have a problem with the partial domain. Can you describe it better?

    For example, if I want to block “pinterest”, what do I have to write? ~pinterest or ~^pinterest?

    What’s the difference?

    I read the link you posted about BSD but it’s difficult.

    Can you extend the paragraph to better describe it, with many more examples?

    What are all the possibilities that you give us to block a partial domain?

    What other characters, other than ~ and ^, can I put? Can you make an example one by one?

    I need to understand this thing, thanks.

    • pcwrt says:

      Regular expressions are very powerful, but they can be overwhelming to a beginner. Even the pros find them difficult sometimes. The good news is, most of the time you don’t need to use their full power.

      Without the beginning tilde, the black/white list does exact match as usual. With the beginning tilde, it does the “approximate” match by matching the entered text as a regular expression.

      Take pinterest for example: if you simply enter “~pinterest”, then all domains containing the string “pinterest” will be blocked, including pinterest.com, pinteresting.com, notpinteresting.com.

      If you enter “~pinterest.”, then pinteresting.com and notpinteresting.com will not be blocked. But notpinterest.com is still blocked. To avoid that, you can enter “~\<pinterest.”, where the special character sequence “\<” matches the “beginning of a word”.

      However, for all practical purposes, the simple expression “~pinterest.” works well enough.
