February 14, 2009

Gargoyle (access restrictions)

I first wrote about Gargoyle router management utility (beta 2) back in October last year. Since then, I've wanted to write more about it, but kept putting it off, plus the author (Eric) keeps releasing updates faster than I can write about them! Anyway, I'm now using an experimental beta 4.something, and it has a number of significant updates and bug fixes over beta 2.

The most significant new feature of the current Gargoyle beta is the access restrictions module. It is leaps and bounds above anything else out there because restrictions can be classified by IP, IP range, MAC address, port, protocol, or URL. The URL restriction can be processed by simple match, exact match, or regular expression using either the domain name part of the URL, or the full URL. Plus Gargoyle also has whitelisting (it's called Exceptions in the Gargoyle UI). I'm especially happy about this feature because I threat^H^H^H^H^Hbegged Eric to have it implemented. It is essentially the same as restrictions, but works in reverse.

With the access restrictions and exceptions working hand in hand, you can create very complex access scenarios for the users. For example, you can block all downloading of .exe or .zip files to prevent users from downloading programs, but you can put in an exception for antivirus update sites, so users can still update their antivirus definitions. Another scenario is you could always allow employees/kids to access the company/school website, while other sites are allowed or blocked according to time of day. For me, my users often need to download files from government websites, which for some stupid reason are always compressed self-extractable files. So for me, I block users from downloading all .exe files, but put in an exception for *.go.th sites.

The current beta of Gargoyle is also based on the latest OpenWrt beta (8.09RC2) so it can use the same packages and has the same hardware support as OpenWrt. Unfortunately, this version seems to use much more memory than previous versions, and when being used with the Linksys WRT54GL, I could easily crash the router by opening many connections at once, such as when running a bittorrent client, so I ended up buying an ASUS WL-500gP V2 to run Gargoyle with. The WL-500gP V2 has twice the flash and twice the memory of the WRT54GL, and Gargoyle is completely stable on it.

As of this writing, Gargoyle still has a number of minor bugs, but it's highly usable as it is. I'll write more about some of the other features next time.

In the screenshots below, I made a sample of the "block downloads, but allow antivirus updates" scenario I mentioned above.

Clicking on the edit button brings up a pop-up that allows further editing; in this example, .exe, .zip, and .rar are blocked by regular expressions. However, all transfers from the avgate.net (Avira Antivir) and f-secure.com (F-Secure Antivirus) domains are allowed. This allows downloading of program files as well as antivirus definitions from those two sites.
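To make the "restrictions plus exceptions" logic from the scenarios above concrete (block .exe/.zip/.rar downloads, but let the antivirus update domains and *.go.th through), here is a small Python model of how such a policy is evaluated. This is an added example written for this post, not Gargoyle's own code: the `Request` and `Rule` types, the rule names, the MAC address and the sample URLs are all constructed for illustration. It follows the match options the post describes (IP/range, MAC, port, protocol, and URL by simple, exact or regex match against either the domain or the full URL) and the rule that an exception wins over a restriction.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit


@dataclass
class Request:
    """One outbound request as the router would see it (constructed model)."""
    src_ip: str
    src_mac: str
    protocol: str      # "tcp" or "udp"
    dst_port: int
    url: str = ""      # empty for traffic that carries no URL


@dataclass
class Rule:
    """A restriction or exception. Every criterion is optional; set ones are ANDed."""
    name: str
    ip_range: Optional[str] = None   # single IP or CIDR, e.g. "192.168.1.0/24"
    mac: Optional[str] = None
    protocol: Optional[str] = None
    port: Optional[int] = None
    url_pattern: Optional[str] = None
    url_match: str = "simple"        # "simple" (substring), "exact" or "regex"
    url_part: str = "full"           # match the "full" URL or the "domain" only

    def matches(self, req: Request) -> bool:
        if self.ip_range and ipaddress.ip_address(req.src_ip) not in ipaddress.ip_network(
            self.ip_range, strict=False
        ):
            return False
        if self.mac and self.mac.lower() != req.src_mac.lower():
            return False
        if self.protocol and self.protocol.lower() != req.protocol.lower():
            return False
        if self.port is not None and self.port != req.dst_port:
            return False
        if self.url_pattern:
            if not req.url:
                return False            # a URL rule cannot match URL-less traffic
            if self.url_part == "domain":
                subject = urlsplit(req.url).hostname or ""
            else:
                subject = req.url
            if self.url_match == "exact":
                return subject == self.url_pattern
            if self.url_match == "regex":
                return re.search(self.url_pattern, subject) is not None
            return self.url_pattern in subject
        return True


def evaluate(restrictions, exceptions, req):
    """Exceptions are checked first and win; unmatched traffic is allowed."""
    for rule in exceptions:
        if rule.matches(req):
            return ("allow", rule.name)
    for rule in restrictions:
        if rule.matches(req):
            return ("block", rule.name)
    return ("allow", None)


LAN = "192.168.1.0/24"   # constructed LAN range

# Restrictions: the post's "block program downloads" rule as an anchored regex on
# the full URL (the "(\?|$)" keeps a trailing query string from hiding the
# extension), plus a constructed MAC+port rule to show the non-URL criteria.
RESTRICTIONS = [
    Rule("block-program-downloads", ip_range=LAN, protocol="tcp", port=80,
         url_pattern=r"\.(exe|zip|rar)(\?|$)", url_match="regex", url_part="full"),
    Rule("block-bittorrent-by-mac", mac="00:11:22:33:44:55", protocol="tcp", port=6881),
]

# Exceptions: the antivirus update domains and *.go.th, matched on the domain
# part with regexes anchored at the end so look-alike hostnames do not qualify.
EXCEPTIONS = [
    Rule("allow-avira-updates", ip_range=LAN, url_pattern=r"(^|\.)avgate\.net$",
         url_match="regex", url_part="domain"),
    Rule("allow-fsecure-updates", ip_range=LAN, url_pattern=r"(^|\.)f-secure\.com$",
         url_match="regex", url_part="domain"),
    Rule("allow-thai-government", ip_range=LAN, url_pattern=r"\.go\.th$",
         url_match="regex", url_part="domain"),
]


def demo():
    """Run a set of constructed requests through the policy and return the decisions."""
    lan_pc = ("192.168.1.20", "aa:bb:cc:dd:ee:01")
    cases = {
        "plain-exe": Request(*lan_pc, "tcp", 80, "http://www.example.com/setup.exe"),
        "exe-with-query": Request(*lan_pc, "tcp", 80, "http://www.example.com/setup.exe?v=2"),
        "avira-update": Request(*lan_pc, "tcp", 80, "http://dl.avgate.net/avira.exe"),
        "fsecure-update": Request(*lan_pc, "tcp", 80, "http://download.f-secure.com/defs.zip"),
        "gov-form": Request(*lan_pc, "tcp", 80, "http://www.rd.go.th/form.exe"),
        "lookalike-domain": Request(*lan_pc, "tcp", 80, "http://www.avgate.net.example.com/x.exe"),
        "web-page": Request(*lan_pc, "tcp", 80, "http://www.example.com/index.html"),
        "outside-lan": Request("10.0.0.5", "aa:bb:cc:dd:ee:99", "tcp", 80, "http://www.example.com/setup.exe"),
        "torrent-laptop": Request("192.168.1.30", "00:11:22:33:44:55", "tcp", 6881),
    }
    return {name: evaluate(RESTRICTIONS, EXCEPTIONS, req) for name, req in cases.items()}


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:18s} -> {decision}")
```

The two points worth taking from the model: exceptions are evaluated before restrictions, which is what lets an antivirus .exe through while other .exe downloads are blocked, and domain exceptions should be anchored at the end of the hostname, otherwise a substring match on "avgate.net" would also accept a host such as www.avgate.net.example.com.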