Accessing risky web short URL

Hello.

The local network of interest is 192.168.4.0/24: http://paste.opensuse.org/75926803

The router R6300v2 runs a script to create a blacklist of unwanted URLs.
That runs fine.

But I sometimes need to access short URLs like http://goo.dl/xxxxxxxxxx which are banned by the router.
I can put some of these addresses in a whitelist, but I prefer not to.

Is there a way to access these addresses while keeping the local network as safe as possible?

Any help is welcome.


If your router is blocking, no configuration on your local machine is going to override what happens on the router.
You either have to implement a solution on that router or bypass it.

TSU

As I said, I know how to authorize risky short URLs by making a whitelist on the router R6300v2.
As I said, I would not do that.

I was thinking about other solutions like:

  • putting a PC with two NICs and configuring it as a DMZ between the router R6300v2 and the router RP614
  • a software solution to create a DMZ above the local network
  • ???
  • ?

I just need to download documents safely sometimes.

Hi
Convert the short URL to a real URL, e.g. http://www.generateit.net/seo-tools/url-shortener/expand.php

I have a Perl script: when I get an email or NNTP message with a short URL (TinyURL), I can run the script on the message (via claws-mail) to convert it to the real URL and update the message.

You can always deploy your machine in front of a filtering critical node; it's just unprotected, so you have to take additional or different steps to protect your machine.

TSU
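The expansion step above, done locally instead of through a web form, as an added example (not the Perl script from the post): send a HEAD request, refuse to follow redirects automatically, and read the Location header, so you learn where a goo.gl link points before anything on the LAN fetches it. It uses only the standard library; the short URL, the hop limit and the User-Agent string are assumptions, and the code tells you the destination, not whether that destination is safe. The resolved host name is what you would then check against the router's blacklist or a reputation service.

```python
"""Expand a short URL without visiting its destination (added example)."""
import http.client
from urllib.parse import urlsplit, urljoin

REDIRECT_CODES = {301, 302, 303, 307, 308}
MAX_HOPS = 5  # shorteners sometimes chain; never loop forever (assumed limit)


def parse_redirect(status, headers, base_url):
    """Return the absolute redirect target for one response, or None when the
    response is not a redirect (final page, error, or no Location header).
    `headers` is any mapping of header names to values; lookup is case-insensitive."""
    if status not in REDIRECT_CODES:
        return None
    location = next((v for k, v in headers.items() if k.lower() == "location"), None)
    if not location:
        return None
    # A relative Location is legal; resolve it against the URL we asked for.
    return urljoin(base_url, location.strip())


def one_hop(url, timeout=10):
    """Issue a single HEAD request (GET on 405) and return (status, headers).
    The response body is never read, so a hostile destination gets no chance
    to deliver anything to this machine."""
    parts = urlsplit(url)
    cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    for method in ("HEAD", "GET"):
        conn = cls(parts.hostname, parts.port, timeout=timeout)
        try:
            conn.request(method, path, headers={"User-Agent": "url-expander/0.1"})
            resp = conn.getresponse()
            if resp.status == 405 and method == "HEAD":
                continue  # some hosts refuse HEAD; retry with GET, body still unread
            return resp.status, dict(resp.getheaders())
        finally:
            conn.close()
    return None, {}


def expand(url):
    """Follow redirects by hand; return the list of URLs visited, the last one
    being the real destination (or where redirection stopped)."""
    chain = [url]
    for _ in range(MAX_HOPS):
        status, headers = one_hop(chain[-1])
        target = parse_redirect(status, headers, chain[-1])
        if target is None:
            break
        chain.append(target)
    return chain


if __name__ == "__main__":
    import sys
    # Assumed short URL; replace with the one you were sent.
    for hop in expand(sys.argv[1] if len(sys.argv) > 1 else "http://goo.gl/photos"):
        print(hop)
```

Run it from any LAN machine that is allowed to reach the shortener itself; the chain it prints is what you would paste into the whitelist, or refuse.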

I tried your tips, but they return nothing with my example “goo.gl/photos”, nor with “goo.gl”, which belongs to Google.

What I am looking for is a way to protect everybody on the local network behind the router R6300v2 when someone is downloading from a risky web URL (standard or short).
When a solution is found, I will put some of these addresses into my router's whitelist.
For the moment, my router blocks all unwanted URLs using its own script.

Any tips are welcome.

Proxy servers often have the ability to configure rules to allow/disallow specific URLs to specific Hosts.
That’s because, by their nature, they don’t filter a client/remote server connection: they terminate the network connection, then make a new connection to the other side, and by doing so can inspect anything about a connection before applying rules to the new connection made on the other side.

TSU
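What those per-client, per-URL rules look like in practice, as an added example with Squid (not from the post): the LAN 192.168.4.0/24 is the one given in the thread; the workstation 192.168.4.50, the file /etc/squid/blocklist.txt (the router's blacklist exported one domain per line) and the port are assumptions.

```conf
# squid.conf fragment (added example). Squid sits between the LAN and the
# R6300v2; browsers on the LAN are pointed at it as their proxy.
http_port 3128

acl lan        src 192.168.4.0/24
acl downloader src 192.168.4.50
# ".goo.gl" matches goo.gl and every subdomain; listing both would overlap.
acl shorteners dstdomain .goo.gl
acl blocked    dstdomain "/etc/squid/blocklist.txt"
acl safe_ports port 80 443
acl ssl_ports  port 443
acl CONNECT    method CONNECT

# First match wins. The shortener rules sit above the blocklist so the
# exception for one PC works even while goo.gl stays on the router's list.
http_access deny  !safe_ports
http_access deny  CONNECT !ssl_ports
http_access allow downloader shorteners
http_access deny  shorteners
http_access deny  blocked
http_access allow lan
http_access deny  all
```

For HTTPS the browser sends a CONNECT with the target host, so dstdomain still decides which host may be reached, but the proxy cannot see the path or the response body unless you also configure TLS interception, which is a separate decision with its own trust consequences.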

So I have to put the proxy software in the router, just before my local network, don't I?

Hi
Why not just add it to the whitelist, or just use the IP address rather than resolving the name (one way to get around your filters :wink:)? Run nslookup or dig on goo.gl.

I generally consider that the script in my router provides a reasonable list of sites to avoid.
As this script is not perfect, it gives some false positives.
For example, it blacklists the site of my own bank. So I manually manage a whitelist.
I manually filled the whitelist with sites that I know myself, or whose reputation I can reasonably trust or check.
Until now this was acceptable.

Now an example of a general case that can happen.
I have to allow downloading picture files from the goo.dl site.
I have no objective way to judge whether this site is clean and whether I will be invaded by unsolicited advertisements (spam).
For the moment, I add the address to the whitelist; I restart the router; I do the download; I remove the address from the whitelist; I restart the router.

I am looking for a solution without human intervention (after of course having set up, at least once, each new address).

I proposed a proxy server only because it might provide more filtering options (e.g. by client-side connection). More specifically, I’m describing a proxy firewall server.

Like any other firewall, there are some you would install as software on your own hardware, and there are those that are sold as hardware appliances, and typically it should <replace> what you are now using instead of augmenting it, to keep things as simple as possible and avoid scenarios where you’d have to check your rules on both (or more) machines.

TSU

At the moment I have created a script which:

  1. adds an address to a temporary whitelist.
  2. asks the router to reboot (this merges the temporary whitelist with the permanent whitelist). Everybody has to wait 2 min until the reboot is finished.
  3. tells the user that they can download the data from the risky site.
  4. tells the user to type a key when the download is finished.
  5. when the download is finished, deletes the temporary whitelist.
  6. asks the router to reboot. Everybody has to wait 2 min until the reboot is finished.

I’m looking for a better solution.

On what hardware should I put the proxy server software?
On the Netgear router?

I’ll check if there is a proxy server software working with the dd-wrt firmware.
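One way to take the human out of steps 4 to 6 of the procedure above, as an added example that is not the poster's script: give each temporary entry a lifetime, and push the router only when the set of active entries actually changes. How the R6300v2 is told to re-read its lists is router-specific, so that step is a callback you supply; the `reload` used in the demo just prints, and the TTL values are assumptions.

```python
"""Time-limited temporary whitelist (added example, not the poster's script)."""
import time


class TemporaryAllowlist:
    def __init__(self, reload, clock=time.time):
        self.reload = reload   # callable(list_of_hosts): merge with the permanent list and apply
        self.clock = clock     # injectable clock, so expiry can be tested without waiting
        self.entries = {}      # host -> expiry timestamp
        self.pushed = []       # what the router was last told, to avoid needless reboots

    def active(self):
        """Hosts whose lifetime has not run out yet, sorted for stable comparison."""
        now = self.clock()
        return sorted(h for h, expiry in self.entries.items() if expiry > now)

    def push(self):
        """Apply the active set to the router only if it differs from the last push.
        Returns True when a reload was triggered."""
        active = self.active()
        if active == self.pushed:
            return False
        self.reload(active)
        self.pushed = active
        return True

    def grant(self, host, ttl_seconds):
        """Allow `host` for ttl_seconds (extending, never shortening, an existing grant)."""
        host = host.strip().lower()
        self.entries[host] = max(self.entries.get(host, 0), self.clock() + ttl_seconds)
        return self.push()

    def expire(self):
        """Drop entries past their lifetime; reload only if something was dropped."""
        now = self.clock()
        self.entries = {h: e for h, e in self.entries.items() if e > now}
        return self.push()

    def run(self, interval=30):
        """Background loop: call from a thread or a cron-like job; no key press needed."""
        while True:
            self.expire()
            time.sleep(interval)


if __name__ == "__main__":
    # Assumed: this stand-in writes the list somewhere a router script picks it up.
    def reload(hosts):
        print("router reload with temporary hosts:", hosts)

    al = TemporaryAllowlist(reload)
    al.grant("goo.gl", 600)   # one reload now; the user downloads for up to 10 minutes
    al.expire()               # nothing changed yet, so no second reload
```

With a reload that only rewrites the whitelist and restarts the filter, rather than rebooting the whole router, the two-minute outage in steps 2 and 6 goes away as well; whether the R6300v2 firmware allows that is for you to check.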

…try e.g. opnSense (opnsense.org) if you like the proxy solution.

If I want to do “risky” things, I have a dedicated machine (for simple things a Raspberry Pi 3 might be enough) in a dedicated network, which I access via VNC. I don’t know if your Netgear can serve two networks. If you REALLY care about security, get rid of the Netgear first…

If the machine + network is located somewhere else in the world, outside my LAN, I use VNC via an OpenVPN/IPsec tunnel to reach it. :wink:

No, I don’t know of any proxy firewall appliances sold by low-end manufacturers… despite the fact that the underlying software is actually very simple in design and easy to implement.

Netgear (and, generally speaking, all iptables-based filtering) firewalls are sometimes referred to as “window screen” firewalls… They only block packets or allow them to pass through. Because these common firewalls only block or pass, the packet contents are not generally inspected, only the packet headers… And so the filtering rules can also only be very simple, and packets are not modified.

Proxy firewalls like Squid, Checkpoint, Forefront, etc. don’t allow <any> packets to pass through the firewall; incoming sessions are <terminated> at the firewall. Then, if the rules allow, a new session is created on behalf of the remote endpoint of the terminated session, connecting to the original target.

By creating a new session instead of passing the original packet through the firewall, the entire packet is inspected, not just the headers… And when the new packet is created, anything you wish can be rewritten.

This “deep inspection” and the ability to modify the packet can be used in your case for redirecting and managing the target destination.
If you want to try installing a proxy firewall, you might start by searching for what is available on Linux (there may always be something new someone creates) and install it on a cheap box with 2 NICs.

HTH,
TSU
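The mechanism described in the last post, stripped to its core, as an added example (not Squid or any other product): the client's TCP session ends at the proxy, the whole request is parsed and judged, and only if policy says so does the proxy open its own connection to the origin and relay the answer. Nothing the client sent is forwarded before the check. The LAN 192.168.4.0/24 is from the thread; the trusted workstation 192.168.4.50, the shortener and blocklist sets, and the listen address are assumptions, and it handles plain HTTP only (a CONNECT for HTTPS is refused), so it is a model of the idea, not a replacement for the router.

```python
"""Minimal terminating HTTP proxy with per-client, per-host policy (added example)."""
import ipaddress
import socket
import threading

LAN = ipaddress.ip_network("192.168.4.0/24")        # the network from the thread
TRUSTED = ipaddress.ip_address("192.168.4.50")       # assumed: the one PC allowed short URLs
SHORTENERS = {"goo.gl", "tinyurl.com"}               # assumed
BLOCKLIST = {"evil.example"}                         # constructed stand-in for the router's list


def parse_request(raw):
    """Split the head of an HTTP/1.x request into (method, target, version, host).
    Raises ValueError on a malformed request line. IPv6 literal hosts are not handled."""
    head = raw.partition(b"\r\n\r\n")[0].decode("latin-1")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    host = None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = value.strip().split(":")[0].lower()
    return method, target, version, host


def decide(client_ip, host):
    """Policy applied to the parsed request: LAN clients only, never the
    blocklist, shorteners only from the trusted PC. Returns 'allow' or 'deny'."""
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        return "deny"
    if ip not in LAN or not host:
        return "deny"
    if host in BLOCKLIST:
        return "deny"
    if host in SHORTENERS and ip != TRUSTED:
        return "deny"
    return "allow"


def handle(conn, addr):
    """One client session. A single recv() is a simplification: real proxies
    read until the header block is complete before judging it."""
    with conn:
        raw = conn.recv(65536)
        if not raw:
            return
        try:
            method, _target, _version, host = parse_request(raw)
        except ValueError:
            conn.sendall(b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n")
            return
        if method == "CONNECT" or decide(addr[0], host) != "allow":
            conn.sendall(b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n")
            return
        # A new TCP session to the origin, opened by the proxy, not by the client.
        # Connection: close makes the origin end the response by closing, so the
        # relay loop below terminates.
        head, sep, body = raw.partition(b"\r\n\r\n")
        outbound = head + b"\r\nConnection: close" + sep + body
        try:
            with socket.create_connection((host, 80), timeout=10) as upstream:
                upstream.sendall(outbound)
                while True:
                    chunk = upstream.recv(65536)
                    if not chunk:
                        break
                    conn.sendall(chunk)
        except OSError:
            conn.sendall(b"HTTP/1.1 502 Bad Gateway\r\nContent-Length: 0\r\n\r\n")


def serve(bind="192.168.4.1", port=3128):
    """Listen on the LAN side (assumed address); browsers use it as their proxy."""
    with socket.socket() as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind, port))
        srv.listen()
        while True:
            conn, addr = srv.accept()
            threading.Thread(target=handle, args=(conn, addr), daemon=True).start()


if __name__ == "__main__":
    serve()
```

The point to take from it is in `decide()`: the policy sees the client address and the requested host together, which a header-only packet filter on the router never does; that is what lets one PC reach the shortener while the rest of the LAN stays behind the blacklist.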