Reset button

Opayq · May 24, 2024, 1:00pm

Is there any way to disable reset button without login? I afraid parental control can be easily erased using this feature…

admon · May 24, 2024, 1:36pm

Parental control is not worth the paper it is written on anyway, based on its implementation. There are almost unlimited ways to get around it.

Any child (and teenager even more so!) with access to a search engine will have cracked the thing in a matter of minutes.

In the end, it's just a router, not a full firewall with dedicated features.

hecatae · May 24, 2024, 1:41pm

@admon
does that include the new Bark parental controls included in the B3000?

admon · May 24, 2024, 1:55pm

I would spontaneously say: Yes.

My test device is still on its way, then I'll take a closer look. Although Bark claims on their website that they also read and analyze traffic, among other things, I can't really imagine that the OpenWrt version of Bark does the same.

I would have to take a closer look.

But let's be honest: parental control is only a poor substitute for education and trust. I'd be afraid that as a parent, I'd be fooled into thinking it was a safe online experience for my child while they found a way around it.

Good parental control should be on the same level as enterprise corporate IT:

Say ...

monitoring of internet traffic
revocation of admin privileges
complete control over the end device

Most solutions are already overwhelmed with 1.

Opayq · May 24, 2024, 1:57pm

I set up separate router with whitelist only. So there will be hard to bypass, probably…

admon · May 24, 2024, 1:59pm

Whitelist for what? DNS?
So they can just use another DNS server. Or they use an Apple device with Cloud+ - which will route all DNS traffic to Apple servers instead of your DNS server; so it won't work by design.

The only true way would be using whitelisting based on IP; and that is something nobody can handle.

Opayq · May 24, 2024, 2:01pm

Banned too

That what I did. I allowed only Telegram, Signal and Wikipedia

admon · May 24, 2024, 2:04pm

I don't want to offend you, but I can't really imagine that you have only unblocked the IPs of these services.

Telegram in particular is a very good example: this service even works in countries like Iran, where it has actually been blocked.

You would also block all updates and other services that are required for some devices. Without knowing the exact configuration, I can't say much - but I would doubt that you have really set up IP-based blocks.

hecatae · May 24, 2024, 2:08pm

you could physically remove the button?

Opayq · May 24, 2024, 2:14pm

This is only example. For others same config (this unblock telegram):

iptables -P INPUT DROP
iptables -A OUTPUT -d 149.154.160.0/22 -j ACCEPT
iptables -A OUTPUT -d 149.154.164.0/22 -j ACCEPT
iptables -A OUTPUT -d 91.108.4.0/22 -j ACCEPT
iptables -A OUTPUT -d 91.108.56.0/22 -j ACCEPT
iptables -A OUTPUT -d 91.108.8.0/22 -j ACCEPT
iptables -A OUTPUT -d 95.161.64.0/20 -j ACCEPT
iptables -P OUTPUT DROP

admon · May 24, 2024, 2:18pm

Ok, wow, that's a pretty harsh way of blocking
Did not think that you do it like this - because in my opinion, this is the most secure one, but the one with most troubleshooting issues as well. Wouldn't be my choice of parental control, tbh.

Opayq · May 24, 2024, 2:21pm

Otherwise it can be bypassed by Tor, VPN, DOH…

So how to prevent resetting this?

admon · May 24, 2024, 2:24pm

Not sure if it's a good idea, but doing this should disable the button:
rm /etc/rc.button/reset

Opayq · May 24, 2024, 2:26pm

Why?

Maybe copy it with cp for case if will be needed? Or no?

admon · May 24, 2024, 2:26pm

Because I don't know what, it might break or not. It's the sledgehammer method.

Not needed, all original files are located in /rom

Please be aware that there is a method of resetting the device you can't disable: