54. About Content Filtering and Opening Ports
Because the WiFi router sits between the home network or workgroup and the high-speed Internet connection, the router can be configured to control access to web content. This means that certain content can be blocked at the router, denying access to a particular computer in the workgroup or denying that access to all the computers in the workgroup. Most WiFi routers can also be configured to deny access to Internet services such as file transfer, gaming, and instant messaging.
The ability to block web content and Internet services such as email or instant messaging provides you with two ways to control the access that your users have to the different Internet communication venues (such as the Web). When you block web content, the content is blocked for all computers on your WiFi network. However, you can enter the IP address of one computer (known as the "trusted" computer) in the router's web content blocking configuration, which will allow that computer to still access the content. When you deny or block services on the network, you can specify that one or several computers are exempt from the blocking of a service or services. So, in terms of allowing exceptions, you are provided more flexibility when you block services rather than web content.
Not only can you block access to web content and Internet services, you can also design a schedule that dictates when the content or services are actually blocked. In a nutshell, these web-filtering and service-blocking features on the WiFi router allow you to choose what you want to block in terms of Internet content and services and when you want to block it.
It's important to understand the difference between the Internet and the various communication venues such as the World Wide Web and instant messaging services that operate on the Internet. The Internet is the actual infrastructure or highway that allows us to take advantage of different Internet protocols or strategies for communication on the Internet infrastructure. A service such as the Web or instant messaging is a communication strategy that runs on the Internet infrastructure. The Web is just one of the several communication strategies that can access data provided by web servers also connected to the Internet. Another example of a communication service that uses the Internet infrastructure is instant messaging, which is available from a number of different "service" providers such as Microsoft (MSN Messenger), Yahoo! (Yahoo Instant Messaging), and AOL (AIM or AOL Instant Messenger).
So, how is it that the router can actually block a user from accessing certain websites? It's because of how the Web and the Internet work. For example, the World Wide Web or "Web" is a client/server environment. Content is requested by users connected to the Internet using their web browsers (the client) and then "served up" by web servers (the server). Remember that the World Wide Web is just one service that uses the Internet infrastructure for communication.
It is the communication between the web client and the web server software that allows you to surf the Web and view the content. Because the requests from the client software (a user's web browser such as Internet Explorer) must go through the router to get to the Internet and the web servers waiting out on the Internet for content requests, the router can examine the request made by the client. If the client request asks for content that the router has been configured to block, the router does not forward the request to the Web. This means that the request for the content is blocked. Let's take a look at the specifics of how web content is blocked by the WiFi router, and then we can take a look at how you block Internet services such as gaming or instant messaging.
When you configure the router to block web content, you are actually blocking websites based on keywords or specific website names (meaning the domain name or URL, uniform resource locator, for the site). In other words, to actually block the content from websites, you have to create a list of keywords and actual domain names.
The keyword list is used by the router as a reference; when a user on the network requests a website using a web browser, the router looks at the keyword list and compares it to the website name that is requested. If a keyword or domain name in the list matches the website name (domain name) being requested, the website is blocked.
Obviously, blocking websites by website name is fairly straightforward. For example, adding the URL www.pornographic.com to the keyword and site list on the router will block this specific site. Putting together a keyword list that will block sites is another matter and requires some thought.
For example, let's say you enter the word violence in the keyword list. Now all websites with the word violence in the website name will be blocked. However, this arrangement would also block a website named www.stop-violence.org. So, you can see that devising a keyword list that blocks the bad sites but lets the good sites in is somewhat problematic.
In terms of thinking through a keyword list for blocking certain types of websites, such as pornographic websites, your keyword list must reflect the type of language used in the website names. This means that your keyword list is going to include a lot of words that you certainly wouldn't use in public (and in most cases, even in private).
Whether you use your router to filter and block web content is really up to you. As the author of this book, I am certainly not advocating that you should block content; you have to decide this for yourself and the users of your network. In terms of web and Internet content, there is the issue of "free speech"; censoring content can be a slippery slope once we start down that path. Although there is a great deal of questionable and absolutely tasteless content on the World Wide Web, I believe the Internet is ultimately a good thing and probably should not be regulated by anyone, including governments. You have to decide for yourself how you are going to run your own home network, and this decision includes the concepts of filtering and blocking content (which some people would call censorship) as you see fit.
Obviously, any keyword list you devise will have to be edited over time because you don't want a keyword in the list that blocks "good" sites. Most WiFi routers provide a log feature that allows you to view the websites that have been "allowed" and "denied" by your keyword and URL list for blocking content. Viewing the log over time to see what is being blocked and what is being allowed gives you the opportunity to edit the keyword list so that the content-blocking filter does a better job at blocking only the content you don't want users on your network to view.
One more thing related to blocking content: When you block content, you are blocking the content for all the computers on the network. You cannot block content on a computer-by-computer basis. However, the WiFi router can be configured so that a single computer on the network can be exempt from the content blocking and filtering. This computer is referred to as the trusted computer in the block web content configuration settings for a Netgear router (your router's configuration might refer to the computer as exempt or use some other term). Trusted computer simply means that it can access the content that is blocked on other computers on the network by the router.
In terms of selecting the computer that will be trusted on the network, it makes sense to configure the router so that it doesn't block content for your computer. Typically, on a home network, you are blocking content on computers being used by your children because you want to exert parental controls over what they can see and do on the Web. This trusted or exempt computer is identified in the router's configuration settings (the block content settings) by entering the computer's IP address.
Trusted computer: A computer that is specified in the router's configuration settings as being exempt from the blocking of web content.
Setting up a trusted computer on the network works well if everyone using the network has their own computer. If you share a computer with someone (such as a child) who should not have access to certain websites, however, you might have to use the router's scheduling feature to block content during certain times of the day.
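To make the keyword-versus-site-name behaviour, the trusted computer and the schedule concrete, here is an added Python model of the "block sites" check described above. It is illustrative code written for this page, not Netgear's or any vendor's firmware, and the list contents, the trusted IP address 192.168.1.10 and the 15:00 to 20:00 window are constructed sample values.

```python
# Added illustrative model of a WiFi router's "block sites" check, written for
# this page; it is not Netgear's or any vendor's firmware. The list contents
# below are constructed sample values, as an administrator might enter them.
from datetime import time
from urllib.parse import urlsplit

KEYWORDS = ["violence", "casino"]           # matched anywhere in the site name
BLOCKED_SITES = ["www.pornographic.com"]    # whole site names from the text
TRUSTED_IP = "192.168.1.10"                 # the single exempt ("trusted") computer
SCHEDULE = (time(15, 0), time(20, 0))       # block only between these times

def in_schedule(now, schedule=SCHEDULE):
    """True if blocking is active at clock time `now`; handles an overnight window."""
    start, end = schedule
    if start <= end:
        return start <= now < end
    return now >= start or now < end        # e.g. 22:00 to 06:00

def keyword_hit(host):
    """Return the first keyword found inside the site name, or None.
    Substring matching over-blocks: 'violence' also hits www.stop-violence.org."""
    host = host.lower()
    return next((w for w in KEYWORDS if w in host), None)

def site_hit(host):
    """Exact site-name match (or a sub-domain of it): no substring surprises."""
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in BLOCKED_SITES)

def check_request(client_ip, url, now):
    """Decide ('allow'|'deny', reason) for one request, as the router log would show."""
    host = urlsplit(url).hostname or ""
    if client_ip == TRUSTED_IP:
        return "allow", "trusted computer"
    if not in_schedule(now):
        return "allow", "outside blocking schedule"
    if site_hit(host):
        return "deny", "site list: " + host
    word = keyword_hit(host)
    if word:
        return "deny", "keyword: " + word
    return "allow", "no match"

if __name__ == "__main__":
    # Constructed requests: the over-blocked good site, the listed site, and
    # the same listed site from the trusted computer.
    for ip, url in [("192.168.1.20", "http://www.stop-violence.org/"),
                    ("192.168.1.20", "http://www.pornographic.com/"),
                    ("192.168.1.10", "http://www.pornographic.com/")]:
        print(ip, url, check_request(ip, url, time(16, 0)))
```

Reviewing the reason strings over time is the same exercise as reading the router's allowed/denied log: a "keyword" denial on a site you consider good is the cue to trim the keyword list.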
Using the WiFi router to block Internet services is a little more complicated than blocking content, but only because you have to understand how different services such as email, instant messaging, and the Web actually communicate and move information on the Internet.
We have already discussed the TCP/IP protocol and IP addressing in About Configuring PCs for Networking. The TCP/IP protocol is actually a group or "stack" of smaller protocols used to manage the different aspects of the communication between computers on a network. The IP or Internet Protocol takes care of the IP addressing scheme that we use on the network. Each computer is assigned a unique IP address, by which each computer is identified on the network when sending or receiving data.
The TCP/IP protocol stack provides two protocols that actually negotiate and manage the movement of data between computers; these protocols are the Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP). Internet services or applications use either TCP or UDP or both to control the movement of data between a client such as your instant messenger or web client (your web browser) and the Internet server that supplies the type of service you are trying to take advantage of.
For example, when two computer users are "chatting" with each other using instant messaging (using a client such as AOL Instant Messenger, or AIM), the data (the chat) goes from the instant messaging client to a messaging server. The data is then forwarded from the messaging server to the intended recipient (by way of their instant messaging client). The data being sent and received by the instant messaging client (using the messaging server) is actually moved on the Internet by the TCP protocol. TCP/IP not only supplies the transport protocol, in this case TCP (some other software uses UDP instead of TCP); it is that transport protocol that moves the data. To move the data, each application (such as the instant messaging software, your web browser, or your email client) negotiates the transfer of data from computer to computer using a discrete channel, which is called a port. For example, the port all computers use for the Web (really for the HTTP protocol that makes the Web work) is port 80. The port number used for AOL instant messaging is 5190. The port number for Real Audio (the Real player) is actually a range of ports from 6970 to 7170.
Ports used by devices to communicate on an IP network don't physically exist. They are designations in software code that direct applications to communicate on a particular port when data is being sent or received.
Port: A numbered communication channel or end point used by an Internet application as the avenue or doorway for negotiating data transfers between two computers.
To review, each Internet application uses a transport protocol (TCP, UDP, or in some cases, both), and the data transfer negotiation takes place over a port. The actual list of ports available is maintained by the Internet Engineering Task Force. Port numbers can range from 0 to 65536. The ports from 1 to 1024 are reserved for certain Internet services such as the Web (HTTP) and email (POP3 and SMTP protocols) and are referred to as the well-known ports. Software developers creating a new program for the Internet select a port from the list (a port that is not being used by any other Internet program) so that the software can communicate on the Internet.
The Internet Engineering Task Force defined the use of port numbers for Internet data traffic. The Internet Assigned Numbers Authority (IANA), another Internet oversight agency, maintains a list of the well-known port numbers (1 to 1024) and the application/service that uses each of the well-known ports. Port numbers 1024 to 65536 are in the range of port numbers made available to software developers when they create a new Internet service or program. Many port numbers in the 1024 to 65536 range have been leased by various software developers and companies. To view a list of the well-known ports and the port numbers from 1024 to 65536 that are assigned (leased) to a particular application/service, see http://www.iana.org/assignments/port.
To block an Internet service using your WiFi router, you select a particular service such as instant messaging or the Web (HTTP) from a list of services provided in your router's configuration. The number of services listed depends on the router (and the router's manufacturer). When you select a service from the list, the transport protocol and the port for the application are configured automatically (because the router software has been programmed to know this information for the services included in the router's service list).
If you want to block a service that isn't listed in the router's service list, most WiFi routers allow you to configure a "user defined" service. To configure a service from scratch (meaning user defined), you need to know the transport protocol for the application (TCP, UDP, or both) and the port number or the range of port numbers the service uses.
You can look up the transport protocol (TCP or UDP) and the port number for many Internet services using the list provided at http://www.iana.org/assignments/port-numbers. You can scroll through the list or use the Find feature of your web browser to do a search for a particular company or application name. In cases where the IANA list does not provide you with the information you need, you might be able to get the information from the software developer's website or the website of the company that sells the product.
For example, there is a three-dimensional, collaborative software platform for the Internet (and the Web) called Muse. Muse is still being developed, so it is hard to tell what Muse will have to offer, but let's pretend that for some reason we want to block the Muse application/service for all the computers on our network using our WiFi router. To block a service, you need to know the transport protocol and the port number. If you look at the IANA list at http://www.iana.org/assignments/port-numbers, you will find that Muse uses both TCP and UDP protocols on port 6888. So you can configure your router to block Muse by configuring the block service feature to block service traffic using TCP and UDP on port 6888.
I picked Muse as an example of an application/service that was listed on the IANA list. I am not saying that Muse should be blocked. In fact, Muse looks quite interesting; read more about it at http://www.musecorp.com/.
Just as when blocking content, you can block services at a particular time of day using the scheduling feature provided by your WiFi router. You can block a service for all the computers on the network, or you can specify the IP addresses of those computers for which you want the service blocked.
Go to the IANA website if you need to know the transport protocol and port number used by a service you want to block using the WiFi router.
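The lookup-then-block procedure above (find the transport protocol and port in the IANA listing, then enter them as a user-defined service and pick which computers it applies to) is shown here as an added Python example written for this page; it is not router firmware and not IANA's data. The listing lines are constructed in the layout of the legacy IANA port-numbers text file, and the range entry for RealAudio, its UDP protocol, and the IP addresses are assumptions.

```python
# Added illustrative model: build router "block service" entries from an
# IANA-style listing and apply them to outbound flows. Not router firmware.
import re
from collections import defaultdict

# Constructed sample in the layout of the legacy IANA port-numbers file:
#   <name>  <port or low-high>/<tcp|udp>  <description>
IANA_SAMPLE = """\
http            80/tcp     World Wide Web HTTP
aol             5190/tcp   America-Online
aol             5190/udp   America-Online
muse            6888/tcp   MUSE
muse            6888/udp   MUSE
realaudio       6970-7170/udp  RealAudio (constructed range entry; UDP assumed)
"""

LINE_RE = re.compile(r"^(\S+)\s+(\d+)(?:-(\d+))?/(tcp|udp)\b")

def parse_services(text):
    """Merge each name's tcp/udp lines into {name: (protocols, ports)}: exactly
    the two things the router's user-defined service form asks for."""
    services = defaultdict(lambda: (set(), set()))
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                       # blank, comment or unassigned lines
        name, low, high, proto = m.groups()
        protos, ports = services[name]
        protos.add(proto)
        ports.update(range(int(low), int(high or low) + 1))
    return dict(services)

def add_user_defined(services, name, protocols, low, high=None):
    """For a service the list lacks: the administrator supplies protocol(s) and port(s)."""
    services[name] = (set(protocols), set(range(low, (high or low) + 1)))

def is_blocked(services, blocks, src_ip, proto, dst_port):
    """blocks maps a service name to the internal IPs it applies to; an empty
    set means every computer on the network (the router's "all" choice)."""
    for name, targets in blocks.items():
        if name not in services:
            raise ValueError(f"{name}: not listed, add it as a user-defined service")
        protos, ports = services[name]
        if targets and src_ip not in targets:
            continue
        if proto in protos and dst_port in ports:
            return True
    return False
```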
Gaming Issues and Workgroup Access
The WiFi router is designed to keep the internal network (your workgroup) secure from outside intrusion. We discuss the security features the router offers in About Basic Network Security and About Firewalls. But on some occasions, you want to allow users outside your private network to access services provided by your private network. For example, let's say you have web server software running on a computer and want users on the Internet to be able to view your web page. Allowing access to internal network services can also be particularly useful (and necessary) in multiplayer gaming situations where you want other gamers to be able to access your computer in a peer-to-peer gaming situation.
So, you want to allow outside access to your network, but you certainly don't want to open up your private internal network to outside threats. Your WiFi router can allow and control access to a resource on your network (such as a web server) using port forwarding. Port forwarding opens a port on the router, and the router forwards outside requests for a particular "inside" service such as a web server or file server (an FTP server) using that port. Port forwarding makes the computer on your network that is offering the service (the computer with the web server software on it) visible to computers outside the network (meaning computers on the Internet) so that those users can access your internal service and content.
Port forwarding: A method of opening ports on the WiFi router that allows outside requests for services to reach computers on the internal network supplying those services such as a web server. When you use port forwarding, your internal IP address (related to the server providing the service) can be tracked by servers on the Internet, which can be a security concern.
If you are into multiplayer gaming and want to play games such as Quake or Starcraft over your network, you must configure port triggering. Port triggering opens a port temporarily and also doesn't require that your internal IP address be tracked by servers on the Internet. Port triggering doesn't create a wide-open port like port forwarding does (port triggering opens and closes the port as needed) and also keeps your internal IP address private. But port triggering does allow other computers to access the service and connect to your computer, which is necessary for multiplayer gaming.
Port triggering: A way to temporarily open a port on the WiFi router when an external request for that port is received by the router. Port triggering does not leave ports open (as port forwarding does) and does not allow the IP address of the internal computer supplying the service to be known. Port triggering is used to configure computers for services such as online gaming.
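The difference between the two mechanisms is easiest to see in a small state model of the router's inbound decision, added here as an example written for this page (not router firmware). It assumes, as most routers implement it, that the trigger event is the internal computer's own outbound connection on the trigger port; the host addresses, the 6000/6001 trigger pair and the 300-second timeout are constructed values.

```python
# Added illustrative model of inbound handling under port forwarding versus
# port triggering; not router firmware. Trigger = internal host's outbound
# connection on the trigger port (assumption, the common router behaviour).
from dataclasses import dataclass, field

@dataclass
class Router:
    # Port forwarding: permanent mapping, external port -> internal host.
    forwards: dict = field(default_factory=dict)
    # Port triggering: trigger port -> inbound port the router should open.
    triggers: dict = field(default_factory=dict)
    # Currently opened triggered ports: inbound port -> (host, expiry time).
    opened: dict = field(default_factory=dict)
    trigger_timeout: int = 300            # seconds a triggered port stays open

    def outbound(self, src_host, dst_port, now):
        """An internal host connects out; if dst_port is a trigger, open its
        inbound port for that host only, with an expiry."""
        if dst_port in self.triggers:
            inbound_port = self.triggers[dst_port]
            self.opened[inbound_port] = (src_host, now + self.trigger_timeout)

    def inbound(self, dst_port, now):
        """Return the internal host an outside request on dst_port reaches,
        or None if the router drops it."""
        if dst_port in self.forwards:
            # Forwarded port: always reachable, so the host is always exposed.
            return self.forwards[dst_port]
        entry = self.opened.get(dst_port)
        if entry is None:
            return None
        host, expires = entry
        if now >= expires:
            del self.opened[dst_port]     # closed again; nothing stays wide open
            return None
        return host

if __name__ == "__main__":
    # Constructed setup: a web server forwarded on 80, a game (hypothetical
    # ports) that triggers inbound 6001 when the player connects out on 6000.
    r = Router(forwards={80: "192.168.1.30"}, triggers={6000: 6001})
    print(r.inbound(80, now=0))            # web server, reachable any time
    print(r.inbound(6001, now=0))          # None: nobody triggered it yet
    r.outbound("192.168.1.40", 6000, now=10)
    print(r.inbound(6001, now=20))         # the gaming PC, while the port is open
    print(r.inbound(6001, now=400))        # None: timed out and closed
```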