Gonzalo Servat
2003-Jun-03 05:00 UTC
[Shorewall-users] Slightly OT: Restricting internet access based on date/time
Hi All.

Excessive internet use by a member of the family who fails to moderate their recreational use of the Internet has caused me to investigate my options as to how to limit access from a certain PC outside permitted hours.

I'd like to deny this one PC (with a particular MAC address, to avoid static IP address assignment) access to the internet outside the hours of, say, 6-8PM every day and maybe different on the weekends.

Reason I say "access to the Internet" and not "access to web sites" is because I'd like to block ALL access. AIM is a great time waster for kids.

Does anyone know how I could achieve this? I'm using Shorewall. One thought I had in mind was a cron script. I thought I could just have individual rules for each PC in the LAN (rather than an allow ALL from local to net policy) for full outbound access and put a "#" in front of the PC in question outside permitted hours (using perlre), then restart Shorewall.

Thanks in advance.

Regards,
Gonzalo.
Tom Eastep
2003-Jun-03 06:15 UTC
[Shorewall-users] Slightly OT: Restricting internet access based on date/time
On Tue, 03 Jun 2003 21:57:51 +1000, Gonzalo Servat <gs@webtastic.com.au> wrote:

> Due to excessive internet use by a member of the family who fails to
> moderate their recreational use of the Internet has caused me to
> investigate my options as to how to limit access from a certain PC
> outside permitted hours.

Gonzalo -- You might check the list archives. I recall someone describing what they were doing to solve this problem.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://www.shorewall.net
Washington USA \ teastep@shorewall.net
Jon Biddell
2003-Jun-03 06:36 UTC
[Shorewall-users] Slightly OT: Restricting internet access based on date/time
Easiest way would just be to block port 80 for that IP address, or if you are running Squid you could block it at the proxy. Also block the port AIM uses...

-=> -----Original Message-----
-=> From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Gonzalo Servat
-=> Sent: Tuesday, 3 June 2003 21:58
-=> To: shorewall-users@lists.shorewall.net
-=> Subject: [Shorewall-users] Slightly OT: Restricting internet access based on date/time
-=>
-=> Hi All.
-=>
-=> Due to excessive internet use by a member of the family who fails to
-=> moderate their recreational use of the Internet has caused me to
-=> investigate my options as to how to limit access from a certain PC
-=> outside permitted hours.
-=>
-=> I'd like to deny this one PC (with a particular MAC address, to avoid
-=> static IP address assignment) access to the internet outside the
-=> hours of, say, 6-8PM every day and maybe different on the weekends.
-=>
-=> Reason I say "access to the Internet" and not "access to web sites"
-=> is because I'd like to block ALL access. AIM is a great time waster
-=> for kids.
-=>
-=> Does anyone know how I could achieve this? I'm using Shorewall. One
-=> thought I had in mind was a cron script. I thought I could just have
-=> individual rules for each PC in the LAN (rather than an allow ALL
-=> from local to net policy) for full outbound access and put a "#" in
-=> front of the PC in question outside permitted hours (using perlre),
-=> then restart Shorewall.
-=>
-=> Thanks in advance.
-=>
-=> Regards,
-=> Gonzalo.
-=> _______________________________________________
-=> Shorewall-users mailing list
-=> Post: Shorewall-users@lists.shorewall.net
-=> Subscribe/Unsubscribe: http://lists.shorewall.net/mailman/listinfo/shorewall-users
-=> Support: http://www.shorewall.net/support.htm
-=> FAQ: http://www.shorewall.net/FAQ.htm
Paul Chambers
2003-Jun-03 08:15 UTC
[Shorewall-users] Slightly OT: Restricting internet access based on date/time
A couple of suggestions:

a) it may be simpler/less disruptive to manipulate the rule using iptables directly, rather than restarting shorewall. I just did a quick experiment with /etc/shorewall/maclist to block 12:34:56:78:9a:bc on eth2, and Shorewall generated an iptables chain called 'eth2_mac' which contains a rule to block that mac address. So in your cron scripts you could just use '--insert' and '--delete' options with iptables to insert/remove a single rule for a particular mac address on that chain. One command, minimal system disturbance.

b) it would be worth installing arpwatch, so you will be emailed if new mac addresses appear on your network ;-)

Other thoughts might be to rate-limit traffic down to a crawl, rather than block it completely (or perhaps during a transition period between 'on' and 'off'). Another thought is to use samba's 'winpopup' support to warn that access is about to be removed (see smbclient -M). Or that he/she has been caught trying to use the internet during the blackout period :-)

As far as static IP assignments go, it's pretty easy to tell dhcp to always serve the same IP address to a dhcp client with a given mac address. Add something like:

    host errant-child {
        fixed-address 192.168.1.99;
        hardware ethernet 12:34:56:78:9a:bc;
    }

to your dhcpd.conf file. I do this for a handful of devices on my network like printers, etc. so I can leave them set up for dhcp, but they effectively have a static IP address (so I can give them names in DNS). This might not be such a great idea in your case, since he/she could just change IP configurations and statically assign themselves a different IP address (though arpwatch would tell you about that too...)

Paul

> -----Original Message-----
> From: Gonzalo Servat
> Sent: Tuesday, June 03, 2003 4:58 AM
>
--<snip>--
> I'd like to deny this one PC (with a particular MAC address, to avoid
> static IP address assignment) access to the internet outside the
> hours of, say, 6-8PM every day and maybe different on the weekends.
--<snip>--
> Does anyone know how I could achieve this? I'm using Shorewall. One
> thought I had in mind was a cron script. I thought I could just have
> individual rules for each PC in the LAN (rather than an allow ALL
> from local to net policy) for full outbound access and put a "#" in
> front of the PC in question outside permitted hours (using perlre),
> then restart Shorewall.
>
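Paul's suggestion a), written out as a cron-driven switch script. This is an added example, not code from the thread or from Shorewall; it assumes the chain Shorewall generated is named eth2_mac as in Paul's experiment, that iptables has the "mac" match (-m mac --mac-source), and it uses a constructed schedule (6-8PM on weekdays, 10AM-8PM on weekends) in place of the one Gonzalo has not yet settled on.

```shell
#!/bin/sh
# Constructed example: time-based on/off switch for one MAC address,
# run from cron. Assumes the Shorewall-generated chain is eth2_mac
# (Paul's experiment) and that the MAC below is the PC to restrict.
CHILD_MAC="12:34:56:78:9a:bc"   # placeholder MAC taken from the thread
MAC_CHAIN="eth2_mac"            # chain Shorewall created for the maclist

# allowed_now HOUR DOW: exit 0 when internet is permitted, 1 otherwise.
# HOUR is 0-23, DOW is 0-6 with 0 = Sunday (what `date +%w` prints).
# Constructed schedule: 18:00-19:59 on weekdays, 10:00-19:59 at weekends.
allowed_now() {
  hour=$1; dow=$2
  case "$dow" in
    0|6) start=10 ;;
    *)   start=18 ;;
  esac
  [ "$hour" -ge "$start" ] && [ "$hour" -lt 20 ]
}

# mac_rule_cmd insert|delete: print the iptables command that adds a DROP
# rule for CHILD_MAC at the top of MAC_CHAIN, or removes it again.
mac_rule_cmd() {
  case "$1" in
    insert) op="--insert $MAC_CHAIN 1" ;;
    delete) op="--delete $MAC_CHAIN" ;;
    *) return 1 ;;
  esac
  echo "iptables $op -m mac --mac-source $CHILD_MAC -j DROP"
}

# apply_schedule HOUR DOW: bring the chain in line with the schedule.
# The delete runs first so repeated cron runs never stack duplicate
# rules; its failure when no rule is present is ignored on purpose.
apply_schedule() {
  $(mac_rule_cmd delete) 2>/dev/null || true
  if allowed_now "$1" "$2"; then
    echo "$CHILD_MAC: allowed"
  else
    $(mac_rule_cmd insert)
    echo "$CHILD_MAC: blocked"
  fi
}

# Only touch the firewall when explicitly asked, e.g. from a crontab line
# such as:  */5 * * * * /usr/local/sbin/netcurfew.sh apply
if [ "${1:-}" = "apply" ]; then
  apply_schedule "$(date +%k | tr -d ' ')" "$(date +%w)"
fi
```

Running it every few minutes rather than only at the boundaries also re-applies the rule after a Shorewall restart rebuilds the chain, which would otherwise silently drop the inserted rule. A MAC-based block is only as good as the MAC staying put, which is why Paul's arpwatch suggestion belongs alongside it.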
Gonzalo Servat
2003-Jun-04 03:40 UTC
[Shorewall-users] Slightly OT: Restricting internet access based on date/time
On 3/06/2003 8:15 AM -0700 Paul Chambers wrote:

> A couple of suggestions:
>
> a) it may be simpler/less disruptive to manipulate the rule using
> iptables directly, rather than restarting shorewall. I just did a
> quick experiment with /etc/shorewall/maclist to block
> 12:34:56:78:9a:bc on eth2, and Shorewall generated an iptables chain
> called 'eth2_mac' which contains a rule to block that mac
> address. So in your cron scripts you could just use '--insert' and
> '--delete' options with iptables to insert/remove a single rule for
> a particular mac address on that chain. One command, minimal system
> disturbance.
[..snip..]

Thanks Paul for your advice. I decided to go with option a). As I add "maclist" to my eth0 zone in /etc/shorewall/interfaces, I restarted shorewall and it said interface eth0 must be up before starting shorewall. You can clearly see the interface IS up. Any ideas? Running Shorewall version 1.3.12

Regards,
Gonzalo.
Tom Eastep
2003-Jun-04 07:00 UTC
[Shorewall-users] Slightly OT: Restricting internet access based on date/time
On Wed, 04 Jun 2003 20:36:14 +1000, Gonzalo Servat <gs@webtastic.com.au> wrote:

> I decided to go with option a). As I add "maclist" to my eth0 zone in
> /etc/shorewall/interfaces, I restarted shorewall and it said interface
> eth0 must be up before starting shorewall. You can clearly see the
> interface IS up. Any ideas? Running Shorewall version 1.3.12

See http://www.shorewall.net/troubleshoot.htm under the heading "If the firewall fails to start".

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://www.shorewall.net
Washington USA \ teastep@shorewall.net
Tom Eastep
2003-Jun-04 07:05 UTC
[Shorewall-users] Slightly OT: Restricting internet access based on date/time
On Wed, 04 Jun 2003 07:00:13 -0700, Tom Eastep <teastep@shorewall.net> wrote:

> See http://www.shorewall.net/troubleshoot.htm under the heading "If the
> firewall fails to start".

Make that http://www.shorewall.net/1.3/troubleshoot.htm

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://www.shorewall.net
Washington USA \ teastep@shorewall.net