Hello all:

I've been using Shorewall for quite a while at my office and it's been great! Thanks for the work!

I've just set up a firewall at home to keep my teenagers under control (shorewall, squid and dansguardian). I've also set up a cron job that switches my shorewall rules between a day and a night configuration. The night configuration blocks all traffic from my children's systems - or so I thought.

The problem I have is they keep AOL, Limewire, etc. running all of the time. When I switch to my night rules, they can't browse anymore, but their AOL and other software stays up.

I'd like to find a way to completely block AOL under those rules. Is there any way to tell shorewall to block a connection that's already active?

TIA

Eric Raskin

----------------------------------------------------------------------------
Eric H. Raskin                          Voice: 914-765-0500
Professional Advertising Systems Inc.   Fax: 914-765-0503
200 Business Park Dr Suite 107          eraskin@paslists.com
Armonk, NY 10504
Eric Raskin wrote:
> I'd like to find a way to completely block AOL under those rules. Is there
> any way to tell shorewall to block a connection that's already active?

No.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Eric Raskin
2005-Mar-07 15:09 UTC
RE: Help with blocking internet traffic at certain times
Thanks. Does anyone have any suggestions on other software I might try to help with this?
richard.bown@blueyonder.co.uk
2005-Mar-07 15:14 UTC
Re: Help with blocking internet traffic at certain times
> Eric Raskin wrote:
>
>> I'd like to find a way to completely block AOL under those rules. Is there
>> any way to tell shorewall to block a connection that's already active?
>
> No.
>
> -Tom

You may be able to do it by resetting the ethernet port the kids' machines are on at the same time you change rule sets, sorta

    shorewall stop
    ifconfig eth0 down
    load new rule set
    ifconfig up
    shorewall start

or if you have really clever kids

change the gateway address their machines use

just a thought

Richard
Eric Raskin
2005-Mar-07 15:18 UTC
RE: Help with blocking internet traffic at certain times
Interesting... They are running XP machines. I guess I could create CMD files that change their interfaces and run them as "AT" jobs. I haven't done that kind of stuff in a long time...

To use your suggestion for the stop/start on the firewall, I would need a separate ethernet card configured for the "kid's subnet". As I'm set up now, your solution would shut down my wife's connections too (as well as my own)! This is not a recommended solution if you want to stay married! :-)

However, it is a start. Thanks for the suggestion.
Eric Raskin wrote:
> Thanks. Does anyone have any suggestions on other software I might try to
> help with this?

    stop shorewall
    rmmod ip_conntrack [1]
    start shorewall

[1] -- because you must first unload modules that are dependent on ip_conntrack, you will have to create a script that unloads them all in the correct order.

Alternatively

    restart shorewall
    use the 'cutter' utility to kill all connections from your kids' computers.

-Tom
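A sketch of the second option above wired into the nightly cron job, added here as an example and not part of any poster's message. The host addresses, the `/proc/net/ip_conntrack` table format and the `cutter <ip-address>` invocation are assumptions; the conntrack lines are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: the host addresses, the
# /proc/net/ip_conntrack table format, and "cutter <ip-address>" usage.
KID_HOSTS="${KID_HOSTS:-192.168.1.20 192.168.1.21}"    # hypothetical addresses
CONNTRACK_TABLE="${CONNTRACK_TABLE:-/proc/net/ip_conntrack}"
DRY_RUN="${DRY_RUN:-1}"                                # 1 = print commands only

# Constructed sample of the conntrack table (documentation address ranges).
sample_table() {
cat <<'EOF'
tcp      6 431990 ESTABLISHED src=192.168.1.20 dst=198.51.100.50 sport=1045 dport=5190 src=198.51.100.50 dst=203.0.113.7 sport=5190 dport=1045 [ASSURED] use=1
tcp      6 431200 ESTABLISHED src=192.168.1.200 dst=198.51.100.9 sport=3301 dport=443 src=198.51.100.9 dst=203.0.113.7 sport=443 dport=3301 [ASSURED] use=1
udp      17 25 src=192.168.1.21 dst=198.51.100.53 sport=1030 dport=53 src=198.51.100.53 dst=203.0.113.7 sport=53 dport=1030 use=1
tcp      6 8 CLOSE src=192.168.1.21 dst=198.51.100.80 sport=1050 dport=80 src=198.51.100.80 dst=203.0.113.7 sport=80 dport=1050 use=1
EOF
}

# Print tracked flows whose originator (the first src= field) is a kid's host.
# Exact matching keeps 192.168.1.200 from being mistaken for 192.168.1.20.
kid_flows() {
    awk -v hosts="$KID_HOSTS" '
        BEGIN { n = split(hosts, a, " "); for (i = 1; i <= n; i++) kid["src=" a[i]] = 1 }
        { for (i = 1; i <= NF; i++) if ($i ~ /^src=/) { if (($i) in kid) print; break } }
    ' "$1"
}

# Count the kids' flows that conntrack still marks ESTABLISHED; these are the
# connections that keep working after the rules change.
established_count() {
    kid_flows "$1" | awk '/ ESTABLISHED / { n++ } END { print n + 0 }'
}

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

night_switch() {
    run shorewall restart          # cron has already put the night rules in place
    for host in $KID_HOSTS; do
        run cutter "$host"         # reset this host's forwarded TCP connections
    done
    [ "$DRY_RUN" = 1 ] || echo "still established: $(established_count "$CONNTRACK_TABLE")"
}

if [ "${1:-}" = "run" ]; then night_switch; fi
```

With the default `DRY_RUN=1` the script only prints the commands it would run; a non-zero "still established" count after a real run means some of the listed hosts' connections survived the switch.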
Eric Raskin
2005-Mar-07 15:26 UTC
RE: Help with blocking internet traffic at certain times
Cutter seems like exactly what I need. Thanks to everyone for their help.
richard.bown@blueyonder.co.uk
2005-Mar-07 15:29 UTC
RE: Help with blocking internet traffic at certain times
> Interesting... They are running XP machines. I guess I could create CMD
> files that change their interfaces and run them as "AT" jobs. I haven't
> done that kind of stuff in a long time...
>
> To use your suggestion for the stop/start on the firewall, I would need a
> separate ethernet card configured for the "kid's subnet". As I'm set up
> now, your solution would shut down my wife's connections too (as well as
> my own)! This is not a recommended solution if you want to stay married!
> :-)
>
> However, it is a start. Thanks for the suggestion.

No probs

how about altering the subnet mask on the interface, if you set your address and the wife's machine to use an address below say x.x.x.15 and give the kids something above that, you could change your netmask from say 255.255.255.0 to 255.255.255.240. You won't need to stop the firewall while you do that either, you could do it from cron

HTH

Richard