I'm using shorewall 2.0.x at home as an Internet gateway for my family. However, my brother always plays online games overnight, so my parents asked whether I can do something on the gateway to control the times at which he can access the Internet. I planned to put a script in crontab, scheduled to execute at, say, 12:00 at night daily; the script will execute a command that denies my brother's host IP access to the Internet, and at 8:00 the next morning the script will be scheduled and run again to allow my brother's host IP to access the Internet. So, how do I deny or allow a host access to the Internet? For incoming traffic, I know I can put the host IP in /etc/shorewall/blacklist to blacklist it, but how about outgoing traffic?
On Sunday 29 May 2005 03:26 pm, Adrian Mak wrote:
> So, how do I deny or allow a host access to the Internet?
> For incoming traffic, I know I can put the host IP in
> /etc/shorewall/blacklist to blacklist it, but how about outgoing
> traffic?

You want to look at the

shorewall drop [ip]
shorewall allow [ip]

commands rather than putting his host in the blacklist. But existing connections will probably persist. No new connections will be allowed, and chances are his games will need to do that occasionally.

-- John Andersen - NORCOM http://www.norcomsoftware.com/
On Sunday 29 May 2005 03:34 pm, John Andersen wrote:
> But existing connections will probably persist.
> No new connections will be allowed, and chances are his
> games will need to do that occasionally.

Oh, and google the net for "cutter" if you find that connections persist.

-- John Andersen - NORCOM http://www.norcomsoftware.com/
See below.

On 30.05.2005 01:34, John Andersen wrote:
> On Sunday 29 May 2005 03:26 pm, Adrian Mak wrote:
>> So, how do I deny or allow a host access to the Internet?
>> For incoming traffic, I know I can put the host IP in
>> /etc/shorewall/blacklist to blacklist it, but how about outgoing
>> traffic?
>
> You want to look at the
> shorewall drop [ip]
> shorewall allow [ip]
> commands rather than putting his host in the blacklist.

You might also create a new zone, give it a policy which drops traffic from a special port for that zone (before the allowance policies for other zones), and use the shorewall add and remove commands in the cron script to add and remove a host to/from that zone.

> But existing connections will probably persist.
> No new connections will be allowed, and chances are his
> games will need to do that occasionally.

An even easier way is by only using cron and cutter (http://www.lowth.com/cutter/): from 12pm to 8am, run a cron script every 5 minutes which cuts all connections from that host (or from the port). This way you do not need to do anything in shorewall, and your brother will not have much fun with his games ...

/ben
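A cron-driven version of the drop/allow approach John describes, combined with Ben's cutter suggestion for the connections that survive the block, as an added example that is neither from the thread nor from the Shorewall project. The host address, script path, crontab lines and the binary names are assumptions:

```shell
#!/bin/sh
# netcurfew.sh: added example for this thread; not Shorewall's own code and
# not something any poster supplied. It wraps the "shorewall drop"/"shorewall
# allow" commands John suggests in a cron-friendly script and, after a drop,
# runs cutter (Ben's suggestion) to tear down connections that survive.
#
# Assumed root crontab on the gateway (midnight off, 08:00 on):
#   0 0 * * * /usr/local/sbin/netcurfew.sh drop  192.168.1.10
#   0 8 * * * /usr/local/sbin/netcurfew.sh allow 192.168.1.10
# 192.168.1.10 and the script path are assumptions for the example.

# Binary names are assumptions; override them (e.g. SHOREWALL=echo) for a dry run.
SHOREWALL="${SHOREWALL:-shorewall}"
CUTTER="${CUTTER:-cutter}"

# Return 0 if $1 is a dotted-quad IPv4 address with octets 0-255, else 1.
# The address comes from the crontab line, but validating it means a typo or
# an edited crontab can never hand shorewall an arbitrary argument.
valid_ipv4() {
    ip="$1"
    case "$ip" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs="$IFS"; IFS=.
    set -- $ip
    IFS="$oldifs"
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Apply action $1 (drop|allow) to host $2 through Shorewall's dynamic
# blacklist. Returns 2 on bad arguments, 1 if shorewall itself failed.
apply_rule() {
    action="$1"; host="$2"
    case "$action" in
        drop|allow) ;;
        *) echo "usage: netcurfew.sh {drop|allow} <ipv4>" >&2; return 2 ;;
    esac
    valid_ipv4 "$host" || { echo "refusing bad address: $host" >&2; return 2; }
    "$SHOREWALL" "$action" "$host" || return 1
    # With BLACKLISTNEWONLY=Yes in shorewall.conf the blacklist only sees
    # NEW connections, so a running game session survives the drop; cutter
    # (if installed) resets that host's existing connections.
    if [ "$action" = drop ] && command -v "$CUTTER" >/dev/null 2>&1; then
        "$CUTTER" "$host" || echo "cutter failed for $host" >&2
    fi
    logger -t netcurfew "$action $host" 2>/dev/null || true
}

# cron passes the action and address; with no arguments (e.g. when sourced)
# the script only defines the functions.
if [ $# -gt 0 ]; then
    apply_rule "$@"
fi
```

The dynamic blacklist only affects packets Shorewall classifies as new unless BLACKLISTNEWONLY is No (discussed further down the thread), which is why the script calls cutter after a drop. Two checks before relying on it: run the drop by hand at a time you can watch the host, and find out whether your Shorewall version keeps the dynamic blacklist across a `shorewall restart`; if it does not, a restart during the night silently lifts the curfew.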
PS: Just a note: if your brother is clever enough, he might change his IP or the port used by the game.

/ben

On 30.05.2005 02:14, Ben Greiner wrote:
> See below.
>
> On 30.05.2005 01:34, John Andersen wrote:
> [...]
> You might also create a new zone, give it a policy which drops traffic
> from a special port for that zone (before the allowance policies for
> other zones), and use the shorewall add and remove commands in the cron
> script to add and remove a host to/from that zone.
> [...]
> An even easier way is by only using cron and cutter
> (http://www.lowth.com/cutter/): from 12pm to 8am, run a cron script
> every 5 minutes which cuts all connections from that host (or from the
> port). This way you do not need to do anything in shorewall, and your
> brother will not have much fun with his games ...
>
> /ben
>
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
Hi Adrian,

see below and the other posts to your question.

But I would advise a combination of 2 shorewall features:

Combine the shorewall drop (or reject) command with the maclist option in /etc/interfaces.

See: http://shorewall.net/MAC_Validation.html

This will bind the IP address to a MAC address. If you drop/reject it, then your brother can change his host's IP address but he will still be blocked. The only way to bypass this access restriction would be finding an allowed MAC/IP combination and your brother changing both MAC and IP at the same time. This of course depends on how many hosts you have in this subnet connected via the same interface that your brother's computer is using.

Also set the "BLACKLISTNEWONLY" option in shorewall.conf to "NO". So the maclist will be consulted for every packet (and not only new connections).

But IMHO: in this special case "social control (TM)" will work much better than any access restriction.

HTH,
Alex

On Monday 30 May 2005 02:34, Ben Greiner wrote:
> PS: Just a note: if your brother is clever enough, he might change his
> IP or the port used by the game.
>
> /ben
> [...]
2005/5/30, Alexander Wilms <alex.wilms@adminguru.org>:
> Hi Adrian,
> [...]
> Combine the shorewall drop (or reject) command with the maclist option
> in /etc/interfaces.
>
> See: http://shorewall.net/MAC_Validation.html
>
> This will bind the IP address to a MAC address. If you drop/reject it, then
> your brother can change his host's IP address but he will still be blocked.
> The only way to bypass this access restriction would be finding an allowed
> MAC/IP combination and your brother changing both MAC and IP at the same
> time. This of course depends on how many hosts you have in this subnet
> connected via the same interface that your brother's computer is using.
>
> Also set the "BLACKLISTNEWONLY" option in shorewall.conf to "NO". So the
> maclist will be consulted for every packet (and not only new connections).
>
> But IMHO: in this special case "social control (TM)" will work much better
> than any access restriction.

BTW, if your brother is wizard enough, he can fake the MAC address.
... some LART can be effective too :-)
On 5/31/05, Cristian Rodriguez <judas.iscariote@gmail.com> wrote:
> 2005/5/30, Alexander Wilms <alex.wilms@adminguru.org>:
> [...]
> BTW, if your brother is wizard enough, he can fake the MAC address.
> ... some LART can be effective too :-)

Using the method of MAC validation mentioned by Alexander, should I put all hosts of the local net in this maclist file or just put my brother's entry?
Since I have a compile problem with cutter, I cannot use cutter at this moment. Alexander mentioned setting the "BLACKLISTNEWONLY" option in shorewall.conf to "NO"; does it mean that when I do shorewall drop 1.2.3.4, all connections (including existing connections) to/from 1.2.3.4 will be disconnected?
> Since I have a compile problem with cutter, I cannot use cutter at this
> moment. Alexander mentioned setting the "BLACKLISTNEWONLY" option in
> shorewall.conf to "NO"; does it mean that when I do shorewall drop
> 1.2.3.4, all connections (including existing connections) to/from
> 1.2.3.4 will be disconnected?

If you're on RedHat/Fedora, you may try my source RPM of cutter which builds fine on anything >= RedHat 7.x.

http://www.invoca.ch/pub/packages/cutter/

HTH,
Simon
> Using the method of MAC validation mentioned by Alexander, should I
> put all hosts of the local net in this maclist file or just put my
> brother's entry?

Yes, otherwise the other hosts connected via the same interface will be blocked by the firewall.
On Tuesday 31 May 2005 03:15, Adrian Mak wrote:
> Since I have a compile problem with cutter, I cannot use cutter at this
> moment. Alexander mentioned setting the "BLACKLISTNEWONLY" option in
> shorewall.conf to "NO"; does it mean that when I do shorewall drop
> 1.2.3.4, all connections (including existing connections) to/from
> 1.2.3.4 will be disconnected?

Yes, I tested it myself with an ssh connection as an example. Works pretty well. Your blacklist (also the dynamic one) will be consulted for every packet. On high-load systems/huge blacklists you would be punished with a performance issue. Since we are talking about a home network there shouldn't be problems.
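The maclist plus BLACKLISTNEWONLY combination Alexander recommends, together with the two answers just above (list every host on the interface; No makes the blacklist apply to every packet), as an added example that is neither from the thread nor from the Shorewall project. The interface name, the file layout, the maclist column order and the ARP snapshot are assumptions, and the host addresses are constructed for the example:

```shell
#!/bin/sh
# maclist-helper.sh: added example for this thread; not Shorewall's own code
# and not supplied by any poster. It implements the two recommendations
# above: build /etc/shorewall/maclist entries for every host on the LAN
# interface (not only the brother's), and check that shorewall.conf has
# BLACKLISTNEWONLY=No so "shorewall drop" also kills existing connections.
#
# Assumptions: Shorewall 2.0.x layout, the LAN interface is eth1 and carries
# the maclist option in /etc/shorewall/interfaces ("loc eth1 detect maclist"),
# maclist lines are "DISPOSITION INTERFACE MAC IP", and MACLIST_DISPOSITION
# in shorewall.conf decides what an unlisted host gets.

# Constructed "arp -n" snapshot for the example; these are not real hosts.
SAMPLE_ARP='Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.1.10             ether   00:11:22:33:44:55   C                     eth1
192.168.1.11             ether   00:11:22:33:44:66   C                     eth1
203.0.113.1              ether   00:aa:bb:cc:dd:ee   C                     eth0
192.168.1.12                     (incomplete)                              eth1'

# Read "arp -n" output on stdin and print an ACCEPT maclist line for every
# resolved entry on interface $1. Every host on that interface must appear,
# the brother's PC included: an unlisted host gets MACLIST_DISPOSITION for
# all of its traffic, while the listed brother is still curfewed by
# "shorewall drop" and any IP he switches to no longer matches his MAC.
maclist_from_arp() {
    awk -v iface="$1" '
        NR == 1 && $1 == "Address" { next }   # arp -n header line
        $2 != "ether"              { next }   # "(incomplete)" entries have no MAC
        $NF == iface               { printf "ACCEPT %s %s %s\n", iface, $3, $1 }
    '
}

# Read shorewall.conf on stdin; return 0 if the last BLACKLISTNEWONLY setting
# is No (case-insensitive, quotes and trailing comments tolerated), else 1.
# With Yes the blacklist is checked only for NEW connections, so a game
# session already running at midnight keeps going until it reconnects.
blacklistnewonly_is_no() {
    value=$(sed -n 's/^[[:space:]]*BLACKLISTNEWONLY[[:space:]]*=//p' \
            | sed 's/#.*//' | tr -d "\"' \t" | tail -n 1 | tr 'A-Z' 'a-z')
    [ "$value" = "no" ]
}

# On the gateway the real calls would be:
#   arp -n | maclist_from_arp eth1 >> /etc/shorewall/maclist
#   blacklistnewonly_is_no < /etc/shorewall/shorewall.conf
# Here both run on constructed input so the script works offline.
demo() {
    printf '%s\n' "$SAMPLE_ARP" | maclist_from_arp eth1
    printf 'BLACKLISTNEWONLY=Yes\n' | blacklistnewonly_is_no \
        || echo "BLACKLISTNEWONLY is not No: existing connections survive a drop"
}
demo
```

Review the generated lines against hardware you actually know before they go live: an ARP table is only a snapshot of whoever answered at that moment, and, as Cristian notes above, a MAC address can be faked. Once BLACKLISTNEWONLY=No, both the blacklist and the maclist cost a lookup per packet, which Alexander's reply says is acceptable for a home network.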
----- Original Message -----
From: "John Andersen" <jsa@norcomix.dyndns.org>
To: <shorewall-users@lists.shorewall.net>
Sent: Sunday, May 29, 2005 18:40
Subject: Re: [Shorewall-users] access deny host (ip) to access the Internet

On Sunday 29 May 2005 03:34 pm, John Andersen wrote:
> But existing connections will probably persist.
> No new connections will be allowed, and chances are his
> games will need to do that occasionally.

Oh, and google the net for "cutter" if you find that connections persist.

-- John Andersen - NORCOM http://www.norcomsoftware.com/