I'm currently using Shorewall 3.4.1 to manage a firewall for my LAN at
home. It works very well, and I'm definitely pleased, but . . . .

I now have a situation where I need to enforce access restrictions on
a specific computer during specific times of day -- e.g., a particular
computer might have no Internet access at all between 10 PM and 6 AM.

Is there any way to do such a thing using Shorewall? If not, can anyone
suggest another tool I could try using on my firewall to do this?

I know I could use something like SquidGuard to limit web browsing from
specific systems during specific time ranges, but I need to limit other
forms of access too (e.g., IM chatting).

-- 
Rich Wales === Palo Alto, CA, USA === richw@richw.org
http://www.richw.org === http://en.wikipedia.org/wiki/User:Richwales
"The difference between theory and practice is that, in theory, theory
and practice are identical -- whereas in practice, they aren't."

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
Roberto C. Sánchez
2007-Jul-11 18:19 UTC
Re: Restricting access by time of day in Shorewall?
On Wed, Jul 11, 2007 at 11:14:34AM -0700, Rich Wales wrote:
> I'm currently using Shorewall 3.4.1 to manage a firewall for my LAN at
> home. It works very well, and I'm definitely pleased, but . . . .
>
> I now have a situation where I need to enforce access restrictions on
> a specific computer during specific times of day -- e.g., a particular
> computer might have no Internet access at all between 10 PM and 6 AM.
>
> Is there any way to do such a thing using Shorewall? If not, can anyone
> suggest another tool I could try using on my firewall to do this?
>
Use cron to add a rule for the machine(s) you want to block at the start
time and then unblock them at the end time.

Regards,

-Roberto

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Rich Wales wrote:
> I'm currently using Shorewall 3.4.1 to manage a firewall for my LAN at
> home. It works very well, and I'm definitely pleased, but . . . .
>
> I now have a situation where I need to enforce access restrictions on
> a specific computer during specific times of day -- e.g., a particular
> computer might have no Internet access at all between 10 PM and 6 AM.
>
> Is there any way to do such a thing using Shorewall? If not, can anyone
> suggest another tool I could try using on my firewall to do this?
>
> I know I could use something like SquidGuard to limit web browsing from
> specific systems during specific time ranges, but I need to limit other
> forms of access too (e.g., IM chatting).
>

Run cron jobs that do this at 10 PM:

    shorewall reject <ip address>

and do this at 6 AM

    shorewall allow <ip address>

You'll want BLACKLISTNEWONLY=No in shorewall.conf

Other people do this with two shorewall configurations, one for day and one
for night. Then, at 10PM:

    shorewall restart /etc/shorewall.night

And at 6AM

    shorewall restart /etc/shorewall.day

The .day and .night directories only need to contain the config files that
are different between day and night (probably just the rules file).

-Tom

-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Rich Wales wrote:
>> I'm currently using Shorewall 3.4.1 to manage a firewall for my LAN at
>> home. It works very well, and I'm definitely pleased, but . . . .
>>
>> I now have a situation where I need to enforce access restrictions on
>> a specific computer during specific times of day -- e.g., a particular
>> computer might have no Internet access at all between 10 PM and 6 AM.
>>
>> Is there any way to do such a thing using Shorewall? If not, can anyone
>> suggest another tool I could try using on my firewall to do this?
>>
>> I know I could use something like SquidGuard to limit web browsing from
>> specific systems during specific time ranges, but I need to limit other
>> forms of access too (e.g., IM chatting).
>>
>
> Run cron jobs that do this at 10 PM:
>
>     shorewall reject <ip address>
>
> and do this at 6 AM
>
>     shorewall allow <ip address>
>
> You'll want BLACKLISTNEWONLY=No in shorewall.conf
>
> Other people do this with two shorewall configurations, one for day and one
> for night. Then, at 10PM:
>
>     shorewall restart /etc/shorewall.night
>
> And at 6AM
>
>     shorewall restart /etc/shorewall.day
>
> The .day and .night directories only need to contain the config files that
> are different between day and night (probably just the rules file).

And if you are worried about maintaining two copies of common rules, then
put the common rules in /etc/shorewall/rules.common and then have

/etc/shorewall.day/rules:

    INCLUDE rules.common

/etc/shorewall.night/rules:

    REJECT loc:<ip addr>[,...] net
    INCLUDE rules.common

-Tom

-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
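Tom's two-directory approach (day and night rules files that both INCLUDE a shared rules.common, switched by `shorewall restart <dir>` from cron) leaves one gap worth closing: if the firewall host reboots during the night, Shorewall comes up with whichever configuration is the default, not the one the clock says should be active. The script below, an added example rather than code from the thread or from the Shorewall project, works out the correct profile from the current hour and restarts Shorewall with it, so the same script can be run at 10 PM, at 6 AM, and at boot. The script name, the `profile_for_hour`/`night_rules`/`apply_current_profile` helpers, the `SHOREWALL` override variable and the sample address 192.168.1.50 are assumptions for illustration; the directory layout and the `REJECT loc:<ip> net` / `INCLUDE rules.common` lines are the ones Tom gave.

```shell
#!/bin/sh
# time-profile.sh (hypothetical name): select the day or night Shorewall
# configuration directory from the current hour and restart with it.
# Assumed layout, following the thread:
#   /etc/shorewall/rules.common   rules shared by both profiles
#   /etc/shorewall.day/rules      INCLUDE rules.common
#   /etc/shorewall.night/rules    REJECT loc:<ip> net, then INCLUDE rules.common

NIGHT_START=22   # 10 PM: first blocked hour (inclusive)
NIGHT_END=6      # 6 AM: first hour with access again (exclusive)

# Map an hour of the day (0-23) to the profile name "day" or "night".
# The window wraps past midnight, hence the "or" between the two tests.
profile_for_hour() {
    hour=$1
    if [ "$hour" -ge "$NIGHT_START" ] || [ "$hour" -lt "$NIGHT_END" ]; then
        echo night
    else
        echo day
    fi
}

# Configuration directory to pass to "shorewall restart" for a profile.
config_dir_for_profile() {
    echo "/etc/shorewall.$1"
}

# Print the contents of the night-time rules file for the given LAN
# addresses (one per argument): one REJECT per host, then the common rules.
# Redirect the output to /etc/shorewall.night/rules to (re)generate it.
night_rules() {
    for ip in "$@"; do
        printf 'REJECT\tloc:%s\tnet\n' "$ip"
    done
    printf 'INCLUDE rules.common\n'
}

# Restart Shorewall with the profile matching the current local hour.
# SHOREWALL defaults to the real command; set SHOREWALL=echo to dry-run.
apply_current_profile() {
    hour=$(date +%H | sed 's/^0//')          # "07" -> "7", "00" -> "0"
    profile=$(profile_for_hour "${hour:-0}")
    "${SHOREWALL:-shorewall}" restart "$(config_dir_for_profile "$profile")"
}

# Only touch the firewall when invoked as "time-profile.sh apply"; sourcing
# or running the file without that argument just defines the functions.
if [ "${1:-}" = "apply" ]; then
    apply_current_profile
fi
```

Install it as root and drive it from the root crontab at both boundaries plus boot, e.g. `0 22 * * * /usr/local/sbin/time-profile.sh apply`, `0 6 * * * /usr/local/sbin/time-profile.sh apply` and, if your cron supports it, `@reboot /usr/local/sbin/time-profile.sh apply`. Because the script derives the profile from the clock rather than from which cron line fired, a missed run or a reboot is corrected the next time it executes; `SHOREWALL=echo ./time-profile.sh apply` shows which restart it would issue without changing anything.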