What is the best way to lock down a specific internal IP address, and specifically run updates via a cron job? I'm looking to limit my kids' machines' access to the internet to only specific times of the day, and would like to do that via cron so we're not constantly messing with it. Their two machines are always the same IP addresses (192.168.1.50 and 192.168.1.51). My Linux box is running Ubuntu and functions as gateway/dhcp/firewall/content filter. I'm running Shorewall 3.2.6.

Thanks in advance,
jdk

-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems? Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/
JD Kitch wrote:
> What is the best way to lock down a specific internal IP address, and specifically run updates via a cron job? I'm looking to limit my kids' machines' access to the internet to only specific times of the day, and would like to do that via cron so we're not constantly messing with it. Their two machines are always the same IP addresses (192.168.1.50 and 192.168.1.51). My Linux box is running Ubuntu and functions as gateway/dhcp/firewall/content filter. I'm running Shorewall 3.2.6.

It's not really that Shorewall specific ...

Firstly, although you can configure DHCP to give certain IPs to certain machines, it doesn't prevent a user setting their network settings - so you will probably want to filter by mac address/ip so that if they change their settings their machines don't get an internet connection.

After that, I suggest having either two rules files or two params files, symlink Shorewall's file to the one required, and restart Shorewall. e.g.:

    ln -sf /etc/shorewall/rules.day /etc/shorewall/rules
    shorewall -q restart

or you could make the file a parameter:

    ln -sf /etc/shorewall/rules.$1 /etc/shorewall/rules
    shorewall -q restart

and in crontab call it thus:

    ....... /usr/local/bin/shorewall-mode day
    ....... /usr/local/bin/shorewall-mode night

Don't forget that you don't need to duplicate everything in the rules file, you can have just the variable rules in the mode specific files and INCLUDE a common rules file for everything else.
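A fleshed-out version of the shorewall-mode script Simon sketches above, added here as an example; it is not Simon's script and not part of Shorewall. It assumes /etc/shorewall/rules.day and /etc/shorewall/rules.night exist (each INCLUDEing a common file for the rules that never change) and that Shorewall is at /sbin/shorewall; both paths can be overridden with environment variables so the symlink logic can be tried out on a machine without Shorewall. The extra checks compared with the two-line sketch are the ones a cron job needs: an unknown mode or a missing rules file is refused before anything is touched, so a typo in the crontab cannot leave the firewall pointing at a dangling symlink.

```shell
#!/bin/sh
# shorewall-mode: hypothetical helper script (added example, not Simon's
# code and not part of Shorewall). Crontab entries, with assumed times:
#   0 7  * * * /usr/local/bin/shorewall-mode day
#   0 21 * * * /usr/local/bin/shorewall-mode night
# Assumes rules.day and rules.night exist in SHOREWALL_DIR and that each
# INCLUDEs a common rules file for everything that does not change.

SHOREWALL_DIR="${SHOREWALL_DIR:-/etc/shorewall}"
SHOREWALL_BIN="${SHOREWALL_BIN:-/sbin/shorewall}"

# switch_mode MODE -- point "rules" at "rules.MODE" and restart Shorewall.
# Returns 1 on an unknown mode or a missing rules file, before touching
# the symlink, so a typo in the crontab cannot leave a dangling link.
switch_mode() {
    mode="$1"
    case "$mode" in
        day|night) ;;
        *) echo "shorewall-mode: unknown mode '$mode' (use day or night)" >&2
           return 1 ;;
    esac
    target="$SHOREWALL_DIR/rules.$mode"
    if [ ! -f "$target" ]; then
        echo "shorewall-mode: $target does not exist" >&2
        return 1
    fi
    ln -sf "$target" "$SHOREWALL_DIR/rules" || return 1
    # Restart only when the shorewall binary is present, so the symlink
    # handling can be exercised on a box that has no Shorewall installed.
    if [ -x "$SHOREWALL_BIN" ]; then
        "$SHOREWALL_BIN" -q restart
    fi
}

# current_mode -- print "day" or "night" according to where the symlink
# points; useful as a check from the shell after a cron run.
current_mode() {
    link=$(readlink "$SHOREWALL_DIR/rules") || return 1
    echo "${link##*/rules.}"
}

if [ $# -gt 0 ]; then
    switch_mode "$1"
fi
```

Run it once by hand for each mode and confirm with `current_mode` (or `ls -l /etc/shorewall/rules`) that the link flipped before trusting it to cron; cron's environment is minimal, which is why the script uses absolute paths throughout.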
On Thu, Aug 16, 2007 at 07:49:25AM +0100, Simon Hobson wrote:
> Firstly, although you can configure DHCP to give certain IPs to
> certain machines, it doesn't prevent a user setting their network
> settings - so you will probably want to filter by mac address/ip so
> that if they change their settings their machines don't get an
> internet connection.

That's not appreciably secure, though. A better solution may be to force all web access to go through squid and use proxy authentication combined with squid's time-based acls.

However it should be noted that pitting your ingenuity against their youthful curiosity is a doomed endeavour. If it is necessary for you to resort to technical means to try to enforce this, they'll find a way around it, sooner or later.
On Thu, Aug 16, 2007 at 10:56:35AM +0100, Andrew Suffield wrote:
> However it should be noted that pitting your ingenuity against their
> youthful curiosity is a doomed endeavour. If it is necessary for you
> to resort to technical means to try to enforce this, they'll find a
> way around it, sooner or later.

But both sides will learn quite a bit about computers and networking in the process, and that has to be a positive benefit, right?

I use shorewall reject on the IP address to achieve this, set as a cron job. I couple that with cutter on the IP address, and then run a shorewall allow in the morning. I have further tricks in mind, but actually want to see them circumvent this measure before I implement new ones.

K
--
In Vino Veritas
http://astroturfgarden.com
Easiest way is to use the dynamic blacklist. In your cron - to block their access:

    /sbin/shorewall drop <IP>

And to enable their Internet access:

    /sbin/shorewall allow <IP>

It's how I do it here...

Cheers
Joerg

--
------------------------------------------------------------------------
| Joerg Mertin            : smurphy@solsys.org (Home) |
| in Forchheim/Germany    : smurphy@linux.de   (Alt1) |
| Stardust's LiNUX System :                           |
| Web: http://www.solsys.org                          |
------------------------------------------------------------------------
PGP Fingerprint: AF0F FB75 997B 025F 4538 5AD6 9888 5D97 170B 8B7A
Perfect! Simple is good! :P

Tested this with the exact results I was looking for. Thanks!

jdk

On 8/16/07, Joerg Mertin <smurphy@solsys.org> wrote:
> Easiest way is to use the dynamic blacklist.
> In your cron - to block their access:
>
> /sbin/shorewall drop <IP>
>
> And to enable their Internet access:
> /sbin/shorewall allow <IP>
>
> It's how I do it here...
>
> Cheers
> Joerg
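The dynamic-blacklist approach Joerg describes, and the OP confirms above, wrapped in a small cron helper. This is an added example, not Joerg's or the OP's script and not part of Shorewall; it uses only the two commands from the thread, `shorewall drop <IP>` and `shorewall allow <IP>`, applied to the two addresses from the original question. The name kidnet, the crontab times and the KID_HOSTS variable are assumptions. Two things the one-liner in a crontab does not give you are added here: each address is validated as a dotted quad before it becomes an argument to shorewall, and every action is logged to syslog via logger so a job that silently did not run is visible the next morning.

```shell
#!/bin/sh
# kidnet: hypothetical cron helper (added example, not Joerg's code and
# not part of Shorewall) built on the dynamic blacklist commands:
#   shorewall drop  <IP>   -- drop traffic from <IP>
#   shorewall allow <IP>   -- remove <IP> from the dynamic blacklist
# Crontab entries, with assumed times:
#   0 21 * * * /usr/local/bin/kidnet block
#   0 7  * * * /usr/local/bin/kidnet unblock

SHOREWALL_BIN="${SHOREWALL_BIN:-/sbin/shorewall}"
# The two fixed addresses from the original question; override via env.
KID_HOSTS="${KID_HOSTS:-192.168.1.50 192.168.1.51}"

# valid_ipv4 ADDR -- accept only a dotted quad with octets in 0..255, so
# a mangled KID_HOSTS value can never reach shorewall as an argument.
valid_ipv4() {
    addr="$1"
    case "$addr" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs="$IFS"; IFS=.
    set -- $addr
    IFS="$old_ifs"
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# apply ACTION -- run "shorewall drop" (block) or "shorewall allow"
# (unblock) for every host, logging each success. Returns the number of
# hosts that were skipped or failed, so 0 means every host was handled
# and cron mails you the stderr output otherwise.
apply() {
    action="$1"
    case "$action" in
        block)   cmd=drop ;;
        unblock) cmd=allow ;;
        *) echo "kidnet: usage: kidnet block|unblock" >&2; return 2 ;;
    esac
    failed=0
    for host in $KID_HOSTS; do
        if ! valid_ipv4 "$host"; then
            echo "kidnet: skipping malformed address '$host'" >&2
            failed=$((failed + 1))
            continue
        fi
        if "$SHOREWALL_BIN" "$cmd" "$host"; then
            # Record the change in syslog; ignore a missing syslog socket.
            logger -t kidnet "$action $host (shorewall $cmd)" 2>/dev/null || :
        else
            echo "kidnet: shorewall $cmd $host failed" >&2
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

if [ $# -gt 0 ]; then
    apply "$1"
fi
```

Because the dynamic blacklist is part of the running ruleset rather than of the configuration files, run the helper by hand after any `shorewall restart` and check that the expected entries are back in place before relying on the next scheduled job.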
>> ... If it is necessary for you to resort to
>> technical means to try to enforce this, they'll
>> find a way around it, sooner or later.

> But both sides will learn quite a bit about
> computers and networking in the process, and that
> has to be a positive benefit, right?

I've learned the hard way that competing purely technically with a high school student body is not a good idea. There are hundreds of them and only one of me, they've got much more free time than I have, and they talk to each other a lot. So even though I could completely crush any one of them tomorrow, over time collectively they always win. They build on previous knowledge, and they often do things that "work" without much understanding. So although some students might "learn something" competing against me this year, next year I'd just have the whole student body laughing at me.

I've learned to not challenge them. An aside webpage that says something like "Blocked - Ha Ha" is a very bad idea. Even saying "Blocked" isn't so good. Much of what I do winds up just hanging for several tens of seconds and giving them no message at all.

I've learned the worst thing to do is get into a tit-for-tat arms race with students. If I always stay just one jump ahead of them, they perceive it as a continuing challenge to keep up with me and sometimes pass me. So when I do occasionally resort to technical means, I hit them with OVERWHELMING FORCE. I implement several different prohibition methods all at once. They can't tell when they've cracked one method because another method steps in immediately so the end result they see is still "doesn't work".

good luck!

-Chuck Kollars
well said chuck. i agree with this 'psychological' approach... but pls do share with this list, for shorewall newbie admins like myself

> Much of
> what I do winds up just hanging for several tens of
> seconds and giving them no message at all.

more info pls

> I implement
> several different prohibition methods all at once.
> They can't tell when they've cracked one method
> because another method steps in immediately so the end
> result they see is still "doesn't work".
>
> good luck!
>
> -Chuck Kollars

more info pls.

Regards,
marco
On Fri, Aug 17, 2007 at 08:19:50PM -0700, Chuck Kollars wrote:
> >> ... If it is necessary for you to resort to
> >> technical means to try to enforce this, they'll
> >> find a way around it, sooner or later.
>
> > But both sides will learn quite a bit about
> > computers and networking in the process, and that
>
> pass me. So when I do occasionally resort to technical
> means, I hit them with OVERWHELMING FORCE. I implement
> several different prohibition methods all at once.
> They can't tell when they've cracked one method

So, is that Chuck Kollars style, or Chuck NORRIS style?

This is some pretty good advice gained from what appears to be a good bit of experience. Thank you for that, I appreciate it. Maybe it's time to do what you're talking about.

One of the biggest barriers to doing what the OP is attempting, I have found, is the existence of neighbors' open wireless APs. Nothing you can do about that, except maybe offer to lock it down for them.

For the original poster, there is not a ton that Shorewall can do to achieve what you are asking about. It's a firewall, or rather, a set of scripts that controls the iptables firewall rules. As such, a good bit of it is pretty much on or off. You can allow access to certain networks/ports/etc. or you can deny it. Turning off particular computers' access is one thing, but to go along with Chuck's OVERWHELMING FORCE methodology, you will need to employ other tools.

Some examples might be:

Use squid for internet access. This proxy will give you more control of the content flowing through your router.

On top of squid, put squidguard or Dansguardian for filtering, and such. I don't know much about these:
http://dansguardian.org

Peruse the tools at Sectools (by nmap creator Fyodor)
Check http://sectools.org

PacketFence (poisons the arp cache to isolate network nodes)
http://www.linuxjournal.com/article/9551

Monitor AIM usage:
http://www.aimsniff.com

Better forums for this discussion, as we've left the Shorewall realm:
comp.os.linux.networking
comp.os.linux.security

--
In Vino Veritas
http://astroturfgarden.com
thanx

--- ktneely@astroturfgarden.com wrote:
> Some examples might be:
>
> Use squid for internet access. This proxy will give
> you more control of the content flowing through your
> router.
>
> On top of squid, put squidguard or Dansguardian for
> filtering, and such. I don't know much about these:
> http://dansguardian.org
>
> Peruse the tools at Sectools (by nmap creator
> Fyodor)
> Check http://sectools.org
>
> PacketFence (poisons the arp cache to isolate
> network nodes)
> http://www.linuxjournal.com/article/9551
>
> Monitor AIM usage:
> http://www.aimsniff.com
>
> Better forums for this discussion, as we've left the
> Shorewall realm:
> comp.os.linux.networking
> comp.os.linux.security