
Re: Limiting internet access by time





On Fri, Aug 5, 2016 at 11:04 PM Brian <ad44@cityscape.co.uk> wrote:
On Fri 05 Aug 2016 at 12:00:28 +0100, Lisi Reisz wrote:

> On Friday 05 August 2016 11:40:28 Brian wrote:

Let us look at this from a different angle. If the machine is given a
fixed address it negates the need for dhcp checking. If, additionally,
no gateway to the internet is specified there would be no access to the
internet at any time.

For an always-on machine cron jobs could switch routing at 9am and 9pm.
If the machine was rebooted after 9pm there would be no internet. A
reboot after 9am presents a problem. This could be solved by having cron
check every five minutes between 9am and 9pm and providing a gateway to
the internet.

Sticking with the idea of using a systemd service file, the script it
runs would check the time and alter the routing table when necessary.
Neither cron nor iptables need come into the picture.


Thanks Brian. My thinking was that although this machine won't be on all the time, it will be started and stopped at unpredictable times. I wanted to have a situation where if it is brought up during allowed hours, the internet works. If it is brought up during not-allowed hours, it doesn't, until 9am arrives, at which point it starts working. So if my son gets out of bed at 3am and fires up the computer, he gets nowhere (at least until he figures out how to hack into my own machine and run an ssh session with X forwarding... but if he figures that out without my help I'm almost inclined to reward him by turning a blind eye :-) )

Similarly, if he is surfing away on it at 9pm, well by then he is supposed to be at least in the bath if not in bed, so the computer's internet connection sets an example by going to sleep...

If he leaves it on, I want it to connect and disconnect automatically at the appropriate times, and if he doesn't, I want it to come up in the right state. If I leave a hole in this that can be exploited without strong technical skills, I'm confident he'll find it...

I could give the box a fixed IP but I have always used DHCP on my local network and don't want to disturb my habits more than necessary for this. Also this would get rid of the need for DHCP but wouldn't get rid of NTP calls, and then I'd get them vomiting all over the logs when they fail to connect. Not a big problem, certainly, but an elegant solution would avoid it.

I didn't mention earlier, and I'm not sure if it is relevant, but the computer connects via WiFi to my access point, which is also my network's internet gateway -- with an LFS box between it and the cable modem as a dedicated firewall. I don't trust the non-free firewall in the AP, although I have left it on.

The rest of my network is not to be subject to this 9pm curfew. And I would ideally like connectivity between this machine and the rest of my local network to remain even when the internet is denied to this machine, so I can do remote maintenance when he's not using the machine, for example. If I monkey around with the default routing as you are suggesting, does that have any negative implications for connectivity to the rest of my local network?

Finally, I am afraid I did not understand the point you made about how cron can be avoided. If the machine's up when 9pm arrives, I want internet connectivity to die so I can prise him off the computer and get him to bed. In your idea, how can I make that happen without a cron job?

Thanks

Mark
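
The routing approach discussed in this thread, sketched as an added example (not code posted by either participant). It assumes the gateway address 192.168.1.1 and a 09:00 to 21:00 window; the variable and function names are illustrative, and it only prints the command unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example: decide from the clock whether a default route should exist,
# then add or remove it. Only the default route is touched, so the directly
# connected LAN route (and local ssh maintenance) keeps working.
GATEWAY="${GATEWAY:-192.168.1.1}"    # assumed address of the AP/gateway
ALLOW_FROM="${ALLOW_FROM:-0900}"     # internet allowed from 09:00 ...
ALLOW_UNTIL="${ALLOW_UNTIL:-2100}"   # ... up to, but not including, 21:00

# num HHMM -> the same value without leading zeros ("0900" -> "900", "0000" -> "0"),
# so the shell never treats it as octal.
num() {
    n=$(printf '%s' "$1" | sed 's/^0*//')
    printf '%s' "${n:-0}"
}

# desired_state HHMM -> prints "allow" or "deny" for that local time.
desired_state() {
    now=$(num "$1")
    if [ "$now" -ge "$(num "$ALLOW_FROM")" ] && [ "$now" -lt "$(num "$ALLOW_UNTIL")" ]; then
        echo allow
    else
        echo deny
    fi
}

# route_command STATE -> prints the iproute2 command that enforces STATE.
route_command() {
    case "$1" in
        allow) echo "ip route replace default via $GATEWAY" ;;
        deny)  echo "ip route del default" ;;
    esac
}

# apply_policy [HHMM] -> enforce the policy for HHMM (default: now).
# Dry run unless APPLY=1; needs root when it really changes the route.
apply_policy() {
    state=$(desired_state "${1:-$(date +%H%M)}")
    cmd=$(route_command "$state")
    if [ "${APPLY:-0}" != 1 ]; then
        echo "$cmd"
        return 0
    fi
    # Deleting a default route that is already absent is not a failure.
    $cmd || [ "$state" = deny ]
}

apply_policy
```

Because the script is idempotent, running it once at boot and then every few minutes (from a systemd service with a timer, or from cron) covers a boot inside or outside the window as well as the 9am and 9pm transitions.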
