
Re: Limiting internet access by time



On Sat, Aug 06, 2016 at 04:56:06AM +0000, Mark Fletcher wrote:
> On Sat, Aug 6, 2016 at 2:48 AM Dan Ritter <dsr@randomstring.org> wrote:
> 
> > On Fri, Aug 05, 2016 at 03:49:28PM +0000, Mark Fletcher wrote:
> > > On Fri, Aug 5, 2016 at 11:04 PM Brian <ad44@cityscape.co.uk> wrote:
> > >
> > > I didn't mention earlier, and I'm not sure if it is relevant, but the
> > > computer connects via WiFi to my access point, which is also my network's
> > > internet gateway -- with an LFS box between it and the cable modem as a
> > > dedicated firewall. I don't trust the non-free firewall in the AP, although
> > > I have left it on. The rest of my network is not to be subject to this 9pm
> > > curfew. And I would ideally like connectivity between this machine and the
> > > rest of my local network to remain even when the internet is denied to this
> > > machine, so I can do remote maintenance when he's not using the machine,
> > > for example.
> >
> >
> > I have a new suggestion, based on this.
> >
> > Do all the filtering on your LFS box.
> >
> > Match your kid's machine by MAC address.
> >
> > Write two tiny scripts:
> >
> > #!/bin/sh
> > iptables -D FORWARD -m mac --mac-source 58:63:1a:af:71:72 -j DROP
> >
> >
> > #!/bin/sh
> > iptables -I FORWARD -m mac --mac-source 58:63:1a:af:71:72 -j DROP
> >
> > (substituting in the appropriate MAC address for the machine, of
> > course)
> >
> > and run the first one at 9 PM to disable internet access, and
> > run the second one at 8 AM or whatever to re-enable it. Cron is
> > your friend.
> >
> The LFS box (and yes that is Linux From Scratch, all my other "real"
> computers are Debian) sits between my AP (wireless & wired) and the cable
> modem ie the wilds of the Internet. Used to be that the AP was plugged
> straight into the cable modem, but about 6 months ago or so I set up this
> LFS box using an ASUS mini PC, about 10% out of concern for what weaknesses
> my AP's firewall might have that I didn't and never would know about, and
> 90% just to see if I could. The WAN port of the AP goes into one interface
> of the firewall, the other goes to the cable modem. All my computers other
> than the firewall itself are connected, wired or wireless, to the AP. The
> wireless card built into the firewall box is disabled.
> 
> Since the AP is doing NAT, as I believe is normal for such a device that
> thinks it is the last line of defence between the network and the Internet,
> I am not sure that the LFS firewall machine will be able to see the MAC
> addresses of the computers on my LAN. I just tried to do an experiment
> involving logging in iptables on the firewall, but the logged information
> doesn't seem to include MAC address so I couldn't check.
> 
> If in fact, I can expect the firewall to be able to see source computer LAN
> mac addresses in this configuration, that has all sorts of other positive
> implications which I would get excited about. I'd just assumed it wouldn't
> be possible due to the layer of indirection provided by the AP.
> 

Got it. You can change that by removing NAT from the AP. For
instance, plug your switch into a LAN port instead of the WAN
port:

cable modem -- LFS -- switch ---- (LAN port) AP ---- wifi client
                             |                  \___ wifi client
                             |
                             ---- other wired machines

You can either set up a flat addressing space, perhaps with a
range reserved for DHCP machines and the rest doing static, or
you can route at the LFS machine and the AP. I would recommend
a flat space unless you have a really large (>25) number of
machines. That's what I do.

I also have my equivalent of your LFS running dhcpd for the
whole network, rather than having another configuration point
on the AP to worry about. All filtering can be done there.

-dsr-
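The two one-line scripts quoted above, folded into a single idempotent toggle for cron (an added example, not Dan's code or anything from the thread). It assumes the AP is bridging via a LAN port as suggested, so the firewall sees real source MACs; the MAC and the interface name LAN_IF are placeholders.

```shell
#!/bin/sh
# curfew.sh: toggle internet access for one LAN host on the LFS firewall.
# Added example, not code from the thread. Assumes the AP is bridging (plugged
# in via a LAN port, as suggested above) so the firewall sees the real source
# MAC, and that LAN_IF is the firewall interface facing the switch.
# Cron entries (edit as needed):
#   0 21 * * *  /usr/local/sbin/curfew.sh off
#   0  8 * * *  /usr/local/sbin/curfew.sh on

MAC="${MAC:-00:11:22:33:44:55}"   # placeholder MAC of the child's machine
LAN_IF="${LAN_IF:-eth1}"          # assumed name of the LAN-side interface

# The one rule spec, used identically for -C (check), -I (insert), -D (delete).
# Matching -i keeps the rule to traffic crossing the firewall; host-to-host LAN
# traffic goes through the switch and never reaches FORWARD, so remote
# maintenance from the LAN keeps working while the curfew is in force.
curfew_rule() {
    iptables "$1" FORWARD -i "$LAN_IF" -m mac --mac-source "$MAC" -j DROP
}

# Exit status 0 when the DROP rule is present.
curfew_active() {
    curfew_rule -C 2>/dev/null
}

# Block internet for the host. Idempotent: a cron job that fires twice, or a
# manual run on top of cron, never stacks duplicate rules.
curfew_off() {
    curfew_active || curfew_rule -I
}

# Restore internet. Loops so stale duplicates left by earlier non-idempotent
# scripts are all removed, not just the first one.
curfew_on() {
    while curfew_active; do
        curfew_rule -D
    done
}

if [ $# -gt 0 ]; then
    case "$1" in
        off)    curfew_off ;;
        on)     curfew_on ;;
        status) curfew_active && echo "curfew active" || echo "curfew inactive" ;;
        *)      echo "usage: $0 on|off|status" >&2; exit 2 ;;
    esac
fi
```

`iptables -C` reports whether a rule already exists, which is what makes the 9 PM job safe to re-run; `iptables -L FORWARD -v` on the LFS box confirms the DROP counters move only for that MAC.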

