How to Schedule Internet Access?
-
O.K., thank you for pointing out the problems, but what are the correct solutions (e.g., the "127" in the host address entry appears to be fixed so I am unable to change it)? Should I use Source Type 'network' (which would allow me to change 127 to 32)? Should I set Protocol to 'any'? Can I use a separate rule for each computer or do I have to use an alias–if the latter, how do I create it?
-
…--this is why I was hoping someone would provide detailed instructions on how to do what I want to do.
Isn't that what I posted?
Post your rules, and one of us will help you. It's easy. It takes two rules, unless you have specific requirements you haven't shared.
-
O.K., thank you for pointing out the problems, but what are the correct solutions (e.g., the "127" in the host address entry appears to be fixed so I am unable to change it)?
-
O.K., so I used doktornotor's advise on how to create an alias (thank you), but do I really need to create the alias for all the devices for which I don't want the schedule blocking to apply as almabes did, or can I just create and use the alias for the devices I want blocked per the schedule as doktornotor seems to imply? It seems to me that the former method would turn into a bit of a headache, as I would have to add an address to the alias every time I add a new device I don't want blocked to my network. Would checking 'not' under Source in my firewall rule accomplish this or do I really need to create two rules?
-
No, you just need one alias for the blocked devices, used to allow access on the schedule. You set up another allow rule without any schedule with source using NOT that alias.
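As an added illustration (not from the thread or from pfSense itself), here is a small Python model of that two-rule layout with pfSense's first-match evaluation: one pass rule for the alias hosts on a schedule, then one pass rule whose source is NOT the alias. The alias name and addresses are constructed, and the `Schedule` also models the difference between clicking a weekday header (repeats every week) and clicking individual dates (covers only those dates).

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address
from typing import Optional

# Constructed sample alias; the thread never lists real addresses and the name is assumed.
KIDS_PCS = frozenset({ip_address("192.168.1.50"), ip_address("192.168.1.51")})

@dataclass(frozen=True)
class Schedule:
    """A pfSense schedule: a daily window ("HH:MM", end exclusive) plus EITHER
    weekdays (0=Mon..6=Sun; clicking a weekday header repeats every week) OR
    individual calendar dates ("YYYY-MM-DD"; clicking single dates covers only
    those dates, so such a schedule silently stops matching afterwards)."""
    start: str
    end: str
    weekdays: frozenset = frozenset()
    dates: frozenset = frozenset()

    def active(self, when: datetime) -> bool:
        day_ok = when.weekday() in self.weekdays or when.date().isoformat() in self.dates
        return day_ok and self.start <= when.strftime("%H:%M") < self.end

@dataclass(frozen=True)
class Rule:
    action: str                          # "pass" or "block"
    src: Optional[frozenset] = None      # alias members; None means "any"
    negate: bool = False                 # the "not" checkbox on Source
    schedule: Optional[Schedule] = None

    def matches(self, src_ip, when: datetime) -> bool:
        # Outside its window a scheduled rule is simply not loaded into pf.
        if self.schedule is not None and not self.schedule.active(when):
            return False
        if self.src is None:
            return True
        return (src_ip in self.src) != self.negate

def evaluate(rules, src_ip: str, when_iso: str) -> str:
    """First matching rule wins, top to bottom, as in pf; the implicit last rule is deny."""
    ip, when = ip_address(src_ip), datetime.fromisoformat(when_iso)
    for rule in rules:
        if rule.matches(ip, when):
            return rule.action
    return "block"

# The two-rule layout: alias hosts pass only on the schedule,
# hosts NOT in the alias pass unconditionally.
ALLOWED_HOURS = Schedule("07:00", "22:00", weekdays=frozenset(range(7)))
RULES = (
    Rule("pass", KIDS_PCS, schedule=ALLOWED_HOURS),
    Rule("pass", KIDS_PCS, negate=True),
)
```

Note that a host using any address outside the alias falls through to the second rule, which is exactly the IP-based weakness discussed further down the thread.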
-
Thanks–I've got to go to work now, so I'll take this matter up again this evening.
-
Now, please understand that unless you have a complete control over the IPs used on all machines, anyone can bypass the limited access by grabbing an IP outside of the limited hosts alias.
-
Now, please understand that unless you have a complete control over the IPs used on all machines, anyone can bypass the limited access by grabbing an IP outside of the limited hosts alias.
Thus the reason for me doing it the way I did it.
I have way more than 5 devices on my network. Establishing an alias with the devices was no big deal. I also set up DHCP reservations to keep my unlimited access device IPs from potentially changing. Security and control require administration. My old way was even more effective.
I unplugged the cable leading to their switch. Killed access immediately.
-
Mmmm . . . yes, well I suppose that if there was a way to use a device's MAC address instead of its IP address the blocking might be more effective. I'm just trying to discourage my kids from staying up all night playing online games–if they are savvy enough to figure out that changing their computer's IP address might allow internet access late at night, I'll find out about it after not too long anyway. Even using almabes method has holes in it, as if an allowed device is shut off then someone could use its IP address to gain access. I might just try to use one rule to block all my devices as I seldom stay up late myself at my age.
I assume that using these rules won't affect my default rules (e.g., "bogon," etc.)?
Also, I highlighted the days of the week of the current month and set the times of days in the scheduler; will this keep the schedule in perpetuity or do I need to do something else?
Thanks!
-
Mine just stay up all night playing LAN games, now…until I threaten to flip the breaker to their area, or wake their asses up at 7:00 AM with Tchaikovsky's 1812 overture. Cannon fire at full volume can be effective alarm clocks.
Now that there's a managed switch in their area, I could just shutdown their ports, too, but I like Tchaikovsky.
-
If they're savvy enough to change an IP address they're savvy enough to change a MAC address. At least they'll be learning something.
-
If you (DHCP) hand out IPs only to known MACs (don't allow new MACs and static ARP) and they don't know valid MACs on the subnet not always turned on: How would they get internet access?
-
All they have to do is listen for a while and they'll have all the info they need. Sure, they might have to wait for a window when the spoofable MAC is offline. It is best classified as an inconvenience, but by no means is it meaningful security.
-
…and they don't know valid MACs on the subnet...
Ping-sweep and check the arp table. Then they know.
You need to isolate them to a separate network (physical or VLAN) AND prevent access to the unlimited network to have a chance.
-
By all means: If I find them the whole night at their computer "doing homework" I would think about something like that.
But if I find them now and then with an offline game or translating some wiki articles for a software project I sleep pretty well with my design of security. I'm not the NSA.
And if they have considerably higher computing skills than I do, they deserve to be online :-D
There has to be some basic trust between kids and parents, otherwise your education is completely wrong. As on the level of society: If you think you have to (are entitled to) watch every step and move, there is something severely going wrong on a very basic level…
-
There has to be some basic trust between kids and parents, otherwise your education is completely wrong.
It's you who is talking about restricting your network, I only answered your question… ::)
Micromanaging the network down to MAC-address level means work and a hassle as soon as anything needs to be changed. That administrative effort could instead be put on logging that restrictions are obeyed. If that proves to not be enough, a separate VLAN is more effective and less work than trying to filter out specific nodes in a common LAN.
For me all of this is still some years away. My oldest is only 5 yet. :)
-
@P3R:
For me all of this is still some years away. My oldest is only 5 yet. :)
I wrote my first code when I was 7, taught by a computer science graduate with one of the first ZX81s. Never underestimate the learning potential of young minds if it's kept fun & entertaining, especially if they don't know it's supposed to be hard; otherwise they will put up psychological barriers to learning.
-
Never underestimate the learning potential of young minds…
I'm not and I'll be the one doing the teaching. I'd love to have another network administrator in the family, even if that means I'll eventually be outsmarted.
I started with a DIY ZX81 as well but I was a little older… ;)
-
O.K. guys, after all the philosophical debate and the fun, let's get back to my questions, please:
I assume that using these rules won't affect my default rules (e.g., "bogon," etc.)?
Also, I highlighted the days of the week of the current month and set the times of days in the scheduler; will this keep the schedule in perpetuity or do I need to do something else?
And, I also assume that I can use a single rule if I just block all devices on my network according to a schedule?
Thanks.