Netgate Discussion Forum
    How to Schedule Internet Access?

    35 Posts 7 Posters 13.4k Views
      almabes

      @doktornotor:

      Now, please understand that unless you have complete control over the IPs used on all machines, anyone can bypass the limited access by grabbing an IP outside of the limited hosts alias.

      Thus the reason for me doing it the way I did it.
      I have way more than 5 devices on my network.  Establishing an alias with the devices was no big deal.  I also set up DHCP reservations to keep my unlimited access device IPs from potentially changing.  Security and control require administration.

      My old way was even more effective. 
      I unplugged the cable leading to their switch.  Killed access immediately.

        Nonsense

        Mmmm . . . yes, well I suppose that if there was a way to use a device's MAC address instead of its IP address the blocking might be more effective.  I'm just trying to discourage my kids from staying up all night playing online games; if they are savvy enough to figure out that changing their computer's IP address might allow internet access late at night, I'll find out about it after not too long anyway.  Even using almabes' method has holes in it, as if an allowed device is shut off then someone could use its IP address to gain access.  I might just try to use one rule to block all my devices as I seldom stay up late myself at my age.

        I assume that using these rules won't affect my default rules (e.g., "bogon," etc.)?

        Also, I highlighted the days of the week of the current month and set the times of days in the scheduler; will this keep the schedule in perpetuity or do I need to do something else?

        Thanks!

          almabes

          Mine just stay up all night playing LAN games, now…until I threaten to flip the breaker to their area, or wake their asses up at 7:00 AM with Tchaikovsky's 1812 overture.  Cannon fire at full volume can be effective alarm clocks.

          Now that there's a managed switch in their area, I could just shutdown their ports, too, but I like Tchaikovsky.

            Derelict (Netgate)

            If they're savvy enough to change an IP address they're savvy enough to change a MAC address.  At least they'll be learning something.

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

              2chemlud

              If you (via DHCP) hand out IPs only to known MACs (don't allow new MACs, and use static ARP) and they don't know the valid MACs on the subnet that aren't always turned on: how would they get internet access?

                Derelict (Netgate)

                All they have to do is listen for a while and they'll have all the info they need.  Sure, they might have to wait for a window when the spoofable MAC is offline.  It is best classified as an inconvenience, but by no means is it meaningful security.

                  P3R

                  @2chemlud:

                  …and they don't know valid MACs on the subnet...

                  Ping-sweep and check the ARP table. Then they know.

                  You need to isolate them to a separate network (physical or VLAN) AND prevent access to the unlimited network to have a chance.

                    2chemlud

                    By all means: if I find them the whole night at their computer "doing homework" I would think about something like that.

                    But if I find them now and then with an offline game or translating some wiki articles for a software project I sleep pretty well with my design of security. I'm not the NSA.

                    And if they have considerably higher computing skills than I do, they deserve to be online :-D

                    There has to be some basic trust between kids and parents, otherwise your education is completely wrong. As on the level of society: if you think you have to (are entitled to) watch every step and move, there is something severely going wrong on a very basic level…

                      P3R

                      @2chemlud:

                      There has to be some basic trust between kids and parents, otherwise your education is completely wrong.

                      It's you who talks about restricting your network; I only answered your question… ::)

                      Micromanaging the network down to MAC-address level means work and a hassle as soon as anything needs to be changed. That administrative effort could instead be put into logging whether the restrictions are obeyed. If that proves not to be enough, a separate VLAN is more effective and less work than trying to filter out specific nodes in a common LAN.

                      For me all of this is still some years away. My oldest is only 5 yet. :)

                        doktornotor

                        @P3R:

                        For me all of this is still some years away. My oldest is only 5 yet. :)

                          firewalluser

                          @P3R:

                          For me all of this is still some years away. My oldest is only 5 yet. :)

                          I wrote my first code when I was 7, taught by a computer science graduate with one of the first ZX81s. Never underestimate the learning potential of young minds if it's kept fun & entertaining, especially if they don't know it's supposed to be hard; otherwise they will put up psychological barriers to learning.

                          Capitalism, currently The World's best Entertainment Control System and YOU can't buy it! But you can buy this, or some of this or some of these

                          Asch Conformity, mainly the blind leading the blind.

                            P3R

                            @firewalluser:

                            Never underestimate the learning potential of young minds…

                            I'm not and I'll be the one doing the teaching. I'd love to have another network administrator in the family, even if that means I'll eventually be outsmarted.

                            I started with a DIY ZX81 as well but I was a little older… ;)

                              Nonsense

                              O.K. guys, after all the philosophical debate and the fun, let's get back to my questions, please:

                              I assume that using these rules won't affect my default rules (e.g., "bogon," etc.)?

                              Also, I highlighted the days of the week of the current month and set the times of days in the scheduler; will this keep the schedule in perpetuity or do I need to do something else?

                              And, I also assume that I can use a single rule if I just block all devices on my network according to a schedule?

                              Thanks.

                                2chemlud

                                https://forum.pfsense.org/index.php?topic=94678.msg526090#msg526090

                                Don't use scheduled BLOCK rules, broken!

                                Schedule ALLOW rules!

                                  almabes

                                  Without a screen shot of ALL your rules, I couldn't say for sure.
                                  The bogon rules are on the WAN interface.
                                  But the point of adding rules to the firewall is to NOT have the default activity.

                                  Post a screen shot of your schedule, but sounds like it's set up to run in perpetuity.

                                  A single rule will do the job, if you have a single entity on a single interface you wish to regulate.

                                  Again, don't schedule a BLOCK rule.  Schedule a PASS rule.  The firewall won't kill states if you have a block rule that becomes effective.  It WILL kill states if you have a PASS rule that disables.

                                  And if you have late to all night LAN gaming issues, Wagner's Die Walküre or Tchaikovsky's 1812 overture played at high volume in the early morning tends to nip that in the bud pretty quick, at least around here.  I haven't had to fire up the turntable in the morning in at least a couple of months.

                                    Nonsense

                                    I prefer the 1958 Dorati recording.  :-*

                                      Nonsense

                                      The Host DNS Server Override Blocker rule prevents a host from specifying its own DNS addresses and the DayPass rule is what I implemented in relation to this topic; the rest of my rules are the pfSense defaults.

                                      [Attached screenshots: ScreenShot.jpg (firewall rules), Schedule.jpg (schedule)]

                                        almabes

                                        Your top allow rule is not specific enough.  Create an alias containing only the addresses you want to allow and use the alias as your source address.  After you do that, you're golden.

                                        Right now your rules say:
                                        BLOCK external dns.
                                        PASS any traffic from my LAN net arriving on the LAN interface destined for any host or service anywhere.
                                        PASS any traffic from any address arriving on the LAN interface destined for any host or service anywhere, only between these times.

                                        First applicable rule wins.

                                        You want them to say:
                                        BLOCK external dns.
                                        PASS any traffic from alias unlimited_access arriving on the LAN interface destined for any host or service anywhere.
                                        PASS any traffic from any address arriving on the LAN interface destined for any host or service anywhere, only between these times.

                                        Then, if you need to add a host to the unlimited_access alias, you just edit it, hit apply and your device surfs without a schedule.
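The rule ordering almabes lays out above, together with the earlier point about scheduling PASS rather than BLOCK rules, as an added model (not pfSense code and not code posted by anyone in this thread); the rule lists follow almabes's post, while the IP addresses, the unlimited_access alias members and the schedule hours are constructed sample values:

```python
"""Model of pfSense LAN rule evaluation under schedules.

Added example, not pfSense code and not code posted in the thread. It
reproduces the two rule lists almabes gives (the external-DNS block rule
is omitted as it does not bear on the point) and the state-killing
behaviour the thread describes; all addresses and windows are constructed.
"""
from dataclasses import dataclass
from datetime import time
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str                         # "pass" or "block"
    source: Optional[frozenset] = None  # None means any source address
    window: Optional[tuple] = None      # (start, end) hours the schedule is active

    def active(self, now: time) -> bool:
        return self.window is None or self.window[0] <= now < self.window[1]

    def matches(self, src: str, now: time) -> bool:
        return self.active(now) and (self.source is None or src in self.source)

def decide(rules, src, now):
    """First applicable rule wins; an unmatched packet hits the default deny."""
    for rule in rules:
        if rule.matches(src, now):
            return rule.action
    return "block"

def surviving_states(rules, states, now):
    """states: (src, index of the rule that created the state) pairs.
    A scheduled PASS rule leaving its window takes its states with it; a
    scheduled BLOCK rule becoming active leaves established states alone."""
    return [(src, i) for src, i in states
            if not (rules[i].action == "pass" and not rules[i].active(now))]

LAN_NET = frozenset({"192.168.1.10", "192.168.1.20"})  # constructed LAN hosts
UNLIMITED = frozenset({"192.168.1.10"})                 # the unlimited_access alias
DAY = (time(7, 0), time(22, 0))                         # the DayPass schedule window
NIGHT = (time(22, 0), time.max)                         # window for a scheduled block

# "Right now your rules say": the LAN-net pass matches first; the schedule never applies.
BEFORE = [Rule("pass", LAN_NET), Rule("pass", None, DAY)]
# "You want them to say": only alias members bypass the schedule.
AFTER = [Rule("pass", UNLIMITED), Rule("pass", None, DAY)]
# The variant the thread advises against: a scheduled BLOCK ahead of an always-on PASS.
BLOCK_AT_NIGHT = [Rule("block", LAN_NET, NIGHT), Rule("pass", LAN_NET)]
```

At 23:00 the BEFORE list still passes a non-alias host, the AFTER list blocks it and drops the state its earlier DayPass session created, while BLOCK_AT_NIGHT blocks new connections but leaves the established state in place.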

                                          Derelict (Netgate)

                                          @2chemlud:

                                          Don't use scheduled BLOCK rules, broken!

                                          Not broken.  Design choice.  If you thought about it for two minutes you'd understand why.

                                            2chemlud

                                            I thought about that for MONTHS now and as a dumb firewall user I came to the final conclusion:

                                            I want all states to be killed if I set up a block rule.

                                            What I don't get: why did the update to 2.2 also take away the option to kill states with pfctl -k? It definitely worked before; as I said, I get an email with the states every evening before and after the block/state-killing cron job. It worked before! But now I have to kill all states after the block rule to cut off existing states.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.