Newbie Puzzler 2: The leaking date/time restrictions



  • UPDATED (see bottom)

    I have a son who will stay up all night watching videos if his internet access isn't cut off.

    To this end, I have implemented a simple date/time restriction scheme. It goes like this:

    1. all of his devices have DHCP4 reservations for IPv4 addresses based on the device's MAC address. These are 192.168.1.201 - 204
    2. An alias is set up for these 4 IP addresses
    3. A schedule is set up that has a range Mon - Sun 6:00 - 21:30
    4. Two rules are set up [update: LAN side]
        a) First rule: if the source matches the alias devices, and it meets the schedule, all the traffic is passed.
        b) Second rule: if the source matches the alias devices, all traffic is blocked.

    Given the sequential nature of pfSense rule evaluation, all his traffic during the schedule (6 AM - 9:30 PM) will have the rule evaluate to "True", so the second rule won't be evaluated. Once the time is outside of the schedule, the first rule will evaluate to "False" and the second rule will be evaluated to block all the traffic.

    Newbie Puzzler #2 Question:

    Some traffic still gets through outside of the schedule!

    I know what you're thinking - the State table. Nope - I trash all the states for his devices' connections.

    One device that leaks is an older iPad. It only has IPv4 addressing. It gets address 192.168.1.203.
    Outside of the scheduled time,

    1. it cannot play YouTube videos. However, it can load the initial page of the video and show the static frame of the video.
    2. I can google anything and everything and google will return the results (it seems a little slower, though).
    3. I can go to Wikipedia and read articles to my heart's content.

    In the firewall log, I do see a lot of traffic being blocked - traffic to DNS servers.

    I run some packet capture from Diagnostics.
    I see traffic making it out to 17.253.5.202, which is an Apple server (ussjc2-vip-bx-002.aaplimg.com).
    I also see traffic to Wikipedia. I see traffic to Google.

    Here is the "block all" rule:

    The Newbie Puzzler Question 2 therefore is: how is some traffic getting in/out?
    The follow-up question would be: how can the rules be improved?

    UPDATE:
      It appears the older iPad is not completely honest about it only having an IPv4 address. It also grabs an IPv6 address, which I found by examining the NDP table. If I hit the trashcan for its entry, it comes back immediately.
      As updated above, the rules are on the LAN side. If I put the IPv6 rule on the WAN side, it blocks it.
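To make the gap in the two-rule scheme concrete, here is an added model (not from the post or from pfSense itself) of first-match rule evaluation with a schedule. The device addresses are the four reserved IPv4 addresses from the post; the IPv6 address is a constructed placeholder standing in for whatever the iPad self-assigned, and the fall-through to "pass" models the default allow-LAN-to-any rules.

```python
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Constructed data: the four reserved IPv4 addresses from the post, plus a
# placeholder IPv6 address (documentation prefix, not a real lease) standing
# in for the address the iPad grabbed on its own.
KID_V4 = [ip_network(f"192.168.1.{h}/32") for h in range(201, 205)]
KID_V6 = [ip_network("2001:db8::1234/128")]

SCHED_START, SCHED_END = time(6, 0), time(21, 30)   # Mon - Sun 6:00 - 21:30

def in_schedule(hhmm: str) -> bool:
    """The schedule covers every day of the week, so only time of day matters."""
    return SCHED_START <= datetime.strptime(hhmm, "%H:%M").time() <= SCHED_END

@dataclass
class Rule:
    action: str                 # "pass" or "block"
    src: list                   # alias contents (networks)
    scheduled: bool = False     # True: the rule only matches inside the window

def matches(rule: Rule, src, hhmm: str) -> bool:
    if rule.scheduled and not in_schedule(hhmm):
        return False
    # ipaddress returns False on an IPv4/IPv6 family mismatch, which is the
    # whole problem: an IPv6 source never matches an IPv4-only alias.
    return any(src in net for net in rule.src)

def evaluate(rules: list, src_ip: str, hhmm: str) -> str:
    """First-match evaluation modelled on a pfSense LAN ruleset; a packet that
    matches no rule falls through to the default allow-LAN-to-any rules."""
    src = ip_address(src_ip)
    for rule in rules:
        if matches(rule, src, hhmm):
            return rule.action
    return "pass"

# The two rules as described in the post: the alias holds IPv4 only.
RULES_V4_ONLY = [Rule("pass", KID_V4, scheduled=True), Rule("block", KID_V4)]
# The same two rules with the device's IPv6 address added to the alias
# (the 'droite' alias in a later reply does this).
RULES_DUAL_STACK = [Rule("pass", KID_V4 + KID_V6, scheduled=True),
                    Rule("block", KID_V4 + KID_V6)]

if __name__ == "__main__":
    for ip in ("192.168.1.203", "2001:db8::1234"):
        print(ip, "at 22:00:", evaluate(RULES_V4_ONLY, ip, "22:00"),
              "/ dual-stack alias:", evaluate(RULES_DUAL_STACK, ip, "22:00"))
```

The same check applies to any alias built from addresses rather than MACs: a host that picks up a second address family simply never hits the rules.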



  • Many of us experience this problem with not being able to properly limit our children's internet usage.

    We all have posted a similar predicament. On a PC for example, any online game they are playing will stop on schedule, but things like Teamspeak will stay active, and reconnect, even after I manually reset all states. I presume it's because of UDP traffic - it has a way of sneaking through.

    We would gratefully like the firewall to block things, thank you.



  • @barkcow:

    I also see traffic to Wikipedia. I see traffic to Google.

    Traffic to Wikipedia coming from Andrew's device ? Are you sure ? Should not be IPv6 neither IPv6 - TCP/UDP ….

    It is possible that the YouTube site shows something because all the HTML framework (and some scripts?) is using long-time local browser cache values. So something shows because the browser "already has the info" - but no ads, videos or whatever is dynamic.

    I just added the IPv4 and IPv6 to an alias named 'droite' and added a block rule.
    See image.

    This device still had the possibility to 'see' local devices .... but nothing more.

    Edit: The day Andrew discovers this video, throw Andrew behind a captive portal and make static DHCP leases using his MAC addresses - and refuse any other MAC. And ….
    But I'm not fighting my kids through a keyboard. I go one level down, grab the baseball bat and go 2 levels up ... Works great.




  • Edit: The day Andrew discovers this video, throw Andrew behind a captive portal and make static DHCP leases using his MAC addresses - and refuse any other MAC

    If he ever figured that out, I was thinking of doing something like http://www.ex-parrot.com/~pete/upside-down-ternet.html and http://blog.g0tmi1k.com/2011/04/playing-with-traffic-squid/