PfSense and Parental Controls (using DNS blocking and Cron to bring interfaces up and down)
-
Hey all,
I'm trying to manage my stepsons Internet time and access of inappropriate sites using pfSense.
Previously we used Blue Coats K9 on the local machine for parental controls and it worked (with mixed success) but apparently Symantec bought Blue Coat and shut down K9, so it is no longer an option.
So, time to think of a new strategy.
First off, for a home setup, mine is unusually complex. I'm a little bit of an enthusiast, so please just roll with it.
A while back I caught him doing things I disapproved of on the network, so I decided that in order to not let him hose the rest of my network, just in case, I'd move his machine to its own dedicated VLAN with it's own private IP subnet firewalled off from the rest of the network (but with gateway access)
So, on Pfsense he is connected to the ix.5 interface (via a series of VLAN's configured via trunks between switches before it reaches him.
First step was to get some level of web filtering. I already use pfBlocker-NG, but it seemed needlessly complex to try to configure that with different filter sets across VLAN's, and I couldn't figure out what each of the filter sets in the long list of them are for anyway, so I quickly abandoned that.
Next I decided to add the two DNS servers for OpenDNS Family Shield (208.67.222.123, 208.67.220.123) to just his subnet. This seems to work, but if he figures out how to change DNS servers it won't for long.
I created custom rules on his VLAN to allow the two OpenDNS servers, but to block all other DNS servers as follows:
But this doesn't seem to have worked. For whatever reason, instead of allowing DNS traffic to those two IP's it seems to block ALL DNS traffic. Any suggestions appreciated here.
Next, to control usage times, I created two small "scripts" as follows in /usr/local/bin:
wup.sh:
#!/bin/sh ifconfig ix1.5 up exit 0
and
wdown.sh:#!/bin/sh ifconfig ix1.5 down exit 0
with corresponding cron rules as follows:
I figure this ought to take the entire interface to his VLAN offline and block internet access outside of hours we approve of.
So, if you are still with me I have a few questions.
1.) Is there a more elegant way to do this, or does my strategy seem to make sense?
2.) Can anyone help me figure out why my Open DNS pass rules don't seem to be working?
In the DHCP server service, I have changed the DNS servers for just his VLAN interface to include the two IP addresses for the OpenDNS free family service. I have checked on his local machine, and those two DNS servers are assigned to the machine, and work as intended, until I add my firewall rules described above intended to block the use of any other DNS server. Appreciate any suggestions on what I might have done wrong, and what can fix it.
3.) I havent spent much time with the pfSense cron package in the past. Does it use local time (as configured in the web interface) or UTC?
4.) Does the pfsense package cron list get saved in a traditional crontab anywhere? I was trying to edit the crontab from the command line using crontab -e, but nothing from this list was present. The crontab there is just blank.
Appreciate any assistance!
Edit:
I realized after the fact that while I intended this to be a thread asking questions about the Cron package, I also drifted into firewall rules questions, so I have started a separate thread in the firewall section specifically for the firewall portion of my issues. Sorry about the miscategorization.
--Matt