A few basic questions about features from a NOOB -


  • LAYER 8 Global Moderator

    yeah mine was just an example of the command, I don't have any firewall rules blocking access on a schedule.  Just showing that I killed them, and they show all gone.  Then sure they will try and reconnect.  But in the posters case his new scheduled rule will prevent them from being created.



  • @l3lu3:

    How tech savvy is your kid? If it were me, I'd be running it against his MAC. At the least, most kids nowadays know how to change an IP address :P That can be spoofed as well, which returns to my original question, how tech savvy?

    My thought as well. By extension, the MAC address can often be changed too. You may have better success in a small network by blocking all network traffic EXCEPT the devices that you specifically want to allow during your restricted hours.



  • Thank you John and Chemlud  ;D

    It would have been perfect if, on using the schedules, functionality had been built in to kill states for that rule automatically, but this workaround will work too.

    @cneep:

    @l3lu3:

    How tech savvy is your kid? If it were me, I'd be running it against his MAC. At the least, most kids nowadays know how to change an IP address :P That can be spoofed as well, which returns to my original question, how tech savvy?

    My thought as well. By extension, the MAC address can often be changed too. You may have better success in a small network by blocking all network traffic EXCEPT the devices that you specifically want to allow during your restricted hours.

Is it that easy to spoof your LAN IP address, from, say, Win7? For even kids?

    :o

A partial workaround might be static IP with 'deny unknown clients' on the DHCP server(?) Of course, that also hardly is 100% fool proof, as kid might simply scan the LAN and take ip of parent (provided parent isn't online).



  • @Hollander:

Is it that easy to spoof your LAN IP address, from, say, Win7? For even kids?

    :o

    All it takes is access to the device manager where the settings for the network adapter device offers you a field where you can enter the MAC address you want to use instead of the pre-programmed one.


  • Netgate Administrator

    @Hollander:

    For even kids?

Especially for kids! They don't know it might be or should be difficult so they poke around until it's done. They've never known a computer that wasn't on the internet or a firewall that couldn't be eventually broken. Also they probably have a lot of friends who are also learning about this stuff and there's literally thousands of pages on the web explaining how to do it. Safer to assume kids know more than you!  ;)

    Steve



  • @stephenw10:

    Especially for kids! …

    DHCP, with static mapping based on MAC, with "deny unknown clients", with static ARP. What would be the work-around to get internet access? :-\

    EDIT: Cron job for killing states works apparently fine! However, it looks as if states for one of the users were already killed when the firewall went to "BLOCK"… strange...


  • Netgate Administrator

    I'm not saying that it's impossible to lock down a computer to prevent 'unauthorised' internet access. It's easy enough to put a security policy on a Windows box to prevent users changing the MAC but how many home computers have that?
    I'm just saying that most computer literate school age children have probably come up against some sort of web/connection filter at some point and those who are minded to do so have probably looked into ways to get around it. Someone they are friends with will have suggested finding the MAC of a local authorised machine from the ARP table and changing your MAC to it. That friend will then gain popularity for doing so. Everybody wins. Except the network admin/parents!

    It would be a mistake to assume that just because users are children they will not be familiar with basic networking. It's in their interests to keep you thinking they aren't.  ;)

    Steve



  • @chemlud:

    DHCP, with static mapping based on MAC, with "deny unknown clients", with static ARP. What would be the work-around to get internet access? :-\

Exactly what my thinking was and then running the CRON jobs. I am even thinking of VLAN-ing him to keep him completely separate and isolated. I already have him set up on a guest wifi network that is isolated from us. So, now I guess I have to buy a smart or managed switch. The $$$$ keeps flying away! lol

    Kind of how it is setup on my DD-WRT router. Again, DD-WRT itself is 50/50 reliable and then there are fixes and new versions and then what was working doesn't work any more. lol I have a love/hate relationship with it. lol

    @stephenw10:

    I'm not saying that it's impossible to lock down a computer to prevent 'unauthorised' internet access. It's easy enough to put a security policy on a Windows box to prevent users changing the MAC but how many home computers have that?
    I'm just saying that most computer literate school age children have probably come up against some sort of web/connection filter at some point and those who are minded to do so have probably looked into ways to get around it. Someone they are friends with will have suggested finding the MAC of a local authorised machine from the ARP table and changing your MAC to it. That friend will then gain popularity for doing so. Everybody wins. Except the network admin/parents!

    It would be a mistake to assume that just because users are children they will not be familiar with basic networking. It's in their interests to keep you thinking they aren't.  ;)

    Steve

    Uhhhhh, YEP! lol Been through this. Trust me I am so freaking glad he is 19 now. From the time he was 14 it was a total battle royal. The parental software out there is a joke - Net Nanny, etc., I tried them all! The kids go to forums or chat and learn from each other how to hack it and bypass it. And the sw companies move like molasses when it comes to fixing their bugs. I spent 3 solid months playing email ping pong with Net Nanny actually helping them fix their own darn bugs and I just had had enough. By the time he was 17, I had to go to the extreme level. I literally had the machine locked down and frozen with Deep Freeze by Faronics with only his game folders and a homework folder on a separate isolated HD being the only things on his PC that he could alter. And it worked too! He was so pissed you could see the hate! lol I even had the BIOS locked with a password too.

    So now he is a 19 yr old college freshman about to become a sophomore and a full summer ahead of him and I am not going to deal with him PCing into the wee small hours. I will pull the router plug out if I have to and that is in a steel locked cabinet that he definitely can't get to. lol Hence, why I drool over something rock solid and automated to save me the stress.


  • Netgate Administrator

Agreed, a separate interface is the way to go for real security.
Then put a super cheap switch between the router and the hostile machine. Power that switch via a timer. Done!  ;)

    Steve



  • @chemlud:

    @Hollander:

    Useful, John, thank you for this suggestion  ;D

But, as always, I don't understand it: you first kill the states, then they are re-established by the system, then you have to kill them again via a cronjob? But won't they be established again then?

Or more fundamentally: shouldn't the firewall schedule take care of this automatically? As in: 'this is not a bug, it is a feature'? ( ;D )

    If you kill the states after a scheduled "end of internet access" the states can't be re-established…

    Lately I checked for states after "end of internet" and after the subsequent Cron job to kill all states and found for one of the IPs active states 1.5 hours after the end of internet… How can that happen?  :o

    I would like to monitor the states via email report, but unfortunately there is no log for the states and I don't know the command to be executed to post the current states of the box.... Can anybody help me out, please?  :)


  • LAYER 8 Global Moderator

I showed you the command to list states for an IP, or all of them: pfctl -ss

You may need to kill both sides of the state..  When you kill the states, what do you show with the -ss for the host you're worried about?  You may need to use the -k twice, etc.

I would suggest you read the man on pfctl, I would have assumed that would have been step one after I gave the command example ;)

    http://www.openbsd.org/cgi-bin/man.cgi?query=pfctl&sektion=8

    NAME
        pfctl - control the packet filter (PF) device

    SYNOPSIS
        pfctl [-deghnPqrvz] [-a anchor] [-D macro=value] [-F modifier] [-f file]
              [-i interface] [-K host | network] [-k host | network | label | id]
              [-L statefile] [-o level] [-p device] [-S statefile]
              [-s modifier [-R id]] [-t table -T command [address …]]
              [-x level]



Yes, I must confess I started with Linux/BSD last fall, so I'm far from pro… Should invest a little more time, but currently it is a little bit too much around here. I'll do my very best  :D


  • LAYER 8 Global Moderator

Huh?  From your title of the thread we understand you're not a pro ;)

Given a command, with examples that showed listing of states, it doesn't seem too far reaching to think the person with the interest in the function would breeze over the doc for the command given..

I would think the same thing be it a linux/bsd command or a windows cmd..  If I, say, told you to release your dhcp lease you could use ipconfig /releaseall

Wouldn't you look up the command ipconfig?  Not like I gave you the example pfctl and then expected you to recompile your kernel ;)



  • cough I didn't start this thread, I actually hijacked it. cough, cough  ::)

    … but the pfctl does nicely what it is supposed to do with the mail report. Unfortunately the mail report allows eMails only at full hours (no minutes to be added to the job...). (edit: me idi**, found the jobs in Cron to edit the time of execution  ;)). However, very nice indeed!

    And I compiled my kernel with the router at the same time :P



  • It's absolutely fascinating:

    20:00 firewall turns off internet (block rule all IPs and all ports with schedule)
20:02 all states are gone (pfctl -ss | grep <ip> via mail report, and checked by hand)

    however, as pidgin, thunderbird and firefox are still open on this particular computer:

    20:04 states (more than a dozen) to google (993) and to one of these infamous game servers (443) are up again (in both directions):

    re2 tcp 74.125.136.16:993 <- 10.xxx.xxx.xxx:38268      ESTABLISHED:ESTABLISHED
    re1 tcp 10.xxx.xxx.xxx:38268 -> 83.xxx.xxx.xxx:40101 -> 74.125.136.16:993      ESTABLISHED:ESTABLISHED

    or

    re2 tcp 216.66.6.120:443 <- 10.xxx.xxx.xxx:37596      ESTABLISHED:ESTABLISHED
    re1 tcp 10.xxx.xxx.xxx:37596 -> 83.xxx.xxx.xxx:44266 -> 216.66.6.120:443      ESTABLISHED:ESTABLISHED

    …for example...

The Cron job to kill all states for this particular local IP doesn't change anything, all states present (again?) 5 minutes after the pfctl -k <ip> command.

Only killing each and every state at once apparently really ends the game(s), so to say.



  • @johnpoz:

    …  Or you could issue a pfctl -f state

    Which would kill all states - if possible target just his IP.. so doesn't break your connections.

    Actually, the correct command to kill all states is

    pfctl -F state

    (there is an error at the man page for pfctl at openBSD, there it is "states", which actually doesn't work… :-D )

    http://www.openbsd.org/cgi-bin/man.cgi?query=pfctl&sektion=8


  • Netgate Administrator

    The pf in FreeBSD has moved significantly away from that in OpenBSD. Also the pf in pfSense is different to that in the base FreeBSD version so even this page may not be entirely correct. But, yes 'F' appears correct.  :)

    Steve



  • I found the easiest way to avoid all the hassle with killed connections and existing states etc was to take the other approach.

    make an alias for IP addresses you want to block called blocked
    make a schedule for the hours you want it to work named limits

    Firewall rules, LAN tab,
    first rule is the antilockout rule
    second rule says when the controlled devices ARE allowed on,
allow source blocked schedule limits
third rule is
allow source !blocked

    works very well.

PS it's trivial to get an app to change the mac address, so it's not exactly foolproof.  I told my kid that it's his reminder, not designed to be foolproof.



  • …today I found some states (I think it was one of these game IPs) 1.5 hours after the block kicked in and a subsequent pfctl -F state.

    I don't believe any longer in any of those firewalls, rules, whatsoever. An open browser is apparently enough to restart the states, no idea how that works...



  • Try what I do.  I know it works because right on the hour, he walks out of his room and gets a snack every day.  If the game he was playing was still working, he would be still in there!.


  • LAYER 8 Global Moderator

    "1.5 hours after the block kicked in and a subsequent pfctl -F state."

You're sure your command ran and cleared the states?  If pfctl -f or -F clears the states and your rules don't allow traffic then something is clearly not right in the rules or the states were not cleared would be my guess.



I have a Cron job to do pfctl -F state 1 min after the block rule kicks in (allow rules didn't work either and I had to have more than one, due to the general limitations on ports/IPs). An eMail Service says 1 h later:

    "This is a periodic report from your firewall

    Current report: states >NAME< 21:00

    Command output: states (pfctl -ss | grep 10.zzz.yyy.xxx)"

    i.e. there are no states, which I checked by hand several times. But half an hour later I found 6-8 states to this notorious ivony.com IP (216.66.6.120). Unfortunately I killed them and took no screenshot in advance…


  • LAYER 8 Global Moderator

Can you post up your rules so we can take a look at what they are and what you're trying to do..  I thought you wanted to block his access completely..  Off the top, if you're saying new states are being created when you're trying to block them, then your rules are not correct for what you're trying to do.



  • Hello again and many thanks for your patience! :-)

Here are the first 3 rules of my LAN set. The first is the default, the second blocks some domain names (as in alias "blocklist") for the kids' IPs (alias "junx", IPs are correct, trust me :-D ).

    The third rule blocks all WAN access according to a schedule called "majo", see below, which kicks in at 21:00. At 21:00 the eMail report for the states (pfctl -ss | grep 10.xxx.yyy.zzz) of one of the IPs blocked is EMPTY, completely empty, Null, NADA, NIENTE…

    EDIT: But I found now that this is not the truth, there ARE states alive at that time, checked by hand (Diagnostics -> States). What is wrong with the eMail report job? :o

    The browser at the kids computers is still alive at that time, of course. Two minutes later the Cron job does (?) its job

    pfctl -F state

    EDIT: However, the states are still alive, not in the eMail report (completely empty), but when I check manually. When I go to Status -> eMail Reports and press "Send now", there ARE states, but not according to the eMail sent out automatically.... STRANGE indeed!

    Now I'm no longer willing to watch this and do

    Diagnostics -> States -> filter for kids IP and press KILL

    States are gone now... dunno if they come up again if they manipulate with their browsers, normally they should NOT. ;)

So actually the problem appears to be related to my Cron job and the eMail Reports on states sent out. Apparently. Or any other explanations? ???

![firewallrules kids.JPG](/public/imported_attachments/1/firewallrules kids.JPG)
![schedule majo.JPG](/public/imported_attachments/1/schedule majo.JPG)


  • LAYER 8 Global Moderator

Well another thing is when are the states being created? From your schedule there is 1 minute while it's off.  So at 23:59:01 it's off till 23:59:59, then turns back on at 00:00

Just pointing out a possible flaw..  You would need to validate that the states are gone..  Why your email says there are none, but there are when you check, is odd yes.



  • Same game today:

    21:00 firewall block rule
    21:00 eMail report for "pfctl -ss | grep 10.XXX.YYY.ZZZ" COMPLETELY EMPTY
    21:01 Cron job "01  21  *  *  *  root  pfctl -F state"

    so far so good, but

21:14 I check states for the blocked IP via Diagnostics -> States and find: 32 states alive, AS WELL AS by pressing "SEND NOW" for the eMail Report job for 21:00, same result, dozens of states alive…

    I erased the Cron job as well as the eMail report jobs yesterday and made them new. Makes no difference, as you see. Don't know what to do next...



  • Question:

    Found this in my logs:

    php: rc.start_packages: The command '/usr/local/etc/rc.d/cron.sh stop' returned exit code '1', the output was ''

    Might this result in impaired Cron functionality?


  • Netgate Administrator

    That's not necessarily a problem. Cron is stopped and restarted along with all packages, usually in response to an IP change on one of your interfaces though could be a config change etc. As long as it starts again correctly it shouldn't be causing an issue though you could end up with multiple instances if it wasn't stopped correctly for example.

    Steve



  • Status -> Services shows Cron as up and running

    Diagnostics -> Sockets shows only one instance for Cron

    Re-installed Cron package, but I still don't see proper functioning, as apparently the states are not killed (pfctl -F state) and the output from eMail reports (performed via Cron jobs) doesn't provide accurate information on the states present.

    No idea why…



  • ..got an idea why. Question:

In which directory are the commands executed in the Diagnostics -> Execute Command window of the GUI?

    Is it /usr/bin/ ?

    That could make my Cron job for killing states work, if I find the right directory to execute the Cron job in…


  • Moderator

    To display the location of your current working directory, enter the command

    pwd

    The output should look similar to:

    /home/user



  • Hey, many thanx!

    Apparently it's

    /usr/local/www

    … I'll try that this evening... :-D


  • Netgate Administrator

    Make sure you use the absolute path to all the commands in your cron job. That way it doesn't matter where it's executed from.
    Edit: Or, importantly, that the process executing the cron job may not have the same default paths as a shell prompt.

    Steve



  • Definitely! But at first you have to know the correct absolute path!  ;)


  • Moderator

Stephen is correct: always use absolute paths in the scripts.

    To find the location of a file, you can run the following command.

    find / -name pfctl



  • OK, then it should be /sbin/pfctl … Try this today

    What I really don't understand is the problem with the eMail Reports. When I press "Send Now" at the setup page for the respective job everything is fine and the eMail contains the information on the states for the requested IP. But when the Cron runs the respective php script the eMail contains no states at all... tried the /sbin/ path for the eMail Report command, too, let's see if it works... :-D


  • Moderator

    Can you post the commandline?



  • @chemlud:

    ….
    21:00 eMail report for "pfctl -ss | grep 10.XXX.YYY.ZZZ" COMPLETELY EMPTY
    ...

    ;)

    Edit: Crazy, I tried the command (without /sbin/) on another box for a different IP (without a block rule at the firewall tab) and there the Cron-sent eMail Report is correct, including the states info for the requested IP. Dunno what's wrong here…


  • Moderator

I set that command to run and it emailed thru without issue. I did include " " around the IP address though.

    /sbin/pfctl -ss | grep "10.XXX.YYY.ZZZ"



  • See my edit above, worked for me without the "" for the IP, but not on the box I need the command to work.  Unfortunately the eMail Report page of the GUI allows no minutes to be entered, so only every full hour the job can be tested…

    To be continued... :-)

    Edith:

    Cron job with

    /sbin/pfctl -k 10.XXX.YYY.ZZZ

    1 minute after the block rule WORKED! PAAARTY!  8)

    And the eMail Report for
    pfctl -ss | grep 10.XXX.YYY.ZZZ

    gave no output, while

    /sbin/pfctl -ss | grep 10.XXX.YYY.ZZZ

    correctly reported the states!

    Problems solved, Block rule works
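As an added example (not code from this thread, from pfSense, or from any of the posters): a small POSIX sh script that does what the cron job and the e-mail report in this thread were meant to do, and that shows the two points the thread ended on: call pfctl by its absolute path because cron does not have the shell's PATH, and verify afterwards that the states for the host are really gone, matching the address exactly rather than with a bare grep (which would also match 10.0.0.200 when you ask for 10.0.0.20). The kill runs `-k` twice, once with the host as source and once with it as destination, as the moderator suggested above. The LAN address 10.0.0.20, the WAN address 83.0.0.1 and the lines in SAMPLE_STATES are constructed, modelled on the `pfctl -ss` output quoted earlier in the thread; the function names are mine.

```shell
#!/bin/sh
# Added example: verify and clean up pf states for one LAN host from a cron job.
# Assumes pfSense/FreeBSD with pfctl at /sbin/pfctl. SAMPLE_STATES is constructed
# test input shaped like the `pfctl -ss` lines quoted in the thread (one WAN-side
# NAT entry plus one LAN-side entry per connection); 10.0.0.20 is the "kid" host.
SAMPLE_STATES='re2 tcp 74.125.136.16:993 <- 10.0.0.20:38268       ESTABLISHED:ESTABLISHED
re1 tcp 10.0.0.20:38268 -> 83.0.0.1:40101 -> 74.125.136.16:993       ESTABLISHED:ESTABLISHED
re2 tcp 216.66.6.120:443 <- 10.0.0.20:37596       ESTABLISHED:ESTABLISHED
re1 tcp 10.0.0.20:37596 -> 83.0.0.1:44266 -> 216.66.6.120:443       ESTABLISHED:ESTABLISHED
re2 udp 10.0.0.1:53 <- 10.0.0.200:51000       MULTIPLE:SINGLE
re1 tcp 10.0.0.200:51000 -> 83.0.0.1:51000 -> 93.184.216.34:80       ESTABLISHED:ESTABLISHED'

# count_states IP STATES_TEXT
# Number of state entries in which IP is an endpoint. The address part of every
# addr:port token is compared whole, so 10.0.0.20 does not match 10.0.0.200.
count_states() {
    printf '%s\n' "$2" | awk -v ip="$1" '
        {
            for (i = 3; i <= NF; i++) {
                if ($i ~ /^[0-9.]+:[0-9]+$/) {
                    split($i, a, ":")
                    if (a[1] == ip) { n++; break }
                }
            }
        }
        END { print n + 0 }'
}

# remote_endpoints IP STATES_TEXT
# Distinct far-end addr:port values the host is talking to (what the thread was
# eyeballing for the 443/993 game and mail servers). "<-" entries list the far
# end first, "->" entries list it last (after the NAT hop).
remote_endpoints() {
    printf '%s\n' "$2" | awk -v ip="$1" '
        {
            mine = 0; first = ""; last = ""
            for (i = 3; i <= NF; i++) {
                if ($i ~ /^[0-9.]+:[0-9]+$/) {
                    split($i, a, ":")
                    if (a[1] == ip) mine = 1
                    if (first == "") first = $i
                    last = $i
                }
            }
            if (mine) {
                if ($4 == "<-") far = first; else far = last
                print far
            }
        }' | sort -u
}

# verify_cleanup IP STATES_TEXT
# Succeeds only when no state for the host is left; prints a short report either way.
verify_cleanup() {
    n=$(count_states "$1" "$2")
    if [ "$n" -eq 0 ]; then
        echo "ok: no states for $1"
        return 0
    fi
    echo "WARNING: $n states still present for $1:"
    remote_endpoints "$1" "$2"
    return 1
}

# live_states: fetch the real state table. Absolute path on purpose: cron's PATH
# is not the interactive shell's, which is why the bare "pfctl" in the e-mail
# report job above produced an empty report.
live_states() {
    /sbin/pfctl -ss 2>/dev/null
}

# kill_states IP: remove states in both directions, then verify. Intended for a
# cron line such as:  01 21 * * * root /path/to/this/script 10.0.0.20
kill_states() {
    [ -x /sbin/pfctl ] || { echo "no /sbin/pfctl on this host" >&2; return 2; }
    /sbin/pfctl -k "$1" >/dev/null 2>&1              # states where IP is the source
    /sbin/pfctl -k 0.0.0.0/0 -k "$1" >/dev/null 2>&1 # states from anywhere to IP
    verify_cleanup "$1" "$(live_states)"
}

# When run with an address on the command line, act on the live state table.
[ -n "${1:-}" ] && kill_states "$1"
```

Run it as `sh kill_states.sh 10.0.0.20` from cron; with no argument it only defines the functions, which is how it was checked against SAMPLE_STATES. The `verify_cleanup` return code is what you would log or mail: a non-zero exit one minute after the block rule starts is the signal the thread was missing when its report came back empty.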

