[Firehol-support] Limiting daily usage of web videos?

Tsaousis, Costa costa at tsaousis.gr
Tue Feb 10 00:52:02 CET 2015


What I do is a bit different.

Every kid is different. My daughter wants to be on facebook for hours.
My son plays online games or chats with his friends using skype. I try
not to enforce what they do, but only when they do it and how much of
it they do.

We have pre-agreed times that internet access is allowed. We discussed
this together and they picked what best suited their needs, based on
their afternoon activities (sports, etc).

So, there is a cron job that enables and disables internet access at a
different time every day (even twice a day). On Saturday and Sunday
internet is on.

Things we find useful and probably they need at school are always on:
google search, educational sites, dns, etc. I do url filtering with a
squid, and packet filtering with firehol for everything else.

For exceptions, my wife can enable or disable full internet access by
calling my asterisk, with a pin.

This is my /usr/local/sbin/parental-control.sh script (my home used
lan IPs 10.11.12.0/24):

---

#!/bin/sh

# re-run through sudo when not started as root
[ "root" != "$USER" ] && exec sudo "$0" "$@"

# LAN IPs that always have internet access
whitelist="
...LAN IPs...
"

# LAN IPs that are used by the parents only
parents="
...LAN IPs...
"

# Internet IPs and domains
good_destinations="... INTERNET IPs ..."
good_domains=".google.com .google.gr .wikipedia.org ...DOMAINs..."

clear() {
        iptables -t filter --flush PARENTAL

        # allow the good destinations
        for x in $good_destinations
        do
                iptables -t filter -A PARENTAL -d $x -j ACCEPT
        done
}

block() {
        for x in $*
        do
                iptables -t filter -A PARENTAL -p tcp -s $x -j REJECT --reject-with tcp-reset
                iptables -t filter -A PARENTAL        -s $x -j REJECT
        done
}

allow() {
        for x in $*
        do
                iptables -t filter -A PARENTAL -s $x -j ACCEPT
        done
}

gen_squid_acl() {
        echo "acl home src 10.11.12.0/24"

        for x in $good_domains
        do
                echo "acl good_domains dstdomain $x"
        done

        for x in $*
        do
                echo "acl parents src $x"
        done
        echo "http_access allow parents"
        echo "http_access allow good_domains"
        echo "http_access deny home"
        echo "deny_info ERR_CUSTOM_ACCESS_DENIED home"
}

case "$1" in
        parents)
                echo >&2 "Enabling PARENTS DEVICES access only"
                clear
                allow $whitelist
                allow $parents
                block 0.0.0.0/0
                gen_squid_acl $whitelist $parents >/etc/squid/block_acl.conf
                /etc/init.d/squid reload
                ;;

        enable)
                echo >&2 "Enabling FULL parental control"
                clear
                allow $whitelist
                block 0.0.0.0/0
                gen_squid_acl $whitelist >/etc/squid/block_acl.conf
                /etc/init.d/squid reload
                ;;

        disable)
                echo >&2 "Disabling parental control"
                clear
                allow 0.0.0.0/0
                echo >/etc/squid/block_acl.conf
                /etc/init.d/squid reload
                ;;

        *)
                echo >&2 "Either 'enable' or 'disable' or 'parents' should be given."
                exit 1
                ;;
esac

---

In squid.conf I have this line below the ACLs it has by default:

include /etc/squid/block_acl.conf


In firehol.conf I have this:

---

# at the top - you need the latest firehol from github for this
# the syntax on previous versions was different
action PARENTAL chain ACCEPT

# this is the parental router - it must be the first router you have
router4 policyrouter inface any outface "${lan}" src not 10.11.12.0/24 dst 10.11.12.0/24
        client all PARENTAL

---

This is my crontab:

00 22 * * *     root    /usr/local/sbin/parental-control.sh disable
00 23 * * 1-4   root    /usr/local/sbin/parental-control.sh parents
0 1 * * *       root    /usr/local/sbin/parental-control.sh disable

0 13 * * 1-4    root    /usr/local/sbin/parental-control.sh enable
45 14 * * *     root    /usr/local/sbin/parental-control.sh disable
30 15 * * 1-4   root    /usr/local/sbin/parental-control.sh enable

and this is extensions.conf on asterisk:

[parental-menu]
include => master-hangup

exten => s,1,Answer()
        same => n,Set(CHANNEL(language)=gr)
        same => n(loop),Background(gr/parental-menu-menu)
        same => n,WaitExten()

exten => t,1,Goto(s,loop)
exten => i,1,Goto(s,loop)

exten => PIN0,1,NoOp(Pressed ${EXTEN})
        same => n,system(/usr/local/sbin/parental-control.sh enable >/tmp/parental.log 2>&1)
        same => n,Playback(parental-enabled)
        same => n,Goto(s,loop)

exten => PIN1,1,NoOp(Pressed ${EXTEN})
        same => n,system(/usr/local/sbin/parental-control.sh disable >/tmp/parental.log 2>&1)
        same => n,Playback(parental-disabled)
        same => n,Goto(s,loop)

exten => PIN2,1,NoOp(Pressed ${EXTEN})
        same => n,system(/usr/local/sbin/parental-control.sh parents >/tmp/parental.log 2>&1)
        same => n,Playback(parental-parents)
        same => n,Goto(s,loop)

where PIN is the PIN my wife uses.

Also asterisk will need this line in sudoers to allow the script to run as root:

asterisk ALL=(root) NOPASSWD: /usr/local/sbin/parental-control.sh


I hope these help...

Costa

On Mon, Feb 9, 2015 at 10:17 PM, Tommi Lundell <tommi.lundell at kapsi.fi> wrote:
> Hello,
>
> This is likely a wrong forum to ask this one but anyway the best I know.
>
> I am trying to find a way to limit my kids' "video" time in a day. They mostly
> use YouTube from their tablets and computers.
> Does someone have an idea how I can monitor time spent on a site per host? It's
> pretty simple to drop incoming packets when the time is exceeded.
> There are time-based rules, but what I want is to give, for example, a 1h token
> every day that a kid can spend in many pieces.
>
>
> The only idea I have is to write a script that counts traffic to/from
> YouTube every second and controls packets based on this information.
>
> All ideas are valued :-)
>
> Tommi


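Squid evaluates http_access lines top to bottom and stops at the first match, so the order in which gen_squid_acl emits them decides who gets through. The following is an added example, not part of the original post: it evaluates that generated text offline for a given client and host. The function names acl_matches and squid_verdict and the device address 10.11.12.5 are assumptions made for the illustration.

```sh
#!/bin/sh
# Constructed sample: the text gen_squid_acl prints in "enable" mode when the
# whitelist holds one made-up device, 10.11.12.5 (domains as in the post).
SAMPLE_ACL='acl home src 10.11.12.0/24
acl good_domains dstdomain .google.com
acl good_domains dstdomain .wikipedia.org
acl parents src 10.11.12.5
http_access allow parents
http_access allow good_domains
http_access deny home
deny_info ERR_CUSTOM_ACCESS_DENIED home'

# acl_matches NAME SRC HOST ACLTEXT: succeed if any "acl NAME" line matches.
# Handles only what the script emits: single IPs, /24 networks, dstdomain.
acl_matches() {
        want=$1
        while read -r k n t v; do
                [ "$k" = acl ] && [ "$n" = "$want" ] || continue
                case "$t:$v" in
                src:*/24)     [ "${2%.*}" = "${v%.*}" ] && return 0 ;;
                src:*)        [ "$2" = "$v" ] && return 0 ;;
                # a leading dot covers the domain itself and its subdomains
                dstdomain:.*) case ".$3" in *"$v") return 0 ;; esac ;;
                dstdomain:*)  [ "$3" = "$v" ] && return 0 ;;
                esac
        done <<EOF
$4
EOF
        return 1
}

# squid_verdict SRC HOST ACLTEXT: print the action of the first http_access
# line whose ACL matches, or "no-match" when none of these lines decides.
squid_verdict() {
        while read -r kw action name rest; do
                [ "$kw" = http_access ] || continue
                if acl_matches "$name" "$1" "$2" "$3"; then
                        echo "$action"
                        return 0
                fi
        done <<EOF
$3
EOF
        echo no-match
}

for h in www.youtube.com en.wikipedia.org; do
        echo "10.11.12.7 -> $h: $(squid_verdict 10.11.12.7 "$h" "$SAMPLE_ACL")"
done
```

An empty file, which is what the disable mode writes, yields no-match: the decision then falls to the http_access lines that follow the include in squid.conf.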