[Firehol-support] Limiting daily usage of web videos?
Tsaousis, Costa
costa at tsaousis.gr
Mon Feb 9 23:52:02 GMT 2015
What I do is a bit different.

Every kid is different. My daughter wants to be on facebook for hours.
My son plays online games or chats with his friends using skype. I try
not to enforce what they do, but only when they do it and how much of
it they do.

We have pre-agreed times that internet access is allowed. We discussed
this together and they picked what best suited their needs, based on
their afternoon activities (sports, etc).

So, there is a cron job that enables and disables internet access at a
different time every day (even twice a day). On Saturday and Sunday
internet is on.

Things we find useful and probably they need at school are always on:
google search, educational sites, dns, etc. I do url filtering with a
squid, and packet filtering with firehol for everything else.

For exceptions, my wife can enable or disable full internet access by
calling my asterisk, with a pin.

This is my /usr/local/sbin/parental-control.sh script (my home used
LAN IPs 10.11.12.0/24):
---
#!/bin/sh

# re-run through sudo when started by a non-root user (e.g. asterisk)
[ "root" != "$USER" ] && exec sudo "$0" "$@"

# LAN IPs that always have internet access
whitelist="
...LAN IPs...
"

# LAN IPs that are used by the parents only
parents="
...LAN IPs...
"

# Internet IPs and domains
good_destinations="... INTERNET IPs ..."
good_domains=".google.com .google.gr .wikipedia.org ...DOMAINs..."

# flush the PARENTAL chain and re-add the always-allowed destinations
clear() {
    iptables -t filter --flush PARENTAL

    # allow the good destinations
    for x in $good_destinations
    do
        iptables -t filter -A PARENTAL -d "$x" -j ACCEPT
    done
}

# reject traffic from the given sources (TCP gets a reset, the rest the default reject)
block() {
    for x in $*
    do
        iptables -t filter -A PARENTAL -p tcp -s "$x" -j REJECT --reject-with tcp-reset
        iptables -t filter -A PARENTAL -s "$x" -j REJECT
    done
}

# accept traffic from the given sources
allow() {
    for x in $*
    do
        iptables -t filter -A PARENTAL -s "$x" -j ACCEPT
    done
}

# print the squid ACLs; the arguments are the source IPs that bypass URL filtering
gen_squid_acl() {
    echo "acl home src 10.11.12.0/24"

    for x in $good_domains
    do
        echo "acl good_domains dstdomain $x"
    done

    for x in $*
    do
        echo "acl parents src $x"
    done

    echo "http_access allow parents"
    echo "http_access allow good_domains"
    echo "http_access deny home"
    echo "deny_info ERR_CUSTOM_ACCESS_DENIED home"
}

case "$1" in
    parents)
        echo >&2 "Enabling PARENTS DEVICES access only"
        clear
        allow $whitelist
        allow $parents
        block 0.0.0.0/0
        gen_squid_acl $whitelist $parents >/etc/squid/block_acl.conf
        /etc/init.d/squid reload
        ;;

    enable)
        echo >&2 "Enabling FULL parental control"
        clear
        allow $whitelist
        block 0.0.0.0/0
        gen_squid_acl $whitelist >/etc/squid/block_acl.conf
        /etc/init.d/squid reload
        ;;

    disable)
        echo >&2 "Disabling parental control"
        clear
        allow 0.0.0.0/0
        echo >/etc/squid/block_acl.conf
        /etc/init.d/squid reload
        ;;

    *)
        echo >&2 "Either 'enable' or 'disable' or 'parents' should be given."
        exit 1
        ;;
esac
---
In squid.conf I have this line below the acls it has by default:
include /etc/squid/block_acl.conf
In firehol.conf I have this:
---
# at the top - you need the latest firehol from github for this
# the syntax on previous versions was different
action PARENTAL chain ACCEPT

# this is the parental router - it must be the first router you have
router4 policyrouter inface any outface "${lan}" src not 10.11.12.0/24 dst 10.11.12.0/24
    client all PARENTAL
---
This is my crontab:
00 22 * * * root /usr/local/sbin/parental-control.sh disable
00 23 * * 1-4 root /usr/local/sbin/parental-control.sh parents
0 1 * * * root /usr/local/sbin/parental-control.sh disable
0 13 * * 1-4 root /usr/local/sbin/parental-control.sh enable
45 14 * * * root /usr/local/sbin/parental-control.sh disable
30 15 * * 1-4 root /usr/local/sbin/parental-control.sh enable
And this is extensions.conf on asterisk:
[parental-menu]
include => master-hangup
exten => s,1,Answer()
    same => n,Set(CHANNEL(language)=gr)
    same => n(loop),Background(gr/parental-menu-menu)
    same => n,WaitExten()
exten => t,1,Goto(s,loop)
exten => i,1,Goto(s,loop)
exten => PIN0,1,NoOp(Pressed ${EXTEN})
    same => n,system(/usr/local/sbin/parental-control.sh enable >/tmp/parental.log 2>&1)
    same => n,Playback(parental-enabled)
    same => n,Goto(s,loop)
exten => PIN1,1,NoOp(Pressed ${EXTEN})
    same => n,system(/usr/local/sbin/parental-control.sh disable >/tmp/parental.log 2>&1)
    same => n,Playback(parental-disabled)
    same => n,Goto(s,loop)
exten => PIN2,1,NoOp(Pressed ${EXTEN})
    same => n,system(/usr/local/sbin/parental-control.sh parents >/tmp/parental.log 2>&1)
    same => n,Playback(parental-parents)
    same => n,Goto(s,loop)
where PIN is the PIN my wife uses.
Also asterisk will need this line in sudoers to allow the script to run as root:
asterisk ALL=(root) NOPASSWD: /usr/local/sbin/parental-control.sh
I hope these help...
Costa
On Mon, Feb 9, 2015 at 10:17 PM, Tommi Lundell <tommi.lundell at kapsi.fi> wrote:
> Hello,
>
> This is likely a wrong forum to ask this one but anyway best what I know.
>
> I am trying to find a way to limit my kids' "video" time in a day. They mostly use
> YouTube from their tablets and computers.
> Does someone have an idea how I can monitor time spent on a site per host? It's
> pretty simple to drop incoming packets when time is exceeded.
> There are time-based rules but what I want is to give, for example, a 1h token every
> day that a kid can spend in many pieces.
>
>
> The only idea I have is to write a script that counts traffic to/from
> YouTube every second and controls packets based on this information.
>
> All ideas are valued :-)
>
> Tommi