[Firehol-support] limiting internet to certain periods of time

Tsaousis, Costa costa at tsaousis.gr
Sun Feb 12 16:09:18 GMT 2017


Well you have several options:

The input of something is the output of something else and vice versa. So,
setup 2 blacklists one internet facing, the other lan facing.

But, you can also use src and dst. Something like this will block all
internet traffic:

lan="10.0.0.0/24"
blacklist4 ... src "${lan}" dst not "${lan} 255.255.255.255"

255.255.255.255 I think is used by DHCP.

Keep in mind though the above will lead to timeouts on your PCs.

It is probably better to reject traffic (instead of dropping it) at the
firewall and use the command conntrack to remove the established
connections from the connection tracker (firehol will drop them
immediately).
There will be no timeouts if you use something like this.

Costa


On Sun, Feb 12, 2017 at 5:06 PM, Spike <spike at drba.org> wrote:

> Hello Costa,
>
> I'm doing just that and looks great, thanks. And thank you for mentioning
> the blacklist helper, very useful, especially for its stateless
> capabilities. I have a question about it: the gw/fw is also providing dhcp
> for the lan. During those given times I want hosts not to go online, but I
> still need them to be able to use dhcp etc. Can the blacklist be applied
> somehow to the outgoing/internet facing interface? I saw there is an inface
> attribute, but no outface one, but maybe it doesn't matter and I can just
> use inface on the outgoing ones?
>
> thanks,
>
> Spike
>
> On Fri, Feb 10, 2017 at 10:43 AM Tsaousis, Costa <costa at tsaousis.gr>
> wrote:
>
>> Hi Spike,
>>
>> You can use ipsets in firehol.conf and run cron jobs to add/remove IPs to
>> the already configured ipsets.
>> This works perfectly and does not need a restart of your firewall.
>>
>> Some special attention has to be given to established connections.
>> If you want even the established connections to be dropped, I suggest to
>> use blacklists which will examine all the traffic.
>>
>> The wiki and manual have information about both.
>>
>> Costa
>>
>>
>> On Fri, Feb 10, 2017 at 7:34 PM, Spike <spike at drba.org> wrote:
>>
>> Dear all,
>>
>> I need to restrict internet for certain clients based on time ranges. So
>> for example ip a.b.c.d should only be able to reach the internet between 5
>> and 6pm, while x.y.w.z only between 1-2pm.
>>
>> Before using firehol, I was accomplishing this by defining a custom chain
>> "timelimited" in the INPUT chain that would drop all traffic for the ips
>> it contained. I would then have cron firing off at various intervals
>> adding and removing ips from "timelimited".
>>
>> What's the recommended way to implement this with firehol? I looked to see
>> if there was any utility for time based rules, but didn't find one.
>>
>> thanks,
>>
>> Spike
>>
>> _______________________________________________
>> Firehol-support mailing list
>> Firehol-support at lists.firehol.org
>> http://lists.firehol.org/mailman/listinfo/firehol-support
>>
>>
>>

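The approach the thread converges on (an ipset referenced from firehol.conf, cron adjusting its membership, and conntrack clearing established flows so the block takes effect without timeouts) as an added example. This script is not from the thread's participants or the FireHOL project. The firehol.conf lines in the header comment are the FireHOL 3 ipset/blacklist syntax as I expect it and should be checked against firehol-ipset(5) and firehol-blacklist(5); the set name, interface, addresses and time windows are constructed placeholders; DRY_RUN defaults to printing the commands instead of running them.

```shell
#!/bin/sh
# Added example: cron-driven membership of an ipset that a firehol.conf
# blacklist rule consumes. Assumed firehol.conf (verify against the manual):
#
#   ipset4 create timelimited hash:ip
#   blacklist4 full inface eth1 ipset:timelimited   # eth1 = LAN side
#
# Schedule format (constructed sample): "IP START END" per line, hours 0-23,
# the host may reach the internet during [START, END) local time and is put
# in the set (blocked) at every other hour.
SCHEDULE='
10.0.0.5 17 18
10.0.0.7 13 14
'
IPSET_NAME="timelimited"        # assumed set name, must match firehol.conf
DRY_RUN="${DRY_RUN:-1}"         # DRY_RUN=0 to really call ipset/conntrack

# run: print the privileged command, or execute it when DRY_RUN=0
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "would run: $*"
    else
        "$@"
    fi
}

# allowed_now START END HOUR -> success if HOUR is inside [START, END)
allowed_now() {
    [ "$3" -ge "$1" ] && [ "$3" -lt "$2" ]
}

# wanted_blocked HOUR -> prints the IPs that must be in the set at HOUR
wanted_blocked() {
    hour=$1
    echo "$SCHEDULE" | while read -r ip start end; do
        [ -z "$ip" ] && continue
        allowed_now "$start" "$end" "$hour" || echo "$ip"
    done
}

# apply HOUR: reconcile set membership with the schedule for HOUR.
# -exist makes add/del idempotent, so the job can run every few minutes.
apply() {
    hour=$1
    echo "$SCHEDULE" | while read -r ip start end; do
        [ -z "$ip" ] && continue
        if allowed_now "$start" "$end" "$hour"; then
            run ipset del "$IPSET_NAME" "$ip" -exist
        else
            run ipset add "$IPSET_NAME" "$ip" -exist
            # flush the host's tracked connections so already-established
            # flows are blocked immediately instead of timing out
            run conntrack -D -s "$ip"
        fi
    done
}

apply "$(date +%H)"
```

Install it as an hourly (or more frequent) root cron job with DRY_RUN=0; because the set is mutated in place, the firewall itself never needs a restart, which is the point Costa makes above.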
