[Firehol-support] limiting internet to certain periods of time
Spike
spike at drba.org
Mon Feb 13 00:37:07 GMT 2017
thanks, I've ended up adding a c*lient all reject ipset:limited* in the
router (since I still want those ips to have access to the server it seemed
to belong there and not the interface section).
For conntracking removal, it turns out it's a bit of a pain/not going to
work: with the ipsets in some circumstances I'm using net, so blocking
192.168.1.0/24, but conntrack tools doesn't support that and doing a
--flush isn't good as there may be other legit connections going on. I've
done some googling and found a couple threads suggesting to "script
something around it".
That said I'm pretty much just trying to cut off http traffic so browsing a
new page would be a new connection anyway and conntracking isn't too much
of an issue.
thanks again for your help,
Spike
On Sun, Feb 12, 2017 at 8:09 AM Tsaousis, Costa <costa at tsaousis.gr> wrote:
Well you have several options:
The input of something is the output of something else and vice versa. So,
setup 2 blacklists one internet facing, the other lan facing.
But, you can also use src and dst. Something like this will block all
internet traffic:
lan="10.0.0.0/24"
backlist4 ... src "${lan}" dst not "${lan} 255.255.255.255"
255.255.255.255 I think is used by DHCP.
Keep in mind though the above will lead to timeouts on your PCs.
It is probably better to reject traffic (instead of dropping it) at the
firewall and use the command conntrack to remove the established
connections from the connection tracker (firehol will drop them
immediately).
There will be no timeouts if you use something like this.
Costa
On Sun, Feb 12, 2017 at 5:06 PM, Spike <spike at drba.org> wrote:
Hello Costa,
I'm doing just that and looks great, thanks. And thank you for mentioning
the blacklist helper, very useful, especially for its stateless
capabilities. I have a question about it: the gw/fw is also providing dhcp
for the lan. During those given times I want hosts not to go online, but I
still need them to be able to use dhcp etc. Can the blacklist be applied
somehow to the outgoing/internet facing interface? I saw there is an inface
attribute, but no outface one, but maybe it doesn't matter and I can just
use inface on the outgoing ones?
thanks,
Spike
On Fri, Feb 10, 2017 at 10:43 AM Tsaousis, Costa <costa at tsaousis.gr> wrote:
Hi Spike,
You can use ipsets in firehol.conf and run cron jobs to add/remove IPs to
the already configured ipsets.
This works perfectly and does not need a restart of your firewall.
Some special attention has to be given to established connections.
If you want even the established connections to be dropped, I suggest to
use blacklists which will examine all the traffic.
The wiki and manual has information about both.
Costa
On Fri, Feb 10, 2017 at 7:34 PM, Spike <spike at drba.org> wrote:
Dear all,
I need to restrict internet for certain clients based on time ranges. So
for example ip a.b.c.d should only be able to reach the internet between 5
and 6pm, while x.y.w.z only between 1-2pm.
Before using firehol, I was accomplishing this by defining a custom chain
"timelimited" in the INPUT chain that would drop all traffic for the ips it
contained. I would then have cron firing off at various intervals adding
and removing ips from "timelimited".
What's the recommended way to implement this with firehol? I looked to see
if there was any utility for time based rules, but didn't find one.
thanks,
Spike
_______________________________________________
Firehol-support mailing list
Firehol-support at lists.firehol.org
http://lists.firehol.org/mailman/listinfo/firehol-support
More information about the Firehol-support
mailing list