
Re: Time-limiting activities with pf



Dear All,

Some time ago (January 2004) there was a thread with the above subject (see below original text). I was wondering if anyone has actually tried this and has an implementation to offer as I would like to do exactly the same thing (and avoid reimplementing the wheel). Any pointers to sample pf.conf that can handle this kind of thing would be very welcome.
Many thanks in advance,


--Nino



PS Original email request/response below:
--------------------------------------------------------------------------
From: Richard P. Koett (richard_(_at_)_cybernet-security_(_dot_)_com)
Subject: Time-limiting activities with pf
Newsgroups: lucky.openbsd.misc
Date: 2004-01-03 15:15:34 PST

I would like to limit the amount of time my kids spend on certain
activities such as IM. I would appreciate comments from anyone who can
improve on my ideas for implementation:

Goal:
Initially I considered only permitting IM at certain times of day, but
am now thinking that a limit on total time per day would be better.

Conditions:
My kids might run IM from any of three computers using static addresses.

Implementation Idea:
My idea is to use authpf to load/unload rules passing IM traffic. For
simplicity, I am considering a PuTTY client on their (Windows) desktops.
When they double-click the icon an ssh session begins to the firewall.
Inside this session a timer runs to track their total login time for
the day. When the time limit is exceeded their session will be killed.
To be nice, remaining time would be displayed and a warning issued
before termination. A cron job would reset the total time available each
night.

Advice sought:
1) Any better ideas than the above :)
2) Example rules for blocking/passing MSN Messenger. Of course I can
sniff this out myself but if anyone has already done the work and cares
to share... I recall reading somewhere that Messenger will tunnel over
TCP port 80, for example, if other ports are blocked. I really liked the
DNS poisoning suggestion posted previously on this list but don't think
it is best suited for this purpose.
3) Does anyone know what would happen to a Messenger user cut off by pf?
Would they appear offline to other users?
4) General ideas pertaining to time-related rules in pf. For example,
are there better methods than pfctl in conjunction with cron to
implement pf rules based on time-of-day?

RPK.
--------------------------------------------------------------------------
From: Jason Dixon (jason_(_at_)_dixongroup_(_dot_)_net)
Subject: Re: Time-limiting activities with pf
Newsgroups: lucky.openbsd.misc
Date: 2004-01-03 15:40:07 PST

On Sat, 2004-01-03 at 18:10, Richard P. Koett wrote:
>I would like to limit the amount of time my kids spend on certain
>activities such as IM. I would appreciate comments from anyone who can
>improve on my ideas for implementation:

Ah, the old "let's fix a social problem with a technical solution"
solution.  ;-)

If you go with the schedule-based approach, it's quite simple.  Set up a
table in your pf.conf to add their addresses to.  Make sure to enable it
with the persist option, so it doesn't get removed when it's empty.  Add
the relevant filter rule allowing IM traffic for that table.  Lastly,
use cron to add their addresses to the table at one time, then another
cron to delete their addresses from the table at the other time.

If you have problems implementing this, please post your details/errors.

--
Jason Dixon, RHCE
DixonGroup Consulting
http://www.dixongroup.net
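
A sketch of the schedule-based setup described in the reply above, added here as an example and not posted by anyone in the thread. The interface name, the three addresses, the 16:00 to 17:00 window and TCP port 1863 for MSN Messenger are assumptions.

```conf
# /etc/pf.conf fragment (added example; every value below is an assumption)
int_if  = "fxp1"       # assumed LAN-facing interface
im_port = "1863"       # assumed: MSN Messenger's native TCP port
kids    = "{ 192.168.1.10, 192.168.1.11, 192.168.1.12 }"   # constructed addresses

# persist keeps the table alive while it is empty, so the pass rule
# below still loads when nobody is currently allowed.
table <im_allowed> persist

# pf applies the last matching rule: block the three hosts by default,
# then let through whichever of them cron has placed in the table.
# Place these after any general "pass in on $int_if" rule.
block in on $int_if proto tcp from $kids to any port $im_port
pass  in on $int_if proto tcp from <im_allowed> to any port $im_port keep state

# root's crontab (crontab -e), constructed window 16:00 to 17:00:
#
# 0 16 * * * /sbin/pfctl -t im_allowed -T add 192.168.1.10 192.168.1.11 192.168.1.12
# 0 17 * * * /sbin/pfctl -t im_allowed -T flush
# 1 17 * * * for h in 192.168.1.10 192.168.1.11 192.168.1.12; do /sbin/pfctl -k $h; done
#
# The third entry matters: emptying the table only stops new connections.
# Sessions opened during the window keep their state entries and stay up
# until the states are killed. pfctl -k removes every state originating
# from that host, not only the IM ones.
#
# Check the current table contents with:
#   pfctl -t im_allowed -T show
#
# The rules match on port only, so they do not cover the fallback to
# TCP port 80 that the original question mentions.
```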
