On Sat, Aug 6, 2016 at 2:48 AM Dan Ritter <d...@randomstring.org> wrote:

> On Fri, Aug 05, 2016 at 03:49:28PM +0000, Mark Fletcher wrote:
> > On Fri, Aug 5, 2016 at 11:04 PM Brian <a...@cityscape.co.uk> wrote:
> >
> > I didn't mention earlier, and I'm not sure if it is relevant, but the
> > computer connects via WiFi to my access point, which is also my network's
> > internet gateway -- with an LFS box between it and the cable modem as a
> > dedicated firewall. I don't trust the non-free firewall in the AP, although
> > I have left it on. The rest of my network is not to be subject to this 9pm
> > curfew. And I would ideally like connectivity between this machine and the
> > rest of my local network to remain even when the internet is denied to this
> > machine, so I can do remote maintenance when he's not using the machine,
> > for example.
>
>
> I have a new suggestion, based on this.
>
> Do all the filtering on your LFS box.
>
> Match your kid's machine by MAC address.
>
> Write two tiny scripts:
>
> #!/bin/sh
> iptables -D FORWARD -m mac --mac-source 58:63:1a:af:71:72 -j DROP
>
>
> #!/bin/sh
> iptables -I FORWARD -m mac --mac-source 58:63:1a:af:71:72 -j DROP
>
> (substituting in the appropriate MAC address for the machine, of
> course)
>
> and run the first one at 9 PM to disable internet access, and
> run the second one at 8 AM or whatever to re-enable it. Cron is
> your friend.
>
The LFS box (and yes that is Linux From Scratch, all my other "real"
computers are Debian) sits between my AP (wireless & wired) and the cable
modem, i.e. the wilds of the Internet. Used to be that the AP was plugged
straight into the cable modem, but about 6 months ago or so I set up this
LFS box using an ASUS mini PC, about 10% out of concern for what weaknesses
my AP's firewall might have that I didn't and never would know about, and
90% just to see if I could. The WAN port of the AP goes into one interface
of the firewall, the other goes to the cable modem. All my computers other
than the firewall itself are connected, wired or wireless, to the AP. The
wireless card built into the firewall box is disabled.

Since the AP is doing NAT, as I believe is normal for such a device that
thinks it is the last line of defence between the network and the Internet,
I am not sure that the LFS firewall machine will be able to see the MAC
addresses of the computers on my LAN. I just tried to do an experiment
involving logging in iptables on the firewall, but the logged information
doesn't seem to include MAC address so I couldn't check.

If in fact, I can expect the firewall to be able to see source computer LAN
mac addresses in this configuration, that has all sorts of other positive
implications which I would get excited about. I'd just assumed it wouldn't
be possible due to the layer of indirection provided by the AP.

Mark
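An added example, not from either poster: the two one-line scripts Dan suggested, folded into one idempotent toggle that checks with `iptables -C` before inserting or deleting, so a cron job that fires twice does not stack duplicate DROP rules and the "off" run removes every copy. The MAC address below is a constructed placeholder, and the `IPT` variable is an assumption of this script (set it to a stub command to dry-run). One caveat the thread is circling: `-m mac --mac-source` only works when the filtering box is on the same Ethernet segment as the client. In the topology described here the AP routes (and NATs) between its LAN and the LFS box, so every frame the LFS box receives carries the AP's own interface MAC as source, and the source IP has been rewritten to the AP's WAN address as well. This script therefore belongs on whatever box shares the wireless/wired LAN with the kid's machine, or on the LFS box only if the AP is put into bridge mode so that the LFS box becomes the LAN's router.

```sh
#!/bin/sh
# Added example (not code from the thread): idempotent 9 PM / 8 AM curfew
# toggle that drops forwarded traffic from one LAN host matched by MAC.
# Assumptions (hypothetical): this box is on the same L2 segment as the
# client; the MAC is a constructed placeholder; IPT is this script's own
# knob for substituting a stub command when testing.

MAC="${CURFEW_MAC:-02:00:00:00:00:01}"   # constructed placeholder (locally administered)
IPT="${IPT:-iptables}"                    # override with a stub for a dry run

# Accept only a colon-separated 48-bit MAC so a typo cannot produce a rule
# that silently matches nothing.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# One place defines the rule, so insert, check and delete use the same spec.
rule_spec() {
    printf 'FORWARD -m mac --mac-source %s -j DROP' "$1"
}

# True when the DROP rule for this MAC is already in the FORWARD chain
# (iptables -C exits 0 if the rule exists, non-zero otherwise).
rule_present() {
    # shellcheck disable=SC2046
    "$IPT" -C $(rule_spec "$1") 2>/dev/null
}

# 9 PM job: deny forwarding for the host, without stacking duplicates.
curfew_on() {
    valid_mac "$1" || { echo "bad MAC: $1" >&2; return 2; }
    rule_present "$1" && return 0
    # shellcheck disable=SC2046
    "$IPT" -I $(rule_spec "$1")
}

# 8 AM job: allow forwarding again, removing every copy of the rule in
# case earlier runs did stack some.
curfew_off() {
    valid_mac "$1" || { echo "bad MAC: $1" >&2; return 2; }
    while rule_present "$1"; do
        # shellcheck disable=SC2046
        "$IPT" -D $(rule_spec "$1") || return 1
    done
    return 0
}

case "${1:-}" in
    on)  curfew_on "$MAC" ;;
    off) curfew_off "$MAC" ;;
    *)   echo "usage: $0 on|off   (e.g. from cron: 0 21 * * * $0 on)" >&2 ;;
esac
```

To confirm whether the filtering box can see the client's MAC at all, a rule such as `iptables -I FORWARD -j LOG --log-prefix "fwd: "` on that box writes kernel log lines that carry a `MAC=` field with the layer-2 header of the frame as received; on the LFS box in this topology that field shows the AP's interface address, not the laptop's, which is the observable sign that MAC matching has to move to the AP side of the network.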
