Hey,
I have somewhat similar situation at home.
However, I never found a straightforward setup.
I can do a manual BLOCK OUT with a script, and probably, if I’d link this script
to a cron, I’d somehow get the setup you are after.
I do depend on dhcpd giving out a static IP to a given MAC and thus
I don’t expect kids to take over MACs on the LAN.
They are not there yet :)
The following I have in pf.conf. The script is up to you (or I can share privately what I
have).
table <block_out_ext> persist
### block machines out
block out quick on egress tagged BLOCK
pass out quick on egress from <block_out_ext> to any nat-to (egress:0) keep state \
    (max-src-conn 1, max-src-conn-rate 1/1, overload <none_existent_table> flush global) tag BLOCK
The script adds addresses to <block_out_ext>.
<none_existent_table> - really, as the name implies, not defined at all, anywhere
in pf.conf.
Br
Mxb
> On 6 July 2017 at 00:19, Stefan Wollny <[email protected]> wrote:
>
> Hi there!
>
> "Security" means to constantly re-evaluate your options and processes -
> right? So the other day I checked the settings in the Fritz!Box router
> and remembered that they had implemented a time quota for a defined
> group of users (=IPs).
>
> Example: My young son has a tablet and a mobile phone (both Android) and
> has access to the internet with any device within a defined time frame
> and an overall maximum of x hours, individually set for each day of the
> week. In the rare cases that he needs more time he uses the joker named
> "Mama" ... ;-) (Side note: Just like pocket money the allowed time is
> regularly revised for age and experience - not behaviour!)
>
> Consider other situations where you'd like to meet your responsibilities:
> - There may be usual office times from 06:30 am to 21:00 pm (some people
> like to work early, others late): Outside of this time frame access to
> the internet may not be acceptable (with rare exceptions) - or might mean
> that a machine is hijacked to be a part of a bot or to do some bitcoin
> calculations... whatever.
> - Within this time frame no one is legally permitted to work longer than
> 8 hours based on his login credentials to the office net (not device).
> - Just some specified servers do backups to the cloud and e.g. are
> granted access the internet exclusively at night time (thus being
> exceptions to the general rule above).
> - The web and mail servers are separate to the office net and always-on.
>
> The technical quest is in principle the same as the one I described
> above. Simply spoken: If no one of the 'guys and gals' responsible for
> safe and smooth operations is around the internet is turned off (or s/he
> gets paid overtime hours :-)).
>
> Can s.th. like this be set up with OpenBSD being the central router? I
> searched the FAQ and several man-pages but didn't get an idea of how to
> proceed. My very first idea (=dream) was "e.g. set the general time
> frame with PF" and "the individual quotas or access times within
> anchors". Unfortunately nothing appropriate was found by the "leading"
> internet search engine.
>
> If someone has found a solution to such a task it would be great to get
> to know how this was achieved, of course with OpenBSD.
>
> Please: I am just curious and interested to learn about my (realistic)
> options.
>
> TIA.
>
> Best,
> STEFAN
>
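To make the cron part of Mxb's setup concrete, here is an added example script. It is mine, not Mxb's script and not anything from the OpenBSD project; it only assumes the pf.conf rules quoted above and that dhcpd hands each host a fixed address. The schedule file format and path, the PFCTL override, the sample addresses and the crontab line are all assumptions made for this example.

```sh
#!/bin/sh
# Added example, not Mxb's script: a cron-driven helper that fills the
# <block_out_ext> table from Mxb's pf.conf according to a per-host time
# schedule. Schedule format, file path, sample addresses and the
# PFCTL override are assumptions made for this example.
#
# Schedule lines:  <ip> <allowed-from HHMM> <allowed-to HHMM>
# A host may leave the LAN only inside its window; outside it the address
# is put into the table and Mxb's rules take over.

SCHEDULE="${SCHEDULE:-/etc/block_out_schedule}"   # assumed path
TABLE="block_out_ext"                              # table name from the pf.conf above
PFCTL="${PFCTL:-pfctl}"                            # set PFCTL=echo for a dry run

# Constructed sample schedule (RFC 5737 test addresses, not a real LAN).
SAMPLE_SCHEDULE=$(cat <<'EOF'
# ip          from  to    comment
192.0.2.10    0700  2000  # kid's tablet: 07:00-20:00
192.0.2.11    0700  2000  # kid's phone
192.0.2.30    0630  2100  # office desktop
192.0.2.40    2200  0600  # backup host: night only, window crosses midnight
EOF
)

# to_min HHMM -> minutes since midnight (leading zeros stripped so the
# shell does not read 0800 as an octal number)
to_min() {
    hh=${1%??}; mm=${1#??}
    hh=${hh#0}; mm=${mm#0}
    echo $(( hh * 60 + mm ))
}

# in_window NOW FROM TO -> true when NOW lies in [FROM, TO).
# FROM later than TO means the window wraps past midnight (2200 0600).
in_window() {
    n=$(to_min "$1"); f=$(to_min "$2"); t=$(to_min "$3")
    if [ "$f" -le "$t" ]; then
        [ "$n" -ge "$f" ] && [ "$n" -lt "$t" ]
    else
        [ "$n" -ge "$f" ] || [ "$n" -lt "$t" ]
    fi
}

# blocked_hosts NOW < schedule -> prints the addresses that must be in the
# table at time NOW, one per line. Blank and comment lines are skipped;
# a malformed line fails closed, i.e. that host is blocked, not allowed.
blocked_hosts() {
    now=$1
    while read -r ip from to _rest; do
        case "$ip" in ''|'#'*) continue ;; esac
        [ -n "$to" ] || { echo "$ip"; continue; }
        if in_window "$now" "$from" "$to"; then
            :
        else
            echo "$ip"
        fi
    done
}

# apply NOW: make the table match the schedule, then kill the live states
# of every blocked host so an open connection does not outlive its window.
apply() {
    list=$(blocked_hosts "$1" < "$SCHEDULE")
    if [ -z "$list" ]; then
        "$PFCTL" -q -t "$TABLE" -T flush
    else
        "$PFCTL" -q -t "$TABLE" -T replace $list   # word splitting intended
        for ip in $list; do
            "$PFCTL" -q -k "$ip"
        done
    fi
}

# Crontab entry (assumed install path):
#   * * * * * /usr/local/sbin/block_out.sh apply
case "${1:-}" in
    apply) apply "$(date +%H%M)" ;;
    demo)  printf '%s\n' "$SAMPLE_SCHEDULE" | blocked_hosts "${2:-$(date +%H%M)}" ;;
esac
```

Run it from cron once a minute with the apply argument; PFCTL=echo ./block_out.sh apply prints the pfctl calls instead of executing them, and ./block_out.sh demo 2300 lists which of the sample hosts would sit in the table at 23:00. Two design points worth keeping whatever schedule format you choose: a window that crosses midnight (the night-only backup host from Stefan's list) is handled by the wrap-around branch in in_window, and a host whose schedule line is broken is cut off rather than quietly allowed, because a typo in the schedule should fail closed.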