On 2017-07-06, Maxim Bourmistrov <[email protected]> wrote:
>
> Hey,
> I have somewhat similar situation at home.
> However, I never found a straightforward setup.
>
> I can do a manual BLOCK OUT with a script, and probably, if I’d link this script
> to a cron, I’d get somehow setup you are after.
>
> I do depend on dhcpd giving out static IP to a given MAC and thus
> I don’t expect kids to take over MACs on the LAN.
> They are not there yet :)

By doing something like this you encourage them (not that this is a bad thing :-)
Lack of access to internet is quite motivating.

Of course they don't need to take over a MAC, just set a static address.
Putting them on a separate vlan (or completely separate switch) is another way.

> Following I have in pf.conf. Script is up to you (or I can share prvtly what
> I have).
>
> table <block_out_ext> persist
>
> ### block machines out
> block out quick on egress tagged BLOCK
> pass out quick on egress from <block_out_ext> to any nat-to (egress:0) keep state \
>     (max-src-conn 1, max-src-conn-rate 1/1, overload <none_existent_table> flush global) tag BLOCK
>
>
> Script adds addresses to <block_out_ext> .
> <none_existent_table> - really, as name implies, not defined at all, anywhere
> in pf.conf.

Ha, overload - that's a cunning trick to avoid using "pfctl -k" :)
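Added example, not part of the original message or anyone's actual script: the explicit alternative to the overload trick, where a cron-driven script adds a host to the table and then kills its existing states with "pfctl -k". It assumes the <block_out_ext> table from the quoted pf.conf and a rule that blocks traffic from hosts in that table; the function names, the PFCTL override and the sample address are hypothetical.

```shell
#!/bin/sh
# Block or unblock one LAN host via the pf table, killing live states on block.
# Assumption: pf.conf blocks traffic from hosts listed in <block_out_ext>.

TABLE="block_out_ext"
PFCTL="${PFCTL:-pfctl}"   # set PFCTL="echo pfctl" to print commands instead

# Accept only a dotted-quad IPv4 host address with octets 0-255, so nothing
# else from a cron line or a wrapper ever reaches the pfctl command line.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

block_host() {
    valid_ipv4 "$1" || { echo "invalid address: $1" >&2; return 1; }
    # New connections are refused once the address is in the table...
    $PFCTL -t "$TABLE" -T add "$1" || return 1
    # ...but established states keep passing until they expire, so kill them.
    $PFCTL -k "$1"
}

unblock_host() {
    valid_ipv4 "$1" || { echo "invalid address: $1" >&2; return 1; }
    $PFCTL -t "$TABLE" -T delete "$1"
}

# Stand-alone use, e.g. from cron: script block 192.168.1.50 (sample address)
case "${1:-}" in
    block)   block_host "${2:-}" ;;
    unblock) unblock_host "${2:-}" ;;
esac
```

As the reply points out, a table keyed on IP address only holds while the host keeps the address dhcpd handed out.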

