From: Giorgos Keramidas <keramida@ceid.upatras.gr>
To: Bryan Curl
Cc: freebsd-questions@freebsd.org
Date: Wed, 3 May 2006 03:12:31 +0300
Subject: Re: ipfirewall tricks
Message-ID: <20060503001231.GA53355@gothmog.pc>
In-Reply-To: <51257d370605021635x126d6560ueffdba9285d763da@mail.gmail.com>
On 2006-05-02 17:35, Bryan Curl wrote:
> I want to limit time my kids spend on the internet. The way I am
> doing it is to make varying, separate ipf.rules files and install them
> from cron at the appropriate time.

Sounds like a good plan.

> Problem is, if I make a change to one file, I generally have to update
> all the others accordingly.

Which files? You can use symlinks to your advantage. For example, if
you have two sets of rules, named `ipf.conf.allow' and `ipf.conf.block',
you can set your `/etc/rc.conf' to reference `/etc/ipf.conf' and then
use a cron job or two to symlink to one of the two :-)

    00 08 * * * /root/scripts/ipf-allow.sh
    00 20 * * * /root/scripts/ipf-block.sh

The scripts could be something as simple as:

| #!/bin/sh
| #
| # ipf-allow.sh - Reload IP Filter from /etc/ipf.conf.allow
| #
|
| # If anything goes wrong, fall back to a slightly paranoid ruleset
| # that disallows almost *ALL* network access, letting only ICMP, DNS
| # and SSH through.
| paranoid_rules() {
|     { echo 'pass in quick on lo0 all' ;
|       echo 'pass out quick on lo0 all' ;
|       echo 'pass in quick proto icmp all' ;
|       echo 'pass out quick proto icmp all' ;
|       echo 'pass out quick proto udp from any to any port = 53 keep state' ;
|       echo 'pass out quick proto tcp from any to any port = 53 keep state' ;
|       echo 'pass in quick proto tcp from any to any port = 22 keep state' ;
|       echo 'pass out quick proto tcp from any to any port = 22 keep state' ;
|       echo 'block in all' ;
|       echo 'block out all' ;
|     } | ipf -Fa -f -
| }
|
| ipf_allow_rules='/etc/ipf.conf.allow'
| ipf_rules='/etc/ipf.conf'
|
| # The ruleset file must exist before we point the symlink at it.
| if test ! -f "${ipf_allow_rules}" ; then
|     echo >&2 "${ipf_allow_rules}: ruleset missing, blocking (almost) all network access."
|     paranoid_rules
|     exit 1
| fi
|
| # Repoint the symlink and load the ruleset into the kernel.
| /bin/rm -f "${ipf_rules}" && \
|     ln -s "${ipf_allow_rules}" "${ipf_rules}" && \
|     ipf -Fa -f "${ipf_allow_rules}"
|
| if test $? -ne 0 ; then
|     echo >&2 "${ipf_allow_rules}: ruleset failed to load, blocking (almost) all network access."
|     paranoid_rules
|     exit 1
| fi

A similar script for ipf_deny_rules, and you're set.

You can even join the two scripts in one and pass the ruleset file to
load in the cronjob:

    00 08 * * * /root/scripts/ipf-load.sh /etc/ipf.conf.allow
    00 20 * * * /root/scripts/ipf-load.sh /etc/ipf.conf.block

and then write your script as:

| #!/bin/sh
| #
| # ipf-load.sh - Reload IP Filter from $1
| #
|
| # If anything goes wrong, fall back to a slightly paranoid ruleset
| # that disallows almost *ALL* network access, letting only ICMP, DNS
| # and SSH through.
| paranoid_rules() {
|     { echo 'pass in quick on lo0 all' ;
|       echo 'pass out quick on lo0 all' ;
|       echo 'pass in quick proto icmp all' ;
|       echo 'pass out quick proto icmp all' ;
|       echo 'pass out quick proto udp from any to any port = 53 keep state' ;
|       echo 'pass out quick proto tcp from any to any port = 53 keep state' ;
|       echo 'pass in quick proto tcp from any to any port = 22 keep state' ;
|       echo 'pass out quick proto tcp from any to any port = 22 keep state' ;
|       echo 'block in all' ;
|       echo 'block out all' ;
|     } | ipf -Fa -f -
| }
|
| # Exactly one argument: the path of the ruleset to activate.
| if test $# -ne 1 ; then
|     echo >&2 "usage: ipf-load.sh ruleset-path"
|     paranoid_rules
|     exit 1
| fi
|
| ipf_load_rules="$1"
| ipf_rules='/etc/ipf.rules'
|
| if test ! -f "${ipf_load_rules}" ; then
|     echo >&2 "${ipf_load_rules}: ruleset missing, blocking (almost) all network access."
|     paranoid_rules
|     exit 1
| fi
|
| # Repoint the symlink and load the ruleset into the kernel.
| /bin/rm -f "${ipf_rules}" && \
|     ln -s "${ipf_load_rules}" "${ipf_rules}" && \
|     ipf -Fa -f "${ipf_load_rules}"
|
| if test $? -ne 0 ; then
|     echo >&2 "${ipf_load_rules}: ruleset failed to load, blocking (almost) all network access."
|     paranoid_rules
|     exit 1
| fi

> Is there a better way? I have read man ipf but didn't come out with any
> ideas.

Well, the 'best' way is the one you like the most, I guess :)
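The following is an added example, not the script from Giorgos's mail. It keeps his design (one loader script, the ruleset path passed from cron, a paranoid fallback ruleset fed to `ipf -Fa -f -`) and tightens two points: the symlink is replaced with `ln -s` to a temporary name followed by `mv -f`, so there is never a moment where `/etc/ipf.rules` does not exist (the `rm -f` then `ln -s` sequence leaves such a window, and a reboot inside it would bring the box up with no ruleset at all), and the new file is parsed with the no-change flag `-n` from ipf(8) before anything is touched, so a syntax error leaves the current rules in place instead of dropping the machine to the paranoid set. `IPF` and `IPF_RULES` are assumed, overridable variables added here so the functions can be exercised without a real `ipf` binary; the script name `ipf-switch.sh` is likewise hypothetical.

```shell
#!/bin/sh
# ipf-switch.sh - added example (not the script from the original mail).
# Switch the active IP Filter ruleset to the file given as $1.
#
# IPF and IPF_RULES are assumed, overridable from the environment so the
# functions can be tested against a stub instead of the real ipf(8).
IPF=${IPF:-/sbin/ipf}
IPF_RULES=${IPF_RULES:-/etc/ipf.rules}

# Minimal ruleset used on failure: loopback, ICMP, outbound DNS, SSH,
# and block everything else (same policy as the original mail).
paranoid_rules() {
    cat <<'EOF'
pass in quick on lo0 all
pass out quick on lo0 all
pass in quick proto icmp all
pass out quick proto icmp all
pass out quick proto udp from any to any port = 53 keep state
pass out quick proto tcp from any to any port = 53 keep state
pass in quick proto tcp from any to any port = 22 keep state
pass out quick proto tcp from any to any port = 22 keep state
block in all
block out all
EOF
}

# Flush all rules and load the paranoid set from stdin.
load_paranoid() {
    paranoid_rules | "$IPF" -Fa -f -
}

# Repoint the symlink without a window in which it is absent: create the
# new link under a temporary name, then rename it over the old one.
# rename(2) is atomic, so a reboot in between still finds a valid link.
swap_link() {
    target=$1
    tmp="${IPF_RULES}.tmp.$$"
    ln -s "$target" "$tmp" && mv -f "$tmp" "$IPF_RULES"
}

# Returns 0 when the new ruleset is active, 1 otherwise.
# A missing file or a kernel load failure falls back to the paranoid set;
# a file that does not parse leaves the currently loaded rules untouched.
switch_ruleset() {
    new=$1
    if [ ! -f "$new" ]; then
        echo >&2 "$new: ruleset missing, loading paranoid rules"
        load_paranoid
        return 1
    fi
    # Dry-run parse (ipf -n makes no ioctl calls); bad syntax never
    # reaches the symlink or the kernel.
    if ! "$IPF" -n -f "$new"; then
        echo >&2 "$new: ruleset does not parse, keeping current rules"
        return 1
    fi
    if swap_link "$new" && "$IPF" -Fa -f "$new"; then
        return 0
    fi
    echo >&2 "$new: ruleset failed to load, loading paranoid rules"
    load_paranoid
    return 1
}

# Cron usage, one script for both rulesets:
#   00 08 * * * /root/scripts/ipf-switch.sh /etc/ipf.conf.allow
#   00 20 * * * /root/scripts/ipf-switch.sh /etc/ipf.conf.block
if [ -n "$1" ]; then
    switch_ruleset "$1"
fi
```

Because the parse step runs before the symlink moves, a typo in `ipf.conf.allow` at 08:00 now produces a cron mail and leaves the overnight block rules in force, rather than opening or closing the network by accident.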