On Fri, Sep 02, 2011 at 05:41:26AM -0700, Stefan N wrote:
> Okay guys. Thanks for the suggestion.
>
> > On 2 September 2011 09:26, Stefan N <stefanbsd...@yahoo.com> wrote:
> > 
> > anchors + crontab as Peter suggested is an easy alternative.

Depending on what exact effect you want to achieve, you can maybe do it
without loading separate ruleset files if you prefer.

For example, in your /etc/pf.conf file, something like

        # $int_if is assumed to be defined earlier as the internal interface macro
        table <surfers> { } persist

        # allow internet surfing
        pass in on $int_if from <surfers> to any {
                block

                # rules that allow internet surfing here. e.g.
                pass in proto tcp from any to any port { 80 443 }
        }


And in crontab:

        0   9   *   *   *   /sbin/pfctl -Td -t surfers 192.168.1/24
        0   17  *   *   *   /sbin/pfctl -Ta -t surfers 192.168.1/24

If your misbehaving users are not all in one netblock, you can create a
file and load/delete the addresses in the table from that file.


Alternatively, run a squid proxy, force all your users to use it, and
implement your time-based filtering there (squid is much better for
censorship anyways because you can filter based on domain name or even
the full URL rather than just IP addresses).
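The file-based variant mentioned above (addresses kept in a file and added to or deleted from the table by cron), as an added example that is not part of the original message. The table name `surfers`, the path `/etc/pf.surfers` and the script name are placeholders; `PFCTL` is overridable so the command line can be inspected without touching a live ruleset.

```shell
#!/bin/sh
# Added example, not from the original thread: maintain the pf table
# <surfers> from an address file instead of a single netblock on the
# crontab line.  Table name, file path and script name are placeholders.
set -eu

PFCTL="${PFCTL:-/sbin/pfctl}"
TABLE="${TABLE:-surfers}"
ADDR_FILE="${ADDR_FILE:-/etc/pf.surfers}"

# Print the usable entries of an address file: drop '#' comments,
# surrounding whitespace and blank lines, one address or netblock per line.
clean_addrs() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1"
}

# surfers_cmd add|delete FILE
# pfctl's -T add and -T delete accept the address list via -f, so the
# cleaned file is handed over as a temporary file.  An empty list is
# refused so a truncated or fully commented-out file cannot silently
# leave the table in an unintended state.
surfers_cmd() {
    action=$1
    file=$2
    case "$action" in
        add|delete) ;;
        *) echo "usage: surfers_cmd add|delete file" >&2; return 2 ;;
    esac
    if [ ! -r "$file" ]; then
        echo "cannot read $file" >&2
        return 1
    fi
    tmp=$(mktemp) || return 1
    clean_addrs "$file" > "$tmp"
    if [ ! -s "$tmp" ]; then
        rm -f "$tmp"
        echo "$file contains no addresses; refusing to touch <$TABLE>" >&2
        return 1
    fi
    if "$PFCTL" -t "$TABLE" -T "$action" -f "$tmp"; then
        rc=0
    else
        rc=$?
    fi
    rm -f "$tmp"
    return $rc
}

# Dispatch only when called with arguments, e.g. from crontab
# (paths are placeholders):
#   0   9   *   *   *   /usr/local/sbin/surfers.sh delete
#   0   17  *   *   *   /usr/local/sbin/surfers.sh add
if [ $# -gt 0 ]; then
    surfers_cmd "$1" "${2:-$ADDR_FILE}"
fi
```

Run as `surfers.sh add` or `surfers.sh delete` from cron in place of the single-netblock `pfctl -Ta`/`-Td` lines; the address file can mix netblocks and single hosts and carry comments.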
