Re: Time interval based pf rule
On Fri, Sep 02, 2011 at 05:41:26AM -0700, Stefan N wrote:
> Okay guys. Thanks for the suggestion.
>
> On 2 September 2011 09:26, Stefan N wrote:
> >
> > anchors + crontab as Peter suggested is an easy alternative.

Depending on what exact effect you want to achieve, you can maybe do it without loading separate ruleset files if you prefer. For example, in your /etc/pf.conf file, something like

    table <surfers> { } persist

    # allow internet surfing
    pass in on $int_if from <surfers> to any {
        block
        # rules that allow internet surfing here. e.g.
        pass in proto tcp from any to any port { 80 443 }
    }

And in crontab:

    0 9  * * * /sbin/pfctl -Td -t surfers 192.168.1/24
    0 17 * * * /sbin/pfctl -Ta -t surfers 192.168.1/24

If your misbehaving users are not all in one netblock, you can create a file and load/delete the addresses in the table from that file.

Alternatively, run a squid proxy, force all your users to use it, and implement your time-based filtering there (squid is much better for censorship anyways because you can filter based on domain name or even the full URL rather than just IP addresses).
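The table-plus-cron approach above can be folded into one script that cron runs every hour and that keeps the table in sync with the access window, so there is no pair of add/delete crontab lines to keep consistent. This is an added example, not code from the thread: it assumes the table name "surfers" and the "Fridays from 18:00" window from the original question, and the netblock 192.168.1.0/24 is a constructed sample.

```shell
#!/bin/sh
# Added example (not from the thread). Keeps the pf table <surfers> in sync
# with an access window. Assumed names: table "surfers", netblock
# 192.168.1.0/24 (constructed sample), window "Fridays from 18:00".
PFCTL=${PFCTL:-/sbin/pfctl}
TABLE=surfers
NETS="192.168.1.0/24"          # or: -f /etc/pf.surfers for scattered hosts

# window_open DOW HOUR: succeeds when surfing is allowed.
# DOW is date(1) %u (1=Monday .. 7=Sunday), HOUR is %H.
window_open() {
    [ "$1" -eq 5 ] && [ "$2" -ge 18 ]
}

# desired_action DOW HOUR: the pfctl -T action that makes the table match
# the window. "add" populates it (rule applies), "delete" empties it.
desired_action() {
    if window_open "$1" "$2"; then echo add; else echo delete; fi
}

# pfctl_cmd DOW HOUR: the exact command cron would run at that time.
pfctl_cmd() {
    echo "$PFCTL -t $TABLE -T $(desired_action "$1" "$2") $NETS"
}

# sync_table: apply the action for the current time. pfctl -T add/delete
# tolerate entries that are already present/absent, so running this every
# hour is idempotent. DRY_RUN=1 prints the command instead of running it.
sync_table() {
    cmd=$(pfctl_cmd "$(date +%u)" "$(date +%H)")
    if [ -n "${DRY_RUN:-}" ]; then echo "$cmd"; else eval "$cmd"; fi
}

# crontab(5) entry (hourly):  0 * * * * /usr/local/sbin/pf-window.sh run
if [ "${1:-}" = "run" ]; then
    sync_table
fi
```

Because the table is rebuilt from the window every hour, a missed cron run or a reboot (the table is declared persist but starts empty) self-corrects on the next tick, which the two fixed add/delete entries do not.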
Re: Time interval based pf rule
Okay guys. Thanks for the suggestion.

Regards,
Stefan

From: Christiano F. Haesbaert
To: Stefan N
Cc: "misc@openbsd.org"
Sent: Friday, September 2, 2011 8:34 PM
Subject: Re: Time interval based pf rule

On 2 September 2011 09:26, Stefan N wrote:
> Actually I would like to limit the access during office hours.
> So Time interval based rule means:
> user is only allowed to access specific application and destination based
> on the time interval.
> For example: Finance Department user is only allowed to access the facebook
> website after office hours (after 6PM onwards) and only on Friday.
>
> If I didn't add the time interval, they can spend their time browsing and
> chatting on facebook instead of working.
> What do you mean by "one-hit" rules?
>

Rules that get destroyed after a first match, but that's not what you want.

anchors + crontab as Peter suggested is an easy alternative.
Re: Time interval based pf rule
On 2 September 2011 09:26, Stefan N wrote:
> Actually I would like to limit the access during office hours.
> So Time interval based rule means:
> user is only allowed to access specific application and destination based
> on the time interval.
> For example: Finance Department user is only allowed to access the facebook
> website after office hours (after 6PM onwards) and only on Friday.
>
> If I didn't add the time interval, they can spend their time browsing and
> chatting on facebook instead of working.
> What do you mean by "one-hit" rules?
>

Rules that get destroyed after a first match, but that's not what you want.

anchors + crontab as Peter suggested is an easy alternative.
Re: Time interval based pf rule
Actually I would like to limit the access during office hours. So Time interval based rule means: user is only allowed to access specific application and destination based on the time interval. For example: Finance Department user is only allowed to access the facebook website after office hours (after 6PM onwards) and only on Friday.

If I didn't add the time interval, they can spend their time browsing and chatting on facebook instead of working.

What do you mean by "one-hit" rules?

Regards,
Stefan

From: Christiano F. Haesbaert
To: Stefan N
Cc: "misc@openbsd.org"
Sent: Friday, September 2, 2011 8:14 PM
Subject: Re: Time interval based pf rule

On 2 September 2011 09:11, Stefan N wrote:
> Hi Jim,
>
> If I used anchors to create pf rules, that means there is another
> configuration that needs to be taken care of.
> Besides /etc/pf.conf, we need to take care of and maintain crontab for
> scheduling.
>

What are you trying to accomplish with timer based rules?

Recently "one-hit" rules were added, depending on your problem that might solve it.
Re: Time interval based pf rule
On Fri, Sep 02, 2011 at 04:21:31AM -0700, Stefan N wrote:
> Does the OpenBSD PF engine have the feature to create time interval based rules?
> I have tried to do that but I could not find any relevant documentation.
> Is a time interval based rule supported on OpenBSD PF?

the question comes up at intervals, but so far at least the conclusion has been that there are other ways to implement the functionality (cron + anchors and/or rules matching on table membership, etc) and no real need to complicate the pf.conf syntax.

- P

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Re: Time interval based pf rule
On 2 September 2011 09:11, Stefan N wrote:
> Hi Jim,
>
> If I used anchors to create pf rules, that means there is another
> configuration that needs to be taken care of.
> Besides /etc/pf.conf, we need to take care of and maintain crontab for
> scheduling.
>

What are you trying to accomplish with timer based rules?

Recently "one-hit" rules were added, depending on your problem that might solve it.
Re: Time interval based pf rule
Hi Jim,

If I used anchors to create pf rules, that means there is another configuration that needs to be taken care of. Besides /etc/pf.conf, we need to take care of and maintain crontab for scheduling.

Regards,
Stefan

From: James Hartley
To: Stefan N
Cc: "misc@openbsd.org"
Sent: Friday, September 2, 2011 7:47 PM
Subject: Re: Time interval based pf rule

On Fri, Sep 2, 2011 at 4:21 AM, Stefan N wrote:
> Does the OpenBSD PF engine have the feature to create time interval based rules?
>

See how to dynamically add rules via anchors:

http://www.openbsd.org/faq/pf/anchors.html

...& scheduling scripts via crontab(5).

Jim
Re: Time interval based pf rule
On Fri, Sep 2, 2011 at 4:21 AM, Stefan N wrote:
> Does the OpenBSD PF engine have the feature to create time interval based rules?
>

See how to dynamically add rules via anchors:

http://www.openbsd.org/faq/pf/anchors.html

...& scheduling scripts via crontab(5).

Jim
Re: Time interval based pf rule
On Fri, 2 Sep 2011 04:21:31 -0700 (PDT) Stefan N wrote:
> Hi all,
>
> Does the OpenBSD PF engine have the feature to create time interval based rules?

What exactly do you mean by time interval based rule?

> I have tried to do that but I could not find any relevant documentation.
> Is a time interval based rule supported on OpenBSD PF?
>

You've looked at http://www.openbsd.org/faq/pf/index.html and the manpage though, right?