LinuxQuestions.org forum: Linux - Security
09-13-2007, 10:20 AM | #1 | LQ Newbie | Registered: Sep 2007 | Posts: 2
Shorewall Scheduling
I'm working on setting up a Debian firewall (Shorewall) at my office. So far so good. All the necessary rules are in place, and everything seems to be working great.
However, I've been wanting to block access to some sites during the workday, but open them during lunch hour. For example, I would like to block specific websites around the clock, but open them daily from 12-1pm.
Is there a way to automate this? I'm currently just going in before noon and commenting out those specific rules, and uncommenting them at 1pm.
Current Block Rule:
Code:
REJECT loc net:XXX.XXX.XXX.XXX tcp www,http
Cheers.
09-13-2007, 02:33 PM | #2 | Senior Member (salasi) | Registered: Jul 2007 | Location: Directly above centre of the earth, UK | Distribution: SuSE, plus some hopping | Posts: 3,671
If you were prepared to push all web accesses through squid, it does have quite extensive access controls and I'm sure (errr, I haven't tried exactly this, but, from memory of squid.conf, the controls are there to do exactly this sort of thing and more) it could be achieved.
Squid is a cache program, and so may well reduce your overall bandwidth usage and might even speed things up a little (and even have a positive security impact if all incoming http packets are constrained to come through it), but there is a disadvantage: there is quite a lot of set-up to be done. It isn't really all that difficult, but there is quite a lot of it.
09-13-2007, 08:25 PM | #3 | Guru (win32sux) | Registered: Jul 2003 | Location: Los Angeles | Distribution: Ubuntu | Posts: 9,870
Yeah, as mentioned by salasi, when it comes to filtering access to websites you definitely should do it with a proxy (such as Squid - which comes with this sort of time restriction functionality built-in) instead of with an IP firewall.
That said, what you are trying to do (with Shorewall) could be accomplished by having two text files (one with the config for work and one with the config for lunch) and then have a cron job run at noon and 1PM which does a "cat" into the real config and restarts Shorewall.
Let's say you create files /root/lunch-shorewall-rules.txt and /root/work-shorewall-rules.txt, each with its own relevant set of rules. You also create executable files /root/lunch-shorewall-setup.sh and /root/work-shorewall-setup.sh, each a shell script which cats the proper config and restarts Shorewall. Your crontab entries might look something like:
Code:
# Setup Shorewall for lunch time at noon every day:
0 12 * * * /root/lunch-shorewall-setup.sh 1> /dev/null
# Lunch time is over at 1PM every day:
0 13 * * * /root/work-shorewall-setup.sh 1> /dev/null
The /root/lunch-shorewall-setup.sh and /root/work-shorewall-setup.sh scripts might look like:
Code:
#!/bin/sh
cat /root/lunch-shorewall-rules.txt > /etc/shorewall/rules && shorewall restart
Code:
#!/bin/sh
cat /root/work-shorewall-rules.txt > /etc/shorewall/rules && shorewall restart
Just my two cents.
Last edited by win32sux; 09-13-2007 at 08:32 PM.
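The cron approach in the post above works, but a typo in one of the two rule files would be discovered at noon by `shorewall restart` failing. Below is an added example (not from the thread or from Shorewall itself) that folds both cron jobs into one script: it chooses the rule set from the current hour, runs `shorewall check` on the new rules file and restores the previous one if the check fails, so the live firewall is only restarted with a configuration Shorewall has accepted. The directory `/root/shorewall-rulesets`, the file names `work.rules` and `lunch.rules`, and the script name are assumptions.

```sh
#!/bin/sh
# Added example (not from the thread): one cron-driven switcher that picks the
# lunch or work Shorewall rule set by the current hour, checks the resulting
# configuration with 'shorewall check' and only then restarts Shorewall.
# Assumed layout: $RULES_DIR/work.rules and $RULES_DIR/lunch.rules hold the two
# versions of /etc/shorewall/rules described in the post above.
set -eu

RULES_DIR=${RULES_DIR:-/root/shorewall-rulesets}   # assumption
LIVE=${LIVE:-/etc/shorewall/rules}                 # Shorewall's real rules file

# Map an hour (00-23, as printed by 'date +%H') to a rule-set name.
# Lunch is 12:00-12:59 as in the thread; any other hour is the working day.
ruleset_for_hour() {
    case "$1" in
        12) echo lunch ;;
        *)  echo work ;;
    esac
}

# Install the named rule set. The previous file is kept as $LIVE.prev and put
# back if Shorewall rejects the new one; because no restart happens in that
# case, the rules already loaded in the kernel stay in force.
apply_ruleset() {
    src="$RULES_DIR/$1.rules"
    [ -r "$src" ] || { echo "apply_ruleset: $src not readable" >&2; return 1; }
    cp -p "$LIVE" "$LIVE.prev"
    cp "$src" "$LIVE"
    if shorewall check >/dev/null 2>&1; then
        shorewall restart
    else
        echo "apply_ruleset: 'shorewall check' failed for $1, restoring previous rules" >&2
        mv "$LIVE.prev" "$LIVE"
        return 1
    fi
}

# Cron runs this as '.../shorewall-switch.sh apply' at 12:00 and 13:00:
#   0 12,13 * * * /root/shorewall-switch.sh apply
# Without the 'apply' argument the script only defines the functions above.
case "${1:-}" in
    apply) apply_ruleset "$(ruleset_for_hour "$(date +%H)")" ;;
    *)     : ;;
esac
```

A single crontab line (`0 12,13 * * * /root/shorewall-switch.sh apply`) replaces the two in the post; cron mails anything the script writes to stderr, so a failed check at noon is noticed rather than silently leaving the old rules in place.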
09-14-2007, 06:09 AM | #4 | LQ Newbie (Original Poster) | Registered: Sep 2007 | Posts: 2
Yeah, I was thinking of setting up a similar cron job, but it was starting to feel more like a hack. I think Squid is definitely the route I should go, after having a look at its capabilities. It seems a little more built for this type of feature.
I appreciate your responses.
Cheers!
09-15-2007, 05:17 AM | #5 | Senior Member (salasi) | Registered: Jul 2007 | Location: Directly above centre of the earth, UK | Distribution: SuSE, plus some hopping | Posts: 3,671
I wasn't sure that you would think that the squid idea was what you wanted, but it does have quite a few advantages.
My tips are:
i) Have a look at squid.conf. As I've already commented, there is quite a lot of it, but 80-90% is really straightforward, so don't let that frighten you.
ii) Of the even slightly scary bit, most is ACLs and you may not even have to bother with that. (Even if you do want the squid acl feature, you are probably best advised to get it running with acls 'wide open' first and then tighten up.)
iii) I'm not sure if the default config works at all with Debian (it certainly didn't with an older version of (k)ubuntu when I tried it). To debug, what you want to do is to run it in the foreground from the command line and look for error messages. To do this, you'll want to be running in a shell logged in as the squid user (usually the problem is one with access rights to something or another). It's easy if you do it this way, but gets just a little hard if you only guess what's going on though!
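The Squid time restriction mentioned in #3 and the ACL tightening described in #5, written out as an added example; this is not configuration from the thread or from Squid's shipped squid.conf. The domain names and the `localnet` ACL are assumptions; the thread's own rule matched an IP address, which in Squid would be a `dst` ACL instead of `dstdomain`.

```squid
# Added example of a Squid lunch-hour exception (not from the thread).
# Sites to block during the working day. A leading dot in 'dstdomain'
# matches the domain and all its subdomains. The IP-based rule from the
# first post would instead be:  acl workday_block dst XXX.XXX.XXX.XXX
acl workday_block dstdomain .example.com .example.net

# Lunch hour on weekdays. Squid's day letters are S M T W H F A
# (Sunday to Saturday); D is shorthand for Monday to Friday.
acl lunch time MTWHF 12:00-13:00

# Deny the blocked sites except during lunch. This line must come BEFORE
# the general allow for the office network: Squid stops at the first
# http_access line whose ACLs all match.
http_access deny workday_block !lunch
http_access allow localnet      # assumption: an existing 'src' ACL for the LAN
http_access deny all
```

Check the file with `squid -k parse` before loading it with `squid -k reconfigure`. Note that the restriction only holds if browsers cannot go around the proxy: the Shorewall policy still needs to reject direct outbound web traffic from the office network, with an exception for the proxy host itself, or the lunch-hour schedule is bypassed by simply unsetting the proxy in the browser.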