LinuxQuestions.org
Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Old 09-13-2007, 10:20 AM   #1
Gavin Vickery
LQ Newbie
 
Registered: Sep 2007
Posts: 2

Rep: Reputation: 0
Shorewall Scheduling


I'm working on setting up a Debian firewall (Shorewall) at my office. So far so good. All the necessary rules are in place, and everything seems to be working great.

However, I've been wanting to block access to some sites during the workday, but open them during lunch hour. For example, I would like to block specific websites around the clock, but open them daily from 12-1pm.

Is there a way to automate this? I'm currently just going in before noon and commenting out those specific rules, and uncommenting them at 1pm.

Current Block Rule:
Code:
REJECT  loc  net:XXX.XXX.XXX.XXX  tcp  www,http
Cheers.
 
Old 09-13-2007, 02:33 PM   #2
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 3,887

Rep: Reputation: 774
If you were prepared to push all web accesses through squid, it does have quite extensive access controls and I'm sure (errr, I haven't tried exactly this, but, from memory of squid.conf, the controls are there to do exactly this sort of thing and more) it could be achieved.

Squid is a cache program, and so may well reduce your overall bandwidth usage and might even speed things up a little (and even have a positive security impact if all incoming http packets are constrained to come through it), but there is a disadvantage; there is quite a lot of set-up to be done. It isn't really all that difficult, but there is quite a lot of it.
 
Old 09-13-2007, 08:25 PM   #3
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371
Yeah, as mentioned by salasi, when it comes to filtering access to websites you definitely should do it with a proxy (such as Squid - which comes with this sort of time restriction functionality built-in) instead of with an IP firewall.

That said, what you are trying to do (with Shorewall) could be accomplished by having two text files (one with the config for work and one with the config for lunch) and then have a cron job run at noon and 1PM which does a "cat" into the real config and restarts Shorewall.

Let's say you create files /root/lunch-shorewall-rules.txt and /root/work-shorewall-rules.txt, each with its own relevant set of rules. You also create executable files /root/lunch-shorewall-setup.sh and /root/work-shorewall-setup.sh, each a shell script which cats the proper config and restarts Shorewall. Your crontab entries might look something like:
Code:
# Setup Shorewall for lunch time at noon every day:
0 12 * * * /root/lunch-shorewall-setup.sh 1> /dev/null

# Lunch time is over at 1PM every day:
0 13 * * * /root/work-shorewall-setup.sh 1> /dev/null
The /root/lunch-shorewall-setup.sh and /root/work-shorewall-setup.sh scripts might look like:
Code:
#!/bin/sh
cat /root/lunch-shorewall-rules.txt > /etc/shorewall/rules && shorewall restart
Code:
#!/bin/sh
cat /root/work-shorewall-rules.txt > /etc/shorewall/rules && shorewall restart
Just my .

Last edited by win32sux; 09-13-2007 at 08:32 PM.
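The cron approach above works, but a blind `cat` into /etc/shorewall/rules followed by a restart means that a typo in one of the rule sets takes the firewall down at noon with nobody watching. The script below is an added example (not win32sux's scripts and not part of Shorewall) that does the same swap from a single script, backs up the live rules file, runs `shorewall check` before restarting, and rolls back if the check fails. The directory /root/shorewall-rulesets, the file names lunch.rules and work.rules, and the overridable CHECK_CMD/APPLY_CMD variables are assumptions made for this example; the two crontab lines would then be `0 12 * * * /root/shorewall-switch.sh lunch` and `0 13 * * * /root/shorewall-switch.sh work`.

```shell
#!/bin/sh
# shorewall-switch.sh (constructed example, not from the thread):
# swap the live Shorewall rules file between named rule sets, checking the
# configuration before restarting and restoring the previous file on failure.
#
# Assumed layout (override via environment):
#   $RULES_DIR/<mode>.rules   the candidate rule sets, e.g. work.rules, lunch.rules
#   $SHOREWALL_DIR/rules      the live rules file Shorewall reads
# CHECK_CMD and APPLY_CMD are overridable so the script can be dry-run
# (e.g. CHECK_CMD=true APPLY_CMD=true) on a box without Shorewall installed.

RULES_DIR="${RULES_DIR:-/root/shorewall-rulesets}"
SHOREWALL_DIR="${SHOREWALL_DIR:-/etc/shorewall}"
CHECK_CMD="${CHECK_CMD:-shorewall check}"
APPLY_CMD="${APPLY_CMD:-shorewall restart}"

# Map an hour of the day (00-23) to a rule set: 12:00-12:59 is lunch.
# Lets one cron line "0 12,13 * * * /root/shorewall-switch.sh" do both switches.
mode_for_hour() {
    case "$1" in
        12) echo lunch ;;
        *)  echo work ;;
    esac
}

# Install the named rule set: keep a copy of the live file as rules.prev,
# move the new file into place, run the config check, and only then restart.
# If the check fails, the previous rules file is put back and nothing restarts.
switch_rules() {
    mode="$1"
    src="$RULES_DIR/$mode.rules"
    dst="$SHOREWALL_DIR/rules"
    if [ ! -f "$src" ]; then
        echo "switch_rules: no such rule set: $src" >&2
        return 1
    fi
    if [ -f "$dst" ]; then
        cp -p "$dst" "$dst.prev" || return 1
    fi
    # Write to a temp file first so a half-written rules file is never live.
    cp "$src" "$dst.new" && mv -f "$dst.new" "$dst" || return 1
    if ! $CHECK_CMD; then
        echo "switch_rules: '$CHECK_CMD' failed for $mode, restoring previous rules" >&2
        if [ -f "$dst.prev" ]; then
            mv -f "$dst.prev" "$dst"
        fi
        return 1
    fi
    $APPLY_CMD
}

# Entry point: explicit mode from cron, or derive it from the current hour.
case "${1:-}" in
    lunch|work) switch_rules "$1" ;;
    auto)       switch_rules "$(mode_for_hour "$(date +%H)")" ;;
esac
```

Because `shorewall check` compiles the whole configuration directory, the check also catches mistakes elsewhere in /etc/shorewall that would otherwise surface only at the noon restart. Keep the rule sets readable only by root, since whoever can edit them controls what the firewall allows.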
 
Old 09-14-2007, 06:09 AM   #4
Gavin Vickery
LQ Newbie
 
Registered: Sep 2007
Posts: 2

Original Poster
Rep: Reputation: 0
Yea, I was thinking of setting up a similar cron job, but it was starting to feel more like a hack. I think Squid is definitely the route I should go, after having a look at its capabilities. It seems a little more built for this type of feature.

I appreciate your responses.

Cheers!
 
Old 09-15-2007, 05:17 AM   #5
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 3,887

Rep: Reputation: 774
I wasn't sure that you would think that the squid idea was what you wanted, but it does have quite a few advantages.

My tips are:
i) Have a look at squid.conf. As I've already commented, there is quite a lot of it, but 80-90% is really straightforward so don't let that frighten you.

ii) Out of the even slightly scary bit, most is ACLs and you may not even have to bother with that. (Even if you do want the squid acl feature, you are probably best advised to get it running with acls 'wide open' first and then tighten up).

iii) I'm not sure if the default config works at all with Debian (it certainly didn't with an older version of (k)ubuntu when I tried it). To debug, what you want to do is to run it in the foreground from the command line and look for error messages. To do this, you'll want to be running in a shell logged in as the squid user (usually the problem is one with access rights to something or another). It's easy if you do it this way, but gets just a little hard if you only guess what's going on though!
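The "wide open first, then tighten up" advice in tip ii) maps directly onto Squid's ACL model: time-of-day and destination-domain ACLs are declared separately and combined on http_access lines, so the lunch-hour exception the thread asks for is a matter of ordering. The fragment below is an added example of such a squid.conf section, not configuration from the thread or from Squid's defaults; the LAN range, the blocked domain and the office hours are constructed placeholders. Squid's time ACL uses single-letter day codes (M T W H F for Monday to Friday) and a 24-hour range, and http_access rules are evaluated top to bottom with the first match winning.

```squid
# Added example squid.conf fragment (not from the thread): block a site during
# office hours but let it through over lunch, for clients on the office LAN.
# 192.168.1.0/24, example.com and the hours are constructed placeholders.

acl localnet  src 192.168.1.0/24
acl Safe_ports port 80 443

# Two office-hour windows, Mon-Fri, with a gap from 12:00 to 13:00.
acl morning   time MTWHF 09:00-12:00
acl afternoon time MTWHF 13:00-18:00

# The destination(s) to restrict. A leading dot matches all subdomains too.
acl lunch_only_sites dstdomain .example.com

# Order matters: deny the site inside the two work windows, then allow the LAN.
# 12:00-13:00 matches neither window, so the request falls through to "allow".
http_access deny  !Safe_ports
http_access deny  lunch_only_sites morning
http_access deny  lunch_only_sites afternoon
http_access allow localnet
http_access deny  all
```

The weak version of this, and the reason for tip ii), is leaving `http_access allow all` at the bottom while experimenting: it makes the cache an open proxy for anyone who can reach port 3128. Keep `http_access deny all` as the last line from the start and add allow lines above it. For the restriction to mean anything, direct outbound HTTP from the LAN also has to be rejected in the Shorewall rules, so the proxy is the only way out.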
 
Tags: automate, schedule, shorewall