Hi all

I have two sons who abuse the internet. Myself and my daughter should have permenta access to the internet. I have deleted all acounts of my sons on the many computers we use exept on theit machines, wihich includes handies, tablets etc.

I do not want to go into a good / bad parental discussion here. My scope is to cut them off the internet for good, while they still can access local intranet infrastructure. I would like to give them a certain time say from 16:30 to 18:30, where the can use the internet and I am home, so I can check on their (ab)use of the internet.

We have opensuse leap 15.0 machines throughout. My firewall is based on firewalld. For the time being we have just two zones, external and internal. I do have a dns and dhcp server running. My best guess is to use rules like this :

==========================================================
iptables -N blocked_access
iptables -A blocked_access -m mac ! --mac-source xx:xx:xx:xx:xx:xx -j RETURN
iptables -A blocked_access -m time --timestart 20:00 --timestop 22:00 --weekdays Sun,Mon,Tue,Wed,Thu --syn -j ACCEPT
iptables -A blocked_access -j DROP
===========================================================

Which I found here https://www.linuxquestions.org/quest...ddress-787456/

The example above is based on iptables. I would like to use firewalld though. I could not find a single reference to a similar exmpla.

Can anyone help?

Greez
chris

why don't you specify static ip addresses?
You may also want to check pi-hole, which will filter sites.

Hi and thanks for your reply. Allow a few questions though:

What do I gain from static ip's? Especially looking at the time window. I believe, I will have a lot of configuration work ahead and probably increased maintenance efforts. I might be able to set fixed ip's in the dhcp server though. but still: what is the benefit of it and how do static ips with some additionla steps solve my problem?

The hint to pi hole is great! So big fat thanks for it. However I cannot see, how I can block the devices of my sons for a defined period and still allowing my daughter and myself unlimited access.

Greez
chris

Found here by searching for firewalld block mac address firewalld.org looks to have all the documentation and a couple of fora.

I'm not quickly finding anything about time windows, tho. Perhaps a cron job to open open/close the firewall for the mac addresses at desired times? Just an idea.

scasey
Thanks for the valuable input. I will try the cron job idea, I think it is great! I'll report back, as I believe I am not alone with my problem.
Greez
chris

How about the "direct" directive as referenced here. The links included point to firewalld.org/documentation/direct/ and man-pages/firewalld.direct.

I am not my place at the time of writing. I will try this:

Could this work?

Greez
chris

Hi all

While trying to set up the filters proposed, I had off course to collect the various mac addresses of my sons devices. I don't know but that opened another box. There are 2 iphones and 2 androids. These devices seem to change their mac addresses. Researching the cause, I found this. Thus my approach is rendered useless at least for the devices that sport the "randomize-mac-address-feature".
I thought I was back on field one, but maybe might still be really set to field one I guess:

Tracking the macs and their IP's revealed that interestingly enough, the devices got the same IP as they had on last dhcp request. If that was sound, I could use IP-adresses instead of macs. Using a dchpserver, that cannot be steady. So I guess I am really back on field one.

How to proceed from here?

Greez
chris[/QUOTE]

Hi all

Leaving the issue with the mobile devices aside (for now), I tried to block the laptops as follows:

The laptops can be connected through lan and/or Wlan.

On my gateway I have
Zone external eth1
Zone home eth0

If anymore info is required, kindly ask.

Excerpts of home.xml:
after , I went to son2's laptop and cols surf the internet as if nothing was done to block it.

I checked the logs:
So firewalld configured iptables. But no blocking takes effect?

The log says, the rules are in force.

What's wrong that the blocking is not in effect?
I would really appreciate help.

greez chris

Hi all
I'm giving this up. It just does not work using firewalld.
Greez
chris

iOS 12 has a new feature, Screen Time, that allows management of on-line time and which apps are allowed...I think. Haven't dug into it. Don't need it here. Might help you tho.

Don't know if Android has a similar tool.

Sean
Thanks for the hint. I'll check the iphone of my younger son for that feature.
The trouble is, I now need to run at several devices, where I could have done it at my gatway / firewall only. I did love that concept much more than buing/configuring stuff on currently 4 different platforms. Really a pita, it does not work as planned using firewalld.
I am giving a try using a raspberry and iptables. But that is another topic and thread then.
Greez
chris

PS: I am sure though, I am not the only one with this problem. So where are the other "victims"?