Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
09-13-2007, 10:20 AM
#1
LQ Newbie
Registered: Sep 2007
Posts: 2
Shorewall Scheduling
I'm working on setting up a Debian firewall (Shorewall) at my office. So far so good. All the necessary rules are in place, and everything seems to be working great.
However, I've been wanting to block access to some sites during the workday, but open them during lunch hour. For example, I would like to block specific websites around the clock, but open them daily from 12-1pm.
Is there a way to automate this? I'm currently just going in before noon and commenting out those specific rules, and uncommenting them at 1pm.
Current Block Rule:
Code:
REJECT loc net:XXX.XXX.XXX.XXX tcp www,http
Cheers.
09-13-2007, 02:33 PM
#2
Senior Member
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 4,070
If you were prepared to push all web accesses through squid, it does have quite extensive access controls and I'm sure (errr, I haven't tried exactly this, but, from memory of squid.conf, the controls are there to do exactly this sort of thing and more) it could be achieved.
Squid is a cache program, and so may well reduce your overall bandwidth usage and might even speed things up a little (and even have a positive security impact if all incoming http packets are constrained to come through it), but there is a disadvantage; there is quite a lot of set-up to be done. It isn't really all that difficult, but there is quite a lot of it.
09-13-2007, 08:25 PM
#3
LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
Yeah, as mentioned by salasi, when it comes to filtering access to websites you definitely should do it with a proxy (such as Squid - which comes with this sort of time restriction functionality built-in) instead of with an IP firewall.
That said, what you are trying to do (with Shorewall) could be accomplished by having two text files (one with the config for work and one with the config for lunch) and then have a cron job run at noon and 1PM which does a "cat" into the real config and restarts Shorewall.
Let's say you create files /root/lunch-shorewall-rules.txt and /root/work-shorewall-rules.txt, each with its own relevant set of rules. You also create executable files /root/lunch-shorewall-setup.sh and /root/work-shorewall-setup.sh, each a shell script which cats the proper config and restarts Shorewall. Your crontab entries might look something like:
Code:
# Setup Shorewall for lunch time at noon every day:
0 12 * * * /root/lunch-shorewall-setup.sh 1> /dev/null
# Lunch time is over at 1PM every day:
0 13 * * * /root/work-shorewall-setup.sh 1> /dev/null
The /root/lunch-shorewall-setup.sh and /root/work-shorewall-setup.sh scripts might look like:
Code:
#!/bin/sh
cat /root/lunch-shorewall-rules.txt > /etc/shorewall/rules && shorewall restart
Code:
#!/bin/sh
cat /root/work-shorewall-rules.txt > /etc/shorewall/rules && shorewall restart
Just my .
Last edited by win32sux; 09-13-2007 at 08:32 PM.
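The two-script cron scheme above can be folded into one scheduler script; this is an added example, not win32sux's code. It picks the rule set from the current hour, replaces /etc/shorewall/rules atomically, and runs `shorewall check` before restarting, so a typo in the lunch file is rolled back instead of leaving the office without a working firewall. The script name /root/shorewall-schedule.sh, the rule-file locations and the SHOREWALL variable are assumptions.

```shell
#!/bin/sh
# Added example: hour-driven Shorewall rule switcher with a "check" gate.
# Assumed locations; override via the environment (used by the test below).
RULES_DIR=${RULES_DIR:-/root}                  # holds lunch-/work-shorewall-rules.txt
RULES_FILE=${RULES_FILE:-/etc/shorewall/rules} # the live rules file
SHOREWALL=${SHOREWALL:-shorewall}              # command used for "check" and "restart"

# Map an hour (00-23, as printed by `date +%H`) to the rule set that should
# be active: the 12 o'clock hour is lunch, everything else is the work set.
rules_for_hour() {
    case "$1" in
        12) echo lunch ;;
        *)  echo work ;;
    esac
}

# Install the named rule set. Returns 0 on success (or if it is already in
# place), 1 if the source file is missing or Shorewall rejects it; on a
# rejection the previous rules file is put back untouched.
install_rules() {
    set_name=$1
    src="$RULES_DIR/$set_name-shorewall-rules.txt"
    [ -f "$src" ] || { echo "missing rule set: $src" >&2; return 1; }
    # Idempotent: nothing to do if the wanted rules are already live.
    if cmp -s "$src" "$RULES_FILE"; then
        return 0
    fi
    backup="$RULES_FILE.prev"
    cp "$RULES_FILE" "$backup" 2>/dev/null || :   # no backup on first install
    tmp="$RULES_FILE.tmp.$$"
    cp "$src" "$tmp" && mv "$tmp" "$RULES_FILE"   # mv is atomic on one filesystem
    if "$SHOREWALL" check >/dev/null 2>&1; then
        "$SHOREWALL" restart >/dev/null 2>&1
    else
        echo "shorewall check rejected $src; restoring previous rules" >&2
        [ -f "$backup" ] && mv "$backup" "$RULES_FILE"
        return 1
    fi
}

# Crontab entry (one line replaces the two in the post):
#   0 12,13 * * * /root/shorewall-schedule.sh run
# Because install_rules is idempotent, running it every hour is also safe.
case "${1-}" in
    run) install_rules "$(rules_for_hour "$(date +%H)")" ;;
esac
```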
09-14-2007, 06:09 AM
#4
LQ Newbie
Registered: Sep 2007
Posts: 2
Original Poster
Yea, I was thinking of setting up a similar cron job, but it was starting to feel more like a hack. I think Squid is definitely the route I should go, after having a look at its capabilities. It seems a little more built for this type of feature.
I appreciate your responses.
Cheers!
09-15-2007, 05:17 AM
#5
Senior Member
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 4,070
I wasn't sure that you would think that the squid idea was what you wanted, but it does have quite a few advantages.
My tips are:
i) Have a look at squid.conf. As I've already commented, there is quite a lot of it, but 80-90 % is really straightforward so don't let that frighten you.
ii) Out of the even slightly scary bit, most is ACLs and you may not even have to bother with that. (Even if you do want the squid acl feature, you are probably best advised to get it running with acls 'wide open' first and then tighten up).
iii) I'm not sure if the default config works at all with Debian (it certainly didn't with an older version of (k)ubuntu when I tried it). To debug, what you want to do is to run it in the foreground from the command line and look for error messages. To do this, you'll want to be running in a shell logged in as the squid user (usually the problem is one with access rights to something or another). It's easy if you do it this way, but gets just a little hard if you only guess what's going on though!