On Fri 05 Aug 2016 at 20:02:58 +0100, Brian wrote:

> On Fri 05 Aug 2016 at 13:48:54 -0400, Dan Ritter wrote:
>
> > I have a new suggestion, based on this.
> >
> > Do all the filtering on your LFS box.
> >
> > Match your kid's machine by MAC address.
> >
> > Write two tiny scripts:
> >
> > #!/bin/sh
> > iptables -D FORWARD -m mac --mac-source 58:63:1a:af:71:72 -j DROP
> >
> >
> > #!/bin/sh
> > iptables -I FORWARD -m mac --mac-source 58:63:1a:af:71:72 -j DROP
> >
> > (substituting in the appropriate MAC address for the machine, of
> > course)
> >
> > and run the first one at 9 PM to disable internet access, and
> > run the second one at 8 AM or whatever to re-enable it. Cron is
> > your friend.
>
> For this particular situation (LFS=Linux From Scratch?) this does appear
> to be the easiest (less work) and most obvious solution.

But not foolproof. As was said earlier

> > If I leave a hole in this that can be exploited without strong
> > technical skills, I'm confident he'll find it...

Wicd and network-manager are popular, so one of them could be on the
system. Someone in possession of a USB wireless adapter can plug it in
or use it to replace the existing one. Either piece of software can be
used to configure the new interface. This interface has a MAC address
unknown to the LFS box. The interface name can be found with 'ip link'
so a default route can still be controlled.

No wicd and network-manager on the machine? No problem; a USB stick with
Debian on it and a reboot solves that. Plus it could be used for MAC
spoofing. :)
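
An added example, not part of the thread: the two quoted scripts folded into one toggle that checks for the rule with `iptables -C` first, so a repeated cron run neither stacks duplicate DROP rules nor fails on a missing one. `-I` inserts the DROP rule (forwarding for that MAC is blocked) and `-D` deletes it; the script name `curfew`, the `IPT` override and the install path are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): idempotent block/unblock of one MAC.
# IPT lets the iptables binary be overridden (assumption, handy for dry runs).
IPT="${IPT:-iptables}"

# Accept only a 6-octet colon-separated hex MAC so a typo never reaches iptables.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# True if the DROP rule for this MAC is already in FORWARD.
# -C only checks for the rule; it changes nothing.
is_blocked() {
    "$IPT" -C FORWARD -m mac --mac-source "$1" -j DROP 2>/dev/null
}

# Insert the DROP rule once; a second run must not stack a duplicate.
block_mac() {
    valid_mac "$1" || return 2
    is_blocked "$1" || "$IPT" -I FORWARD -m mac --mac-source "$1" -j DROP
}

# Delete every copy of the rule; succeed even if it was never there.
unblock_mac() {
    valid_mac "$1" || return 2
    while is_blocked "$1"; do
        "$IPT" -D FORWARD -m mac --mac-source "$1" -j DROP || return 1
    done
}

# Entry point, e.g. from root's crontab (install path is hypothetical):
#   0 21 * * * /usr/local/sbin/curfew block   58:63:1a:af:71:72
#   0 8  * * * /usr/local/sbin/curfew unblock 58:63:1a:af:71:72
case "${1:-}" in
    block)   block_mac "${2:-}" ;;
    unblock) unblock_mac "${2:-}" ;;
    status)  is_blocked "${2:-}" && echo blocked || echo open ;;
esac
```

The rule still matches only the listed source MAC, so the limits raised in the reply above (a second adapter, a spoofed address) apply to this version as well.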