Oliver Bode wrote:
> Hi,
>
> I have an openbsd firewall on my home network.
>
> My daughter has become addicted to msn and I've spoken to her about
> restricting the time she spends on it.
>
> What I want to do is only allow her access to msn for say 1 or 2 hours a
> day and enforce this on the firewall as well.
>
> I can block access to msn on the firewall but I'm not sure of the best
> approach to enforce the time limit.
>
> I'm thinking I could write a script run by cron every minute to
> calculate if her time is up but I think this is a bit messy. Is there a
> better approach?

Hm. Well...sounds like trying to use technology to substitute for management, which is not something I agree with. (yeah, I have no kids, so it's easy for me to talk about high ideals when it comes to raising other people's kids. :)

HOWEVER, it is an interesting puzzle (which is something I enjoy)...

I'm assuming you want to allow her a "X amount of time per day", not "access from X:XXpm to Y:YYpm every day". If the latter is what you want, it's trivial: two PF scripts, two cron jobs, one is loaded at the start of the unrestricted time, the other at the end of the unrestricted time. The default ruleset should be "restricted", that way, you don't have "accidental" bumping of the gateway's power switch... (Alternatively, use a table, and load/delete user's workstations).

Assuming you want to limit time-per-day, but don't care when, how about this:

Use authpf to control and track usage. In order for the user to actually get access to the "regulated" sites, they must first state their intention by running authpf to open access to that site.

Every minute, a cron job looks for running authpf processes, and if found, logs a line to a file. If that file gets to 60, 90, 120, whatever lines long, the same cron job will add the user's name to the /etc/authpf/banned directory, and kill the existing authpf session. (note: grepping the output of "ps -ax" is a starting point...but remember: sometimes you will pick up the grep line itself in ps...)

Some time absurdly early in the morning, another cron job would clear the "log" files for all users and all the /etc/authpf/banned/ files.

Variation: instead of running the cron job every minute, run it every five minutes. Maybe she'll figure out how to write a program which will anticipate the check, drop the authpf session, and start it back up ten seconds later. Sure, it defeats the purpose, but it would be far more educational... you have taught her to program, and made her think it was her idea (I'm remembering my dad's statement: "A parent's job is to get the kids out of the house and make them think it was their idea". BTW: his other solution to every child-raising problem was the expression, "Get a job!", which we started hearing about age five.). The one-minute time interval is probably too fast for that, though if you really want to keep that from happening, don't run ntpd on the firewall. :)

Nick.
(who should really work out a "no more than an hour a day on misc@" control for himself)
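
The authpf quota scheme described in the reply above, as an added example that is not part of the original post: one script serves as both the per-minute cron job and the early-morning reset. Assumptions: the `STATE_DIR` path and the cron schedule are hypothetical, and authpf sessions are assumed to show up in `ps` under the login user's name with the command name `authpf`.

```sh
#!/bin/sh
# Added example: daily time quota for authpf sessions (not from the original post).
LIMIT=${LIMIT:-120}                            # minutes allowed per day
STATE_DIR=${STATE_DIR:-/var/db/authpf-quota}   # hypothetical path for the tally files
BANNED_DIR=${BANNED_DIR:-/etc/authpf/banned}   # directory named in the post

# tick STAMP: reads "user pid comm" rows on stdin, adds one tally line per
# user per STAMP, bans users at LIMIT and prints the PIDs of their sessions.
tick() {
    stamp=$1
    mkdir -p "$STATE_DIR"
    # Match the command-name column exactly, so a "grep authpf" never counts.
    awk '$3 == "authpf" { print $1, $2 }' | while read -r user pid; do
        case $user in
            ''|.*|*[!A-Za-z0-9_.-]*) continue ;;   # the name becomes a filename
        esac
        log=$STATE_DIR/$user
        last=
        if [ -f "$log" ]; then last=$(tail -n 1 "$log"); fi
        # Two sessions, or two runs in the same minute, cost only one line.
        if [ "$last" != "$stamp" ]; then echo "$stamp" >> "$log"; fi
        n=$(( $(wc -l < "$log") ))
        if [ "$n" -ge "$LIMIT" ]; then
            : > "$BANNED_DIR/$user"    # authpf refuses users listed here
            echo "$pid"
        fi
    done
}

# reset_day: clears the tallies and only the bans this script could have created.
reset_day() {
    for f in "$STATE_DIR"/*; do
        [ -f "$f" ] || continue
        rm -f "$BANNED_DIR/${f##*/}" "$f"
    done
}

# Cron entry points (assumed schedule): "tick" every minute, "reset" early morning.
case ${1:-} in
    tick)  ps -axo user=,pid=,comm= | tick "$(date +%Y%m%d%H%M)" | xargs -r kill ;;
    reset) reset_day ;;
esac
```

Unlike the reply's "clear all the /etc/authpf/banned/ files", `reset_day` leaves bans placed by hand in place, because it removes a ban only when a matching tally file exists.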