Hi there!

"Security" means to constantly re-evaluate your options and processes -
right? So the other day I checked the settings in the Fritz!Box router
and remembered that they had implemented a time quota for a defined
group of users (=IPs).

Example: My young son has a tablet and a mobile phone (both Android) and
has access to the internet with any device within a defined time frame
and an overall maximum of x hours, individually set for each day of the
week. In the rare cases that he needs more time he uses the joker named
"Mama" ... ;-) (Side note: Just like pocket money the allowed time is
regularly revised for age and experience - not behaviour!)

Consider other situations where you'd like to meet your responsibilities:
- There may be usual office times from 06:30 am to 21:00 pm (some people
like to work early, other late): Outside of this time frame access to
the internet may not be acceptable (with rare exceptions) - or might mean
that a machine is hijacked to be a part of a bot or to do some bitcoin
calculations... whatever.
- Within this time frame no one is legally permitted to work longer than
8 hours based on his login credentials to the office net (not device).
- Just some specified servers do backups to the cloud and e.g. are
granted access to the internet exclusively at night time (thus being
exceptions to the general rule above).
- The web and mail servers are separate to the office net and always-on.

The technical quest is in principle the same as the one I described
above. Simply spoken: If no one of the 'guys and gals' responsible for
safe and smooth operations is around, the internet is turned off (or s/he
gets paid overtime hours :-)).

Can s.th. like this be set up with OpenBSD being the central router? I
searched the FAQ and several man-pages but didn't get an idea of how to
proceed. My very first idea (=dream) was "e.g. set the general time
frame with PF" and "the individual quotas or access times within
anchors". Unfortunately nothing appropriate was found by the "leading"
internet search engine.

If someone has found a solution to such a task it would be great to get
to know how this was achieved, of course with OpenBSD.

Please: I am just curious and interested to learn about my (realistic)
options.

TIA.

Best,
STEFAN
