Restrict based on time of day

Restrict based on time of day

[Gary W. Smith]

Hello, 

I was asked today by a client if we can configure the firewall to
restrict outgoing traffic between certain time frames from certain IP's.
Basically they have had issues with people using the system in
appropriately after hours.  We have policy restrictions in place that
prevent people from logging into the domain after hours but they have
their own laptops which causes a problem.

We have a set of servers that will need access so we don't want to block
everything.  The network is segmented into two subnets, one for servers
and the other for workstations.  We just want to block the workstations
from going out.

Is there a module for doing this?

Gary Smith

Re: Restrict based on time of day

[Grant Taylor]

> I was asked today by a client if we can configure the firewall to
> restrict outgoing traffic between certain time frames from certain IP's.
> Basically they have had issues with people using the system in
> appropriately after hours.  We have policy restrictions in place that
> prevent people from logging into the domain after hours but they have
> their own laptops which causes a problem.

Gary, this could easily be done with the IPTables "Time" match.  Take a look at "http://www.netfilter.org/projects/patch-o-matic/pom-base.html#pom-base-time", I think you will find it very interesting and help full.



Grant. . . .

RE: Restrict based on time of day

[Gary W. Smith]

Does this one require a kernel recompile or can you link it externally?

> -----Original Message-----
> From: Grant Taylor [mailto:gtaylor@riverviewtech.net]
> Sent: Saturday, April 15, 2006 10:52 AM
> To: Gary W. Smith
> Cc: netfilter@lists.netfilter.org
> Subject: Re: Restrict based on time of day
> 
> > I was asked today by a client if we can configure the firewall to
> > restrict outgoing traffic between certain time frames from certain
IP's.
> > Basically they have had issues with people using the system in
> > appropriately after hours.  We have policy restrictions in place
that
> > prevent people from logging into the domain after hours but they
have
> > their own laptops which causes a problem.
> 
> Gary, this could easily be done with the IPTables "Time" match.  Take
a
> look at "http://www.netfilter.org/projects/patch-o-matic/pom-
> base.html#pom-base-time", I think you will find it very interesting
and
> help full.
> 
> 
> 
> Grant. . . .

Re: Restrict based on time of day

[Grant Taylor]

> Does this one require a kernel recompile or can you link it externally?

Well, I always recompile my kernel.  I suppose you could compile it in as a module.  That is if there are not other internal structures that change when you introduce the new feature.  Are you opposed to recompiling the kernel?  If so, can I ask why?




Grant. . . .

RE: Restrict based on time of day

[Gary W. Smith]

I also recompile the kernel on many of my boxes but this isn't my box
nor my configuration and I don't want to break anything in their
environment at this time.

Overall, I'm just gathering information for them so I can propose their
options.

> -----Original Message-----
> From: Grant Taylor [mailto:gtaylor@riverviewtech.net]
> Sent: Sunday, April 16, 2006 8:21 PM
> To: Gary W. Smith
> Cc: netfilter@lists.netfilter.org
> Subject: Re: Restrict based on time of day
> 
> > Does this one require a kernel recompile or can you link it
externally?
> 
> Well, I always recompile my kernel.  I suppose you could compile it in
as
> a module.  That is if there are not other internal structures that
change
> when you introduce the new feature.  Are you opposed to recompiling
the
> kernel?  If so, can I ask why?
> 
> 
> 
> 
> Grant. . . .