View Full Version : little linux distro to do internet scheduling
archie
03-11-2004, 01:10 PM
just wondering if there was some little specialised linux distro (ipcop, smoothwall style) which would allow me to specify rules for net usage for a IP on my LAN.
for example:
192.168.1.100 - no access to port 80 from 8pm-10pm Mon-Fri
192.168.1.100 - no access to port 21 from 7am-12pm Sat
etc
cheers.
JasonM
03-11-2004, 04:18 PM
Without me going into details, you could get CRON to perform on/off scripts, at the times you have specified.
I'm sure someone else can assist here....
Jason
mbottrell
03-11-2004, 04:23 PM
Why not have a script that runs and enables/disables various iptable rules via crontab?
It's the easiest way to implement what you want.
archie
03-11-2004, 04:27 PM
i was hoping it had a web based front-end as im a linux n00b...
i'm guessing CRON is a program which runs on a linux distro?
mbottrell
03-11-2004, 05:27 PM
CRON -- yeah... it's a job scheduler that can run various programs at given times.
Play around with a few distros... what you have requested seems pretty basic... (now you have PIPE you can suck down as many Linux distros from a PIPE peer as you like for free!).
BTW -- cron also runs under Windows. ;)
archie
03-11-2004, 05:38 PM
would something like ISA server (yes i know its not linux) be able to handle my initial request?
mbottrell
03-11-2004, 05:43 PM
*shudders and walks away*
Ya on ya own.....
I doubt it though... though I haven't played with it much!
mbottrell
03-11-2004, 05:44 PM
I like http://www.astaro.com/ Their Linux firewall is very very good....
You can pickup a free trial...
It's also free for personal use... perfect for a home DSL gateway.. :D
It has the best web interface of all the Linux firewalls out there. :)
archie
03-11-2004, 05:57 PM
*shudders and walks away*
Ya on ya own.....
I doubt it though... though I haven't played with it much!
only asked as i can get a free legit copy from uni...
and yeah i did a search and saw your post recommending astaro, had a play with their 'demo' frontend..
Squid can do that :-)
You can setup ACLs in the config which allow certain computers to access during a certain time.
If you just make a transparent proxy then users don't even know about it :-)
archie
03-11-2004, 06:53 PM
Squid can do that :-)
You can setup ACLs in the config which allow certain computers to access during a certain time.
If you just make a transparent proxy then users don't even know about it :-)
sounds promising.. :)
and squid is part of?
Squid is a proxy. You can install it on any linux distro.
I think it comes with some 'firewall made' distros like smoothwall - but you may want to check that out first :eek:
archie
03-11-2004, 08:41 PM
lol.. this is sounding harder and harder by the minute....
i think it might just be easier to hide her network cable! :P
Not as fun :-)
Smoothwall comes with a proxy, but it doesn't allow those features unfortunately.
mbottrell
03-11-2004, 11:36 PM
lol.. this is sounding harder and harder by the minute....
i think it might just be easier to hide her network cable! :P
The text config file is well documented in Squid and there is plenty of documentation available... you'll be surprised how easy a SQUID proxy is to setup....
you'll be surprised how easy a SQUID proxy is to setup....
And there's positively heaps of web front ends. I used to use a specialised fw linux distro by mandrake called Multi Network Firewall (successor to the SNF, where S stood for simple, single and small at various stages of its life). It had a web front end to all firewall options including squid config. It's still kicking around I think and worth a look.
I'm currently using squid on a more general linux install but still use the webmin front end occasionally(webmin is a web based administration tool written by an Aussie :) -- and distributed with many linux flavours).
I checked before writing and its time/date based acl is pretty simple.
1. there's a button called create acl, with date and time selectable from a drop down box.
2.Then pick the days of the week and the time of day. Done like a dinner!! :D
all on the web page, no command line in sight.
There seem to be plenty of handy linux people on these forums, so if you get stuck post your configs/errors and we can always help you out.
You'd be amazed at the lengths we'll go to to prevent another disease carrying windows machine polluting the net.
My spam count hovers around 300 emails a day. :mad: Anything to prevent it from growing
Incabulos
08-11-2004, 05:16 PM
Remember too that squid is pretty much for handling http/https traffic only, so is not suitable for restricting ftp traffic between 7am-12pm Sat, or any other non-http protocol for a given criteria. The granularity of control over http is very nice though, besides times/dates you can filter based on url mime types, sizes, domains and IP addresses, authenticated user groups ( ie a school might let anyone authenticating as 'staff' access everything, whereas non-authenticated users can only access some sites ), and more..
If you want a generic way of filtering traffic based on time of day though I think having cron switch in different firewall rulesets to be active in any given period is the easiest way. There's probably an arcane way to do time-of-day filtering directly via netfilter/iptables ( ever looked at how many kernel modules this incorporates now? what a mess! ), but I prefer to keep the rulesets simple and readable as possible. Or even better, use pf on a *BSD instead :)
Remember too that squid is pretty much for handling http/https traffic only, so is not suitable for restricting ftp traffic between 7am-12pm Sat, or any other non-http protocol for a given criteria.
Squid is fine for ftp. :D
try the following acls
acl myftpacl proto ftp
acl time_acl time M T W H F 9:00-17:00
the http_access rule set can be used for ftp as well like so:
http_access allow time_acl myftpacl
too easy. Squid can be a bit arcane but its worth the effort. It's fast and has so many features other web cache products don't have.
If you have problems getting it going post away, I'm sure we can help you out. :)
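The cron-switched firewall rules suggested in this thread, as an added example that is not part of any poster's message: it turns the two rules from the opening post into /etc/cron.d entries. It assumes the Linux box is the LAN gateway (so the FORWARD chain applies) and that iptables lives at /sbin/iptables; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: emit /etc/cron.d lines that insert a REJECT rule at the start
# of a blocked period and delete it at the end.
# Assumptions: FORWARD chain on the gateway, iptables at /sbin/iptables.
IPT=/sbin/iptables

# cron_lines IP PORT HH:MM HH:MM DAYS  -> prints two cron.d lines, or returns 1
cron_lines() {
    ip=$1 port=$2 start=$3 end=$4 days=$5

    # Validate every field: these strings end up in a command run by root,
    # so anything that is not a plain address/port/time/day list is refused.
    echo "$ip"    | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'   || return 1
    echo "$port"  | grep -Eq '^[1-9][0-9]{0,4}$'               || return 1
    [ "$port" -le 65535 ]                                      || return 1
    echo "$start" | grep -Eq '^([01][0-9]|2[0-3]):[0-5][0-9]$' || return 1
    echo "$end"   | grep -Eq '^([01][0-9]|2[0-3]):[0-5][0-9]$' || return 1
    echo "$days"  | grep -Eq '^[0-7]([,-][0-7])*$'             || return 1

    rule="FORWARD -s $ip -p tcp --dport $port -j REJECT"
    sh=${start%:*}; sm=${start#*:}; eh=${end%:*}; em=${end#*:}

    # Start: -C checks whether the rule is already present so a repeated run
    # does not stack duplicates; -I puts it at the head of the chain, ahead of
    # any rule that accepts established connections.
    printf '%d %d * * %s root %s -C %s 2>/dev/null || %s -I %s\n' \
        "${sm#0}" "${sh#0}" "$days" "$IPT" "$rule" "$IPT" "$rule"
    # End: remove exactly the rule that was inserted.
    printf '%d %d * * %s root %s -D %s\n' \
        "${em#0}" "${eh#0}" "$days" "$IPT" "$rule"
}

# Constructed schedule: the two example rules from the opening post.
schedule() {
    cron_lines 192.168.1.100 80 20:00 22:00 1-5   # port 80, 8pm-10pm Mon-Fri
    cron_lines 192.168.1.100 21 07:00 12:00 6     # port 21, 7am-12pm Sat
}

schedule
```

Cron only acts at the two boundary times, so a gateway that reboots inside a blocked period comes back up without the rule until the next start time.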
archie
08-11-2004, 11:44 PM
my main concerns are
msn messenger
&
http traffic
the rest dont matter
http traffic is obviously covered by squid.
msn only uses port 80 (http port) if its other ports are blocked, so you'll need a firewall rule separate to squid. this can be a pain if the firewall doesn't support time based rules.
you can set msn messenger to use a proxy so the rules would apply in this case, but it can be turned off by someone trying to get it working. :(
There are all kinds of options, but a sneaky way of doing this is to edit your hosts file to point the messenger server to the host with squid on it.
example:
mysquidhost is 192.168.1.6 (squid running port 80 for simplicity)
mywinxphost is 192.168.1.8
add the following entry in the host file of mywinxphost.
192.168.1.6 mysquidhost gateway.messenger.hotmail.com
depends on the age and determination of the person you are blocking as to which choice you make. A fully fledged firewall would obviously block all but port 80 requests for msn messenger, and these can be redirected to squid. The above options would be if you are finding it tough to install a firewall and want only basic filtering.
Squid with the rule I posted earlier (minus the ftp part), plus either a proxy setting in msn im or the host file alteration will do exactly what you want. You can always add cool things later.
:D
If you install squid on a box somewhere, I or some of the other linux gurus on this site can walk you through any config troubles.
archie
09-11-2004, 10:31 PM
cheers kal,
i shall look into this once exams are over in 5-6 days.. :)