
pf-bedtime

A pf configuration that enforces bedtime
git clone http://ratfactor.com/repos/pf-bedtime/pf-bedtime.git

pf-bedtime/bedtime


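#!/bin/ksh
#
# bedtime - manage the 'bedtime' pf anchor that cuts off LAN internet access.
#
# Usage:
#   bedtime enforce       load blocking rules into the anchor, kill states
#   bedtime lift          load a permissive rule into the anchor
#   bedtime update-table  reload <bedtime_exempt> from no_bedtime.txt
#   bedtime ls            show the <leased_ips> table
#   bedtime               show tables, anchor rules and a cheat sheet
#
# Exits non-zero when not run as root, on an unknown command, or when a
# pfctl call fails, so a cron job or doas wrapper can notice.
#
# Note: To make this handier to run, I've soft-linked it to a
# path-reachable location:
#
#   ln -s /home/dave/bedtime /usr/local/bin/
#

# Settings
# ==============================================================
ANCHOR='bedtime'                         # pf anchor whose rules get replaced
EXEMPT_TABLE='bedtime_exempt'            # pf table of hosts exempt from bedtime
LEASED_TABLE='leased_ips'                # pf table of dhcpd-leased addresses
EXEMPT_FILE='/home/dave/no_bedtime.txt'  # source list for <bedtime_exempt>
BEDTIME_NET='10.0.0.0/24'                # states in this network are killed on 'enforce'

# Print an error message to stderr and exit 1.
# Arguments: message words
die() {
  echo "$*" >&2
  exit 1
}

# Check for root
# ==============================================================
# pfctl needs root; refuse up front rather than fail part-way through.
effective_uid=$(id -u)
[[ $effective_uid -eq 0 ]] || die "Must be run as root! (Use doas.)"

case "$1" in

  # 'enforce' mode - Invoke bedtime to kill connections
  # ==============================================================
  enforce)
    echo "Goodnight clocks and goodnight socks."
    # Replace the rules at the anchor so only exempt hosts still pass.
    # Stop here if the load fails: killing states while the anchor
    # still holds its previous rules would just drop connections
    # without enforcing anything.
    echo "pass proto tcp from <$EXEMPT_TABLE>" \
      | pfctl -a "$ANCHOR" -f - \
      || die "pfctl: failed to load rules into anchor '$ANCHOR'"

    # We have to kill the state for established connections or
    # streaming services, etc. won't stop.
    #
    # Flushing the state table entirely (pfctl -F state) is too
    # extreme. Killing states by network is better, but will still
    # kill connections that were in the bedtime_exempt list.
    pfctl -k "$BEDTIME_NET" \
      || die "pfctl: failed to kill states for $BEDTIME_NET"

    # TODO: figure out match ... label for packets NOT
    # in self or <bedtime_exempt> and then kill by
    # label - see man pfctl (the "-k label" option)
    exit 0
    ;;

  # 'lift' mode - Allow traffic
  # ==============================================================
  lift)
    echo "Arise! Awaken!"
    # write the standard rule
    # (an earlier variant passed only dhcpd-leased addresses:
    #   pass proto tcp from <leased_ips>)
    echo "pass all" \
      | pfctl -a "$ANCHOR" -f - \
      || die "pfctl: failed to load rules into anchor '$ANCHOR'"
    exit 0
    ;;

  # 'update-table' - Re-load exemptions table from no_bedtime.txt
  # ==============================================================
  update-table)
    # Check readability first so a missing/unreadable list gives a clear
    # message instead of a pfctl parse error.
    [[ -r $EXEMPT_FILE ]] || die "Cannot read $EXEMPT_FILE"
    echo "Updating '$EXEMPT_TABLE' from $EXEMPT_FILE..."
    pfctl -t "$EXEMPT_TABLE" -T replace -f "$EXEMPT_FILE" \
      || die "pfctl: failed to replace table <$EXEMPT_TABLE>"
    exit 0
    ;;

  # 'ls' - Display list of <leased_ips>
  # ==============================================================
  ls)
    echo "Contents of <$LEASED_TABLE> table:"
    pfctl -t "$LEASED_TABLE" -T show \
      || die "pfctl: failed to show table <$LEASED_TABLE>"
    exit 0
    ;;

  # No argument: fall through to the status report below.
  '')
    ;;

  # A mistyped command must not silently succeed with a status dump.
  *)
    die "Unknown command '$1' (expected: enforce, lift, update-table, ls)"
    ;;
esac

# If none of the above, show useful info about 'bedtime'
# ==============================================================
LEASED=$(pfctl -t "$LEASED_TABLE" -T show | wc -l)
echo
echo "-----------------------------------------------------"
echo "Number of <$LEASED_TABLE> entries: $LEASED"
echo "Use 'bedtime ls' to list leased IPs."
echo "See also 'less /var/db/dhcpd.leases'"

echo
echo "<$EXEMPT_TABLE> table"
echo "To update:"
echo " * edit: ${EXEMPT_FILE##*/}"
echo " * run: bedtime update-table"
echo "-----------------------------------------------------"
pfctl -t "$EXEMPT_TABLE" -T show
echo "-----------------------------------------------------"

echo
echo "Current '$ANCHOR' anchor rules:"
echo "To change:"
echo " * bedtime enforce enact bedtime (no internet!)"
echo " * bedtime lift stop bedtime (internet back)"
echo "-----------------------------------------------------"
pfctl -a "$ANCHOR" -sr
echo "-----------------------------------------------------"
echo
echo "Other commands:"
echo " pfctl -sr show pf rules"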