Parental control - session continues after rule applied

I have made firewall rules that allow me to (in theory) limit my kid's access to the internet to some specific times. For example:

config rule
        option name 'Kids-SchoolDayEvening2Midnight'
        option weekdays 'Sun Mon Tue Wed Thu'
        option src 'lan'
        option stop_time '23:59:59'
        option dest 'wan'
        option target 'REJECT'
        list src_mac '***'
        list src_mac '***'
        >>>etc for all kid's devices
        option start_time '21:00:00'

and

config rule
        option name 'Kids-EveryDayMidnight2Morning'
        option src 'lan'
        option dest 'wan'
        option target 'REJECT'
        option weekdays 'Mon Tue Wed Thu Fri'
        option start_time '00:00:00'
        list src_mac '***'
        list src_mac '***'
        >>>etc for all kid's devices
        option stop_time '07:15:00'

My son has found that he can continue a session (Usually a Slack chat to his mates) well after the restrictions apply. My guess is that once a session is established there's some tunnel that means the comms don't trigger the MAC based REJECT rule. Is there anything I can do to make the internet stop for him when it's meant to?

I did toy with the idea of shutting down the WAN for an hour at bed-time, using ifup/ifdown from crontab, but I believe my ISP has optimisations running and frequent restarts would adversely affect performance/QoS.

The easy solution would be to add a second AP interface (ESSID)/ switch port and to shut those down hard after the cut-off.

Thanks SLH,

Wouldn't that affect everyone, not just the kids - same as my WAN idea?

Long ago I found that I had to reorder rules for this to work, and software offloading needs to be off; otherwise, once a connection gets established, the firewall rules don't break it when your rules trigger. For starters I would check if offloading is off.


Thanks Amteza

OK, I've enabled software offloading - now all I need to do is DuckDuckGo to see what that is/does :wink:

Your son has an already open tcp connection to Slack. In general the firewall rules apply to new connections as they are created. On the command line cat /proc/net/nf_conntrack will show you which connections are listed as already open.

Is your son on WiFi? If so then an option may be to very briefly turn off WiFi and then turn it back on. This will break the existing connection, and the firewall rule will then prevent reconnection.

I would tend to focus on LAN interventions, and leave your WAN connection running.

Another option is the conntrack package

conntrack --flush

will flush the firewall's knowledge of existing connections momentarily.

I am not totally sure if this will run on 21.02, but...


echo f > /proc/net/nf_conntrack (OpenWrt specific extension) should have the same effect as conntrack --flush, without the need to install an additional package.

A somewhat more blunt /etc/init.d/firewall restart (not reload) should have a similar effect. All established conntrack sessions will get flushed.

If you happen to know the current IPv4 addresses of your kids devices you could also selectively flush just their conntrack streams using echo 1.2.3.4 > /proc/net/nf_conntrack, where 1.2.3.4 is the IP address in question.

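Tying the selective flush above to the time-based rules, as an added example that is not from any poster in this thread: a script meant to run from root's crontab at each rule's start_time. It resolves the restricted MACs to their current IPv4 addresses from `ip neigh` and writes each address to /proc/net/nf_conntrack, so existing sessions are dropped the moment the REJECT rule starts applying. The MAC values, the RUN_FLUSH variable and the CONNTRACK_PROC override are placeholders and assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread: flush the conntrack entries of restricted
# devices when a time-based REJECT rule begins, so the rule bites immediately.
# Assumes OpenWrt, where writing an IPv4 address to /proc/net/nf_conntrack
# flushes that address's entries (as described in the thread).

KIDS_MACS="00:11:22:33:44:55 66:77:88:99:aa:bb"   # placeholder MACs, replace with yours
CONNTRACK_PROC="${CONNTRACK_PROC:-/proc/net/nf_conntrack}"  # overridable for testing

# Read `ip neigh` output on stdin and print the IPv4 address of every entry
# whose lladdr is in the MAC list given as $1. IPv6 neighbours are skipped
# and MAC comparison is case-insensitive.
kids_ips() {
    macs=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    awk -v macs="$macs" '
        BEGIN { n = split(macs, m, " "); for (i = 1; i <= n; i++) want[m[i]] = 1 }
        $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
            for (i = 1; i < NF; i++)
                if ($i == "lladdr" && (tolower($(i + 1)) in want)) { print $1; break }
        }'
}

# Flush the conntrack entries for one IPv4 address; returns non-zero on failure.
flush_ip() {
    echo "$1" > "$CONNTRACK_PROC"
}

# Resolve and flush every restricted device; prints how many addresses were flushed.
flush_kids() {
    count=0
    for ip in $(ip neigh show | kids_ips "$KIDS_MACS"); do
        flush_ip "$ip" && count=$((count + 1))
    done
    echo "$count"
}

# Cron entry (placeholder): 0 21 * * 0-4 RUN_FLUSH=1 /root/flush-kids.sh
if [ "${RUN_FLUSH:-0}" = 1 ]; then
    flush_kids
fi
```

Schedule one cron line per rule start time (21:00 and 00:00 for the rules quoted above), keeping the rule reordering and offloading settings from the Wiki in place as well.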

The idea was to move them on a dedicated 'kids' WLAN, most wireless (radio-) hardware does support 4 concurrent (V)AP interfaces (sharing the same channels, of course). That would allow you to move all restricted devices into the dedicated firewall zone, using a different ESSID/ PSK.


I was going to suggest exactly this, but then I tried it and conntrack seemed to know about the previous connections. I don't think this works

What @vgaetera pointed out, and what is reflected in the Wiki, is the way to go. Reordering the rules plus disabling Software Offloading works. This is how it works for me. As long as your time-based DROP/REJECT rules are before these ones:

ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED /* !fw3 */

It will work.


As an aside: You just need one firewall rule. It can go from 9pm to 7am, and the firewall will do the right thing even though it crosses midnight.


Should I schedule a firewall restart for every time-based rule - in order to apply the rule to existing connections?

Should I also do the reordering thing (from the wiki) at every reboot, or is it permanent?