Name: Anonymous 2012-09-05 4:53
My how time flies.
So I've been percolating an idea that would keep me off of sites like reddit, 4chan, facebook, the big time wasters, and here's what I came up with.
There are two main objectives to accomplish here:
1) There must be a way to make it so that I cannot change *certain* firewall rules.
2) There should be a way to change other rules for services I'm running and want to bring up/down (apache, ssh, remote deluge, remote DAAP for music, but really just ssh).
Here's what I'm considering:
First, set up a simple firewall box. Debian will do, low power hardware. I have that but don't really want to set it up. Really the only software that needs to be on there would be ssh, iptables, iptables-persistent. I forgot how to set up a transparent firewall where I don't need to worry about DHCP and subnet routing for port forwarding, but get all that working nice and transparent, and then test some rules.
Now there are two crucial configuration challenges that need to be met:
1) The enforcement of privileges via file permissions + attributes and sudoers that allows me to manipulate iptables but not defeat the strictures of #2
2) A cron job that (nearly) constantly checks the firewall rules and inserts the blocks to the specified domains.
So, I'm thinking #1 above is going to be enforced via sudoers, and a lack of root access. Obviously #2 will run as root through cron and involve a script. It seems at first glance that the easiest way to do this would be to chattr -i the /etc/iptables/rules.v4 file. Then any temporary changes made in a 5 or 1 minute span would be erased when the rules were restored. To mitigate this would be to diff the current rules with the baseline, and add any that are missing (back to rules.v4?) and reload them.
There's another detail here: a malicious user (me) could insert a rule as #1 (well, constantly I suppose, or at least just as the cron removes the change)... fuck that changes everything. I guess you really see the holes in a security program you design yourself.
Ugh, that adds some grumpy logic to the diffing script. Well, not really. Shit. It's just important that the blocked domains are always added to the first step of the INPUT chain to drop that domain. So, let me run some tests here. I need access to dis.4chan.org but no other domains. reddit and the ilk will be out too. So those are all -I's at the end of the rules file, with the allowed subdomain last.
This is taking too goddamn long, maybe if I just buy an iTampon my problems will be solved.
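The cron-side enforcer the post sketches (challenge #2), as an added example; this is not the poster's script. It assumes the FORWARD chain rather than INPUT, because on a bridging firewall box the LAN's traffic crosses FORWARD, and it assumes each enforced rule is tagged with "-m comment --comment enforced:<tag>" so it can be recognised again in `iptables -S` output after the hostnames have been resolved to addresses. The hostnames and the addresses in the tests are placeholders. The check walks the chain from the top and compares the sequence of tags with the enforced list; if anything sits above the block set, or a block is missing or out of order, every tagged rule is deleted in the form the kernel holds it and the set is re-inserted at position 1 in reverse order, which puts the first enforced rule back on top.

```bash
#!/bin/sh
# Added example (not the poster's code): keep a fixed block list at the head
# of an iptables chain. Run from root's crontab every minute as
#   /usr/local/sbin/enforce-blocks enforce
# Chain, tags and hostnames below are assumptions.
set -eu

CHAIN=${CHAIN:-FORWARD}

# Enforced rules, top of chain first: tag|match|target. The allow for the
# subdomain sits above the broad 4chan.org drop so it is evaluated first.
ENFORCED='allow-dis4chan|-d dis.4chan.org|ACCEPT
drop-4chan|-d 4chan.org|DROP
drop-reddit|-d reddit.com|DROP
drop-facebook|-d facebook.com|DROP'

# Print the enforced: tag carried by one `iptables -S` rule line, or "-" if
# the rule is untagged (iptables quotes the comment only if it has spaces).
rule_tag() {
  case $1 in
    *'--comment "enforced:'*) printf '%s\n' "$1" | sed 's/.*--comment "enforced:\([^"]*\)".*/\1/' ;;
    *'--comment enforced:'*)  printf '%s\n' "$1" | sed 's/.*--comment enforced:\([^ ]*\).*/\1/' ;;
    *) echo '-' ;;
  esac
}

# Read `iptables -S $CHAIN` on stdin and print the iptables commands that
# restore the head of the chain. Prints nothing when the chain already
# starts with the enforced rules in order; rules below them are left alone.
plan() {
  rules=$(grep "^-A $CHAIN " || true)

  # Collapse the chain into its sequence of tags, merging adjacent rules
  # with the same tag (a hostname with several A records yields several
  # rules for one tag).
  observed=
  prev=
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    tag=$(rule_tag "$line")
    [ "$tag" = "$prev" ] && continue
    observed="$observed$tag "
    prev=$tag
  done <<EOF
$rules
EOF

  expected=$(printf '%s\n' "$ENFORCED" | cut -d'|' -f1 | tr '\n' ' ')
  case $observed in
    "$expected"*) return 0 ;;   # compliant: nothing to do
  esac

  # Something sits above the block set, or it is missing or out of order.
  # Delete every tagged rule exactly as the kernel reports it, so the
  # resolved addresses are deleted rather than re-resolving the hostnames.
  printf '%s\n' "$rules" | grep -- '--comment "\{0,1\}enforced:' | sed 's/^-A /iptables -D /'

  # Re-insert at position 1 in reverse order: the first enforced rule is
  # inserted last and therefore ends up on top.
  printf '%s\n' "$ENFORCED" | sed '1!G;h;$!d' | while IFS='|' read -r tag match target; do
    echo "iptables -I $CHAIN 1 $match -m comment --comment enforced:$tag -j $target"
  done
}

# Apply the plan against the live ruleset (needs root).
enforce() {
  iptables -S "$CHAIN" | plan | sh -e
}

case ${1:-} in enforce) enforce ;; esac
```

The user account (challenge #1) only needs sudo for the iptables invocations that manage service ports, while this script runs from root's crontab; whatever that user inserts at position 1 is pushed below the block set on the next run, and the enforcer deletes its own tagged rules by their `-S` form, so it does not care how `-d hostname` resolved when they were inserted. Two caveats: `-d hostname` is resolved once at insertion time, so the list drifts as addresses change, and if dis.4chan.org shares an address with 4chan.org the ACCEPT on top lets all of it through, since packet filtering cannot tell subdomains apart once they are IPs.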