Time based ACL (access control list) features do not exist in BSD's packet filter (PF). Having your network "shut down" at certain times (for instance, allowing certain network ranges or specific IP addresses only during "business hours" or some other time range) can nevertheless be achieved with a simple PF table and a cronjob.
First, let's set up the PF table which will control the traffic. Add the following to your /etc/pf.conf:

# add time block table
table <time_block> { } persist

The persist flag keeps the table in the kernel even when no rule refers to it, so it can be filled and emptied from outside pf.conf without being removed.
Next, create a PF rule which blocks traffic from all entries in the time_block table:

# block all CIDR addresses in the time block table
block in quick log from <time_block> to any

The quick keyword makes this the final decision for matching packets (no later pass rule can override it), and log records the blocked packets on the pflog interface. Since the time_block table is still empty, no traffic is actually blocked yet.
The last thing to implement is periodically manipulating the time_block table. This can be done by creating two cronjobs:

- allow traffic at the beginning of "business hours"
- block traffic at the end of "business hours"

crontab -e

# Allow traffic
0 7 * * * /usr/local/scripts/allow_employees.sh > /dev/null 2>&1
# Block traffic
0 17 * * * /usr/local/scripts/block_employees.sh > /dev/null 2>&1

These entries fire every day of the week. If access should stay blocked over the weekend, run the allow job on weekdays only (0 7 * * 1-5); the Friday 17:00 block then holds until Monday morning.
The allow_employees.sh script will allow certain network ranges by ensuring those are removed from the time_block table (-Td is the abbreviated form of -T delete):

#!/bin/sh
/sbin/pfctl -Td -t time_block 10.1.0.0/24
/sbin/pfctl -Td -t time_block 10.2.0.0/24
The block_employees.sh script does the exact opposite: it adds the ranges to the time_block table (-Ta, short for -T add) so that their network access is blocked by the firewall:

#!/bin/sh
/sbin/pfctl -Ta -t time_block 10.1.0.0/24
/sbin/pfctl -Ta -t time_block 10.2.0.0/24

Keep in mind that PF is stateful: the block rule is evaluated when a state is created, so connections established before 17:00 keep flowing until they expire or are killed (pfctl -k 10.1.0.0/24 removes the states originating from that network). Also, table contents live only in the kernel, so after a reboot the table is empty and the ranges are allowed until the next block job runs.
Finally, deploy your new PF rules (first test them!):

pfctl -nf /etc/pf.conf
pfctl -f /etc/pf.conf

pfctl -nf parses the ruleset without loading it, so a syntax error shows up before the running configuration is touched.
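As an added example (not the original post's scripts), the two cron scripts above can be folded into one idempotent job that derives the wanted table state from the clock and then makes the kernel table match it. Run every few minutes and at boot, it also closes the gaps the two-script approach leaves: a reboot or ruleset reload outside business hours, and states that were established before closing time. The table name, ranges, hours, script path and the use of -T replace / -T flush / -k are assumptions for this example; adjust them to your ruleset.

```shell
#!/bin/sh
# time_acl.sh - keep the PF table <time_block> in sync with "business hours".
# Added example for this post, not its original scripts. Assumptions: the
# table is named time_block, the ranges below are the employee networks,
# business hours are Mon-Fri 07:00-16:59, and pfctl lives in /sbin.

TABLE="time_block"
RANGES="10.1.0.0/24 10.2.0.0/24"   # space separated, deliberately unquoted below
OPEN_HOUR=7                        # first hour (inclusive) traffic is allowed
CLOSE_HOUR=17                      # first hour (inclusive) traffic is blocked again
PFCTL="${PFCTL:-/sbin/pfctl}"      # override for testing on a box without PF

# in_business_hours HOUR WEEKDAY -> returns 0 when traffic should be allowed.
# WEEKDAY follows date(1) %u: 1 = Monday .. 7 = Sunday; weekends are closed.
in_business_hours() {
    hour=$1
    weekday=$2
    [ "$weekday" -le 5 ] || return 1
    [ "$hour" -ge "$OPEN_HOUR" ] && [ "$hour" -lt "$CLOSE_HOUR" ]
}

# desired_state HOUR WEEKDAY -> prints "allow" or "block"
desired_state() {
    if in_business_hours "$1" "$2"; then
        echo allow
    else
        echo block
    fi
}

# apply_state allow|block -> make the kernel table match the wanted state.
apply_state() {
    case "$1" in
    allow)
        # -T flush empties the table, so packets from the ranges pass again.
        "$PFCTL" -q -t "$TABLE" -T flush
        ;;
    block)
        # -T replace sets the table to exactly these ranges. Unlike -T add it
        # is idempotent, so running the job every few minutes is harmless.
        "$PFCTL" -q -t "$TABLE" -T replace $RANGES
        # The block rule only stops new states; kill the existing ones that
        # originate from the ranges so sessions opened before closing time
        # do not keep flowing.
        for net in $RANGES; do
            "$PFCTL" -q -k "$net"
        done
        ;;
    *)
        echo "usage: $0 apply" >&2
        return 2
        ;;
    esac
}

# Only touch PF when explicitly asked, so the file can also be sourced.
case "${1:-}" in
apply)
    hour=$(date +%H)
    hour=${hour#0}                 # "07" -> 7 so the comparisons stay decimal
    weekday=$(date +%u)
    apply_state "$(desired_state "$hour" "$weekday")"
    ;;
esac
```

With this in place a single crontab entry replaces the two scheduled scripts, for example `*/5 * * * * /usr/local/scripts/time_acl.sh apply > /dev/null 2>&1` plus `@reboot /usr/local/scripts/time_acl.sh apply` (both Vixie-style cron extensions supported by the BSD crons); the worst case after a reboot or reload is then five minutes of unintended access rather than the rest of the night. Setting PFCTL=echo lets you dry-run the script on a machine without PF.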