Page device_filtering: revision 2022/11/28 14:32 (created by rs232) compared with revision 2023/05/24 21:38 (current, edited by hogwild: [Block devices via script/scheduler] capitalize Scheduler).
====== Block devices via script/Scheduler ======

The easiest way to filter WiFi devices is to use the [[basic-wfilter|Wireless Filter]] menu. However, there are times when you want to block specific devices via a script. This is particularly true when you need to manage device blocking

  * For a bridged environment (Media-bridge/Ethernet-bridge/FreshTomato-FreshTomato via Ethernet) you will need **ebtables**.
  * For a router environment you will need **iptables**.

Given a MAC address you want to control:

===== ebtables =====

# Block\\
''/

# Unblock\\
''/

# Flush (unblock all the defined references at once)\\
''/

NOTE: you might have additional ebtables in your system, so **be very careful** about flushing the full ebtable.
===== iptables =====

# Block Internet access (or any intra-VLAN)\\
''/

# Block any network\\
''/

# Unblock (reverse) whatever command was issued by replacing "-I" with "-D", e.g.\\
''/

# Flush\\
''
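A small POSIX shell helper, added here as an example and not part of this wiki page, that composes the block/unblock pattern above (insert with ''-I'', remove the same rule with ''-D'') for both the bridged (ebtables) and routed (iptables) cases, validating the MAC address before it touches the firewall. The chain names (ebtables INPUT, iptables FORWARD) and the exact match syntax are assumptions; adapt them to the rules you actually use.

```shell
#!/bin/sh
# Added example (not the wiki's own script): build and run the block/unblock
# rule for one MAC address. Chain names and match syntax are assumptions.
# Set DRY_RUN=1 to print the command instead of executing it.

# valid_mac MAC -> returns 0 if MAC is six colon-separated hex pairs, else 1
valid_mac() {
    printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# rule_cmd MODE ACTION MAC -> prints the firewall command line
#   MODE   bridge (ebtables) | router (iptables)
#   ACTION block (-I) | unblock (-D): unblock is the same rule with -I swapped for -D
rule_cmd() {
    mode=$1 action=$2 mac=$3
    case $action in
        block)   flag=-I ;;
        unblock) flag=-D ;;
        *) echo "unknown action: $action" >&2; return 1 ;;
    esac
    case $mode in
        bridge) printf 'ebtables %s INPUT -s %s -j DROP\n' "$flag" "$mac" ;;
        router) printf 'iptables %s FORWARD -m mac --mac-source %s -j DROP\n' "$flag" "$mac" ;;
        *) echo "unknown mode: $mode" >&2; return 1 ;;
    esac
}

# apply MODE ACTION MAC -> validates the MAC, then runs (or prints) the rule
apply() {
    valid_mac "$3" || { echo "invalid MAC address: $3" >&2; return 1; }
    cmd=$(rule_cmd "$1" "$2" "$3") || return 1
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$cmd"
    else
        $cmd
    fi
}

# Usage from a Scheduler job, e.g.:  apply bridge block 00:11:22:33:44:55
# and later:                          apply bridge unblock 00:11:22:33:44:55
```

The example MAC above is a constructed placeholder; the router mode needs root and an iptables with the mac match module available.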
These days, blocking MAC addresses can be a tedious task. Many client devices use a MAC randomization function.

For dealing with this, one alternative is to filter using hostnames.

For example:

# Block\\
''

# Unblock\\
''

Still, the hostname is resolved into an IP address by the kernel. A device with a randomized MAC address will obtain a new IP address when reconnecting. This might function well, but only until the user restarts the phone or simply disconnects/reconnects.

If you were very security conscious, you could trigger a "

For WiFi devices, perhaps the best way to limit access is to make them connect to a dedicated SSID, and enable/