This shows you the differences between two versions of the page.
Both sides previous revisionPrevious revisionNext revision | Previous revision | ||
device_filtering [2023/05/24 21:38] – [Block devices via script/scheduler] - Capitalize Scheduler hogwild | device_filtering [2025/03/03 18:09] (current) – [Notes] -condense hogwild | ||
---|---|---|---|
Line 1: | Line 1: | ||
====== Block devices via script/ | ====== Block devices via script/ | ||
- | The easiest way to filter WiFi devices is to use the [[basic-wfilter|Wireless Filter]] menu. However, there are times when you want to block specific devices via a script. This is particularly | + | The easiest way to filter WiFi devices is to use the [[basic-wfilter|Wireless Filter]] menu. However, there are times you want to block specific devices via a script. This is especially |
- | | + | \\ |
- | * For a routed environment (single router), you will use // | + | |
+ | | ||
+ | |||
+ | \\ | ||
+ | |||
+ | * For a routed environment (single router), you must use // | ||
\\ | \\ | ||
- | Given a MAC address you want to control, such as: '' | + | Given a MAC address you wish to control, such as: "AA: |
Line 23: | Line 28: | ||
# Flush (unblock all the defined references at once)\\ | # Flush (unblock all the defined references at once)\\ | ||
- | NOTE: you might have additional ebtables in your system so **be very careful** about flushing the full ebtable. | + | NOTE: There might be additional ebtables in your system so **be careful** about flushing the full ebtable. |
===== iptables ===== | ===== iptables ===== | ||
- | # Block Internet access (or any intra-vlan)\\ | + | # Block Internet access (or any intra-vlan):\\ ''/ |
\\ | \\ | ||
- | # Block any network activity, | + | # Block any network activity, |
\\ | \\ | ||
- | # Unblock (reverse) whatever command was issued by replacing " | + | # Unblock (reverse) whatever command was issued by replacing " |
\\ | \\ | ||
- | # Flush\\ | + | # Flush\\ |
\\ | \\ | ||
- | These days, blocking MAC addresses | + | \\ |
+ | |||
+ | These days, many devices use MAC randomization which can make blocking MAC addresses tedious. MAC addresses can " | ||
- | For dealing with this, one alternative | + | To help manage |
\\ | \\ | ||
Line 52: | Line 59: | ||
For example:\\ | For example:\\ | ||
- | # Block\\ | + | # Block:\\ '' |
\\ | \\ | ||
- | # Unblock\\ | + | # Unblock:\\ '' |
\\ | \\ | ||
- | Still, the hostname is resolved into an IP address by the kernel. A device with a randomized MAC address will obtain a new IP address when reconnecting. This might function well, but only until the user restarts the device or just manually disconnects/ | ||
- | If you were very security conscious, you could trigger a " | + | ===== Notes ===== |
- | For WiFi devices, perhaps the best way to limit access is to make them connect to a dedicated SSID, and enable/ | + | The kernel still resolves the hostname to an IP address. A device with randomized MAC address will obtain a new IP address when reconnecting. This may function well, but only until the user restarts the device or manually disconnects WiFi. |
+ | |||
+ | If you're security conscious, you could trigger a " | ||
+ | |||
+ | For WiFi devices, perhaps the best way to limit access is to make them connect to a dedicated SSID, and enable/ | ||
+ | |||
+ | \\ | ||