device_filtering

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision
Previous revision
device_filtering [2023/05/24 21:38] – [Block devices via script/scheduler] - Capitalize Scheduler hogwild
device_filtering [2025/03/03 18:09] (current) – [Notes] -condense hogwild
Line 1: Line 1:
 ====== Block devices via script/Scheduler ====== ====== Block devices via script/Scheduler ======
  
-The easiest way to filter WiFi devices is to use the [[basic-wfilter|Wireless Filter]] menu. However, there are times when you want to block specific devices via a script. This is particularly true when you need to manage device blocking for a lot of devices. Scripting also allows you to schedule blocking/filtering on or off, as needed.+The easiest way to filter WiFi devices is to use the [[basic-wfilter|Wireless Filter]] menu. However, there are times you want to block specific devices via a script. This is especially true when you need to manage device blocking for many devices. Scripting also lets you schedule blocking/filtering on or off, as needed.
  
-  * For a bridged environment (Media-bridge/Ethernet-bridge/FreshTomato-FreshTomato via Ethernet) you will need //ebtables.// + \\ 
-  * For a routed environment (single router), you will use //iptables//.+ 
 +  * For a bridged environment (Media Bridge mode, \\ Ethernet Bridge mode or switched LAN) you use //ebtables.// 
 + 
 + \\ 
 + 
 +  * For a routed environment (single router), you must use //iptables//.
  
  \\  \\
  
-Given a MAC address you want to control, such as: ''AA:BB:CC:DD:EE:FF'' you can filter in two ways:+Given a MAC address you wish to control, such as: "AA:BB:CC:DD:EE:FFyou can filter in two ways:
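Review bot: the rewritten MAC-address sentence on the last line of this hunk has lost the closing quote and the space before "you" (it now reads ''"AA:BB:CC:DD:EE:FFyou can filter''); the previous revision's monospace form also matched how the commands further down render addresses, so suggest restoring ''''AA:BB:CC:DD:EE:FF'' you can filter in two ways:''. The bare '' \\ '' lines added above and below the bridged-environment bullet will render as stray line breaks between the two list items rather than as part of either; the two bullets read fine without them.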
  
  
Line 23: Line 28:
 # Flush (unblock all the defined references at once)\\  ''/usr/sbin/ebtables -F''\\  \\ # Flush (unblock all the defined references at once)\\  ''/usr/sbin/ebtables -F''\\  \\
  
- NOTE: you might have additional ebtables in your system so **be very careful** about flushing the full ebtable.+NOTE: There might be additional ebtables in your system so **be careful** about flushing the full ebtable.
  
  
 ===== iptables ===== ===== iptables =====
  
-# Block Internet access (or any intra-vlan)\\  ''/sbin/iptables -I **FORWARD** -m mac --mac-source AA:BB:DD:EE:FF -j DROP''+# Block Internet access (or any intra-vlan):\\  ''/sbin/iptables -I **FORWARD** -m mac --mac-source AA:BB:DD:EE:FF -j DROP''
  
  \\  \\
  
-# Block any network activity, including services provided by the router (e.g. minidlna/webserver/mysql)\\  ''/sbin/iptables -I **INPUT** -m mac --mac-source AA:BB:CC:DD:EE:FF -j DROP''+# Block any network activity, even services provided by the router (minidlna/webserver):\\  ''/sbin/iptables -I **INPUT** -m mac --mac-source AA:BB:CC:DD:EE:FF -j DROP''
  
  \\  \\
  
-# Unblock (reverse) whatever command was issued by replacing "-I" with "-D" :\\  ''/sbin/iptables -D FORWARD -m mac --mac-source AA:BB:CC:DD:EE:FF -j DROP''+# Unblock (reverse) whatever command was issued by replacing "-I" with "-D":\\  ''/sbin/iptables -D FORWARD -m mac --mac-source AA:BB:CC:DD:EE:FF -j DROP''
  
  \\  \\
  
-# Flush\\  ''You don't do that for iptables '':-)'' instead, reboot the device''+# Flush\\  You don't do that for iptables. Reboot the device instead.
  
  \\  \\
  
-These days, blocking MAC addresses can  be tedious task. Many client devices use a MAC randomization function. MAC addresses can "change" freqeently.+ \\ 
 + 
 +These days, many devices use MAC randomization which can make blocking MAC addresses tedious. MAC addresses can "change" frequently.
  
-For dealing with this, one alternative is to filter using hostnames.+To help manage this, one option is to filter using hostnames.
  
  \\  \\
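Review bot: the FORWARD example in this hunk (''/sbin/iptables -I FORWARD -m mac --mac-source AA:BB:DD:EE:FF -j DROP'') carries only five octets on both sides of the diff; the mac match requires a full six-octet address, so iptables rejects the rule with a bad-address error and the device is never blocked. Suggest ''AA:BB:CC:DD:EE:FF'', as already used in the INPUT and -D examples in the same hunk. The ebtables flush caution is worth keeping; the iptables "Flush" entry would benefit from one sentence giving the same reason for recommending a reboot, namely that the firmware's own FORWARD and INPUT rules would be flushed along with yours.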
Line 52: Line 59:
 For example:\\ For example:\\
  
-# Block\\  ''iptables -I FORWARD -s iphone-julie -j DROP''+# Block:\\  ''iptables -I FORWARD -s iphone-julie -j DROP''
  
  \\  \\
  
-# Unblock\\  ''iptables -D FORWARD -s iphone-julie -j DROP''+# Unblock:\\  ''iptables -D FORWARD -s iphone-julie -j DROP''
  
  \\  \\
  
-Still, the hostname is resolved into an IP address by the kernel. A device with a randomized MAC address will obtain a new IP address when reconnecting. This might function well, but only until the user restarts the device or just manually disconnects/reconnects WiFi. 
  
-If you were very security conscious, you could trigger a "service wireless restart" for each new client connecting, but that would be disruptive to the network in general.+===== Notes =====
  
-For WiFi devices, perhaps the best way to limit access is to make them connect to a dedicated SSID, and enable/disable that SSID as needed. For more details about this approach, see this HOWTO: [[toggle_radio|Turning on/off radio elements from script]].+The kernel still resolves the hostname to an IP address. A device with randomized MAC address will obtain a new IP address when reconnecting. This may function well, but only until the user restarts the device or manually disconnects WiFi. 
 + 
 +If you're security conscious, you could trigger a "service wireless restart" for each new client connecting, but that would be disruptive to the general network. 
 + 
 +For WiFi devices, perhaps the best way to limit access is to make them connect to a dedicated SSID, and enable/disable that SSID as needed. For details about this approach, see the HOWTO: [[toggle_radio|Turning on/off radio elements from script]]. 
 + 
 + \\
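Review bot: the first paragraph under Notes (both sides of the diff) attributes hostname resolution to the kernel, but iptables resolves ''iphone-julie'' in userspace when the rule is inserted and stores only the resulting IP address; the kernel never sees the name. The conclusion stands (a reconnect with a fresh IP silently escapes the DROP), but suggest wording it as "iptables resolves the hostname to an IP address when the rule is added". A sentence on the unblock side would also help: ''iptables -D FORWARD -s iphone-julie -j DROP'' only removes the rule if the name still resolves to the same address as when it was inserted; after the device has taken a new lease the delete fails and the stale DROP for the old IP stays in the chain, where it can later match whichever client inherits that address. Listing the chain with ''iptables -L FORWARD -n'' before and after each change is the quick check for leftover rules.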
  
  
device_filtering.1684960708.txt.gz · Last modified: 2023/05/24 21:38 by hogwild