My home network observes bedtime with OpenBSD and pf
This post dives deep into configuring OpenBSD's pf firewall to enforce a 'bedtime' internet cutoff for a home network. It showcases a highly granular, technical solution to a common household challenge, appealing to those who appreciate robust, DIY system administration. The author details using dynamic IP tables, rule anchors, and state table manipulation to achieve precise control over device access.
The Lowdown
The author, an OpenBSD enthusiast, details how they constructed a home network gateway using OpenBSD and its pf packet filter to enforce internet 'bedtime' rules for devices. This setup leverages pf's powerful capabilities to dynamically control network access, ensuring that only specific, exempt devices remain online during designated hours, a practical application for managing family screen time.
- Core pf philosophy: The system defaults to "block all" traffic, then selectively passes approved connections, ensuring a secure baseline.
- Dynamic Rule Switching: Two primary rulesets are used: a 'daytime' rule allowing all <leased_ips> and a 'bedtime' rule restricting access to only <bedtime_exempt> IPs.
- IP Address Tables: <leased_ips> is automatically populated by dhcpd for all active devices, while <bedtime_exempt> is a manually maintained list of devices allowed during bedtime, loaded via pfctl.
- Protocol Handling: Initial setup primarily focuses on TCP, with UDP/ICMP handled strictly, though the author notes real-world adjustments were needed for applications like Discord and Roblox.
- Anchor-based Rule Management: pf anchors are used to dynamically swap entire sets of firewall rules on the fly without requiring a full pf reload, crucial for seamless bedtime transitions.
- Killing Active Connections: A significant challenge was terminating existing connections (e.g., streaming video) when bedtime rules activate. The solution involves using pfctl to kill relevant active connections, though a more granular approach (killing only non-exempt connections) proved difficult.
- System Cohesion: The author praises OpenBSD's integrated design, noting how dhcpd and pfctl seamlessly interact with pf's table system, embodying the 'Unix Philosophy'.
- Automation: All these components are integrated into a shell script to automate the bedtime enforcement process.
This detailed guide provides a robust, OpenBSD-centric method for implementing granular network access control, offering a powerful alternative to consumer-grade parental control features for technically-inclined users.