pfSense Intervention

Have you ever wasted too much time online? Right, so posting this on my blog imparts some selection bias to the answers to that question. But have you really wasted time to the point of not getting work done, or letting other things fall by the wayside? Some people call this Internet addiction, some people say there’s no such thing (mostly Ivory Tower types who can’t even distinguish between a blog and an MMORPG). Some people are just feeling depressed about it. Regardless, this isn’t the BFC Psychology Weblog – let’s get some computers to help us out here.

I wrote previously about good experiences with my pfSense firewall; today we’re going to use some of the new 1.2 features to get us back to work. We’re going to block some sites that sing their siren song to us, calling like the blue light inside the bug zapper. I’ll use four that friends have suggested.

Now, it’s simply no good to just cut off your access to these sites. The goal here is to get you back to work, not to make it so that you have to go find a way around an all-encompassing block to get your fix. So, we’re going to block access to problem sites during parts of the day when you think you ought not be accessing them.

To implement this we need to break down the problem into two parts:

  1. What do we want to block?
  2. When do we want to block it?

For the sake of this exercise, we’re going to use these values:

  1. Slashdot, MacRumors, Technocrat, AppleInsider
  2. work hours (8AM-5PM) and late nights (8PM-6AM)

Tailor to fit your needs.

This tutorial assumes you already have pfSense set up. There are good resources to teach you how to do that. Go find one now if you just have a pile of hardware and a CD for pfSense.

Everything we need to do for this tutorial will be found under the ‘Firewall’ menu:

[screenshot: pfSense Firewall menu]

To encode the first question (“What do we want to block?”), we’re going to make an alias. Select ‘Aliases’ from the menu and hit the ‘+’ icon to make a new one. You’ll see a screen that looks like this:

[screenshot: Aliases screen]

Give it a useful name for use in other screens. Here it’s called ‘timesucks’. You can add a verbose description, but most importantly, add all of your hosts. You’ll need to specify each one by IP address (hostname entries aren’t a feature yet in this version of pfSense) – use the ‘host’ command at your command line if you need to figure out the IP addresses of sites you want to control. If ‘host’ returns several addresses for a site, add all of them, or the block will only work some of the time. Add as many as you need and click ‘Save’, then ‘Apply’ at the top of the screen. Every time you make a change in this tutorial and Save, you’ll have to Apply. I’ll leave that out in future steps for the sake of brevity.

Now, we need to encode the ‘when’ of our blocks. Go back to the Firewall menu and click on ‘Schedules’ and add a new one. It’ll look like this:

[screenshot: Schedules screen]

Pick a name (‘work_hours’ on mine) and give it some prose, then hop down to the calendar. Even though it looks like this is only the August calendar, if you click on, e.g., ‘Mon’ at the top of the calendar, it will apply to all Mondays from now till eternity. So, for the work-a-day schedule, click on each of Mon-Fri and enter a start time of 8:00 and an end time of 16:59. Click the ‘Add Time’ button and it’ll show up in the ‘Configured Ranges’ list. Then we can add the next one.

Now, the requirements call for a late-night block as well. 8PM to 6AM crosses midnight and is hard to encode directly, so we’ll break it down into an 8PM-11:59PM block and a 12AM-5:59AM block. Since we’re not really concerned with the weekend here, the morning blocks go on the regular Monday-Friday days, but the night block goes on Sunday-Thursday, i.e. the evening before each work day. It took me a couple passes to parse that – think it over and adjust to your needs. Now, Save and Apply.

OK, so we’ve defined the what and the when; now we need to tell pfSense to do something with our criteria. From the Firewall menu again, add a Rule. We need the rule to go on our LAN tab:

[screenshot: pfSense Rules tabs]

because pfSense looks at all traffic from the perspective of “what interface am I going to see the packets coming in on?”. We’re going to block our requests to these sites, so pfSense will see HTTP GET requests from the LAN if we fall off the wagon. Now, create the rule on the LAN tab like this:

[screenshot: rule definition]

The criteria, for this simple case, are:

  1. Reject the traffic
  2. from the LAN
  3. TCP connections
  4. source is any
  5. any OS
  6. Destination – select host or alias and put in the name of your alias, ‘timesucks’ in the example
  7. leave the Destination ports as any/any
  8. No need for any of the advanced options
  9. now, select the schedule you created, ‘work_hours’, in this case
  10. leave the gateway default (you know if you need something special here)
  11. and give it a descriptive name for future reference.

Now, Save and Apply. You’re done. Back up your config file for safekeeping.
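Because the alias and the schedule are the two pieces that are easy to get subtly wrong (a site with several addresses, a night block that has to be split at midnight and shifted a day), here is an added example, not part of the original post and not pfSense code, that models exactly the ‘timesucks’ alias and ‘work_hours’ schedule described above so you can check them before committing the config. The ‘host’ output and the addresses in it are constructed samples; the day/time ranges are the ones from the tutorial.

```python
"""Model of the 'work_hours' schedule and 'timesucks' alias from the tutorial.

Added example, not pfSense code. It lets you check which timestamps the
reject rule would be live for, and turns `host` output into the IPv4 list
the alias needs (every A record, not just the first).
"""
import re
from datetime import datetime, time

# Day numbers follow datetime.weekday(): Monday=0 ... Sunday=6.
MON, TUE, WED, THU, FRI, SAT, SUN = range(7)
WEEKDAYS = {MON, TUE, WED, THU, FRI}
SUN_TO_THU = {SUN, MON, TUE, WED, THU}

# Each range is (days, start, end), inclusive to the minute, the way the
# pfSense schedule editor takes them. The 8PM-6AM block is split at midnight
# as the text describes, and the before-midnight half sits on Sunday-Thursday
# so that it pairs with the after-midnight half on Monday-Friday.
WORK_HOURS = [
    (WEEKDAYS,   time(8, 0),  time(16, 59)),  # office hours
    (SUN_TO_THU, time(20, 0), time(23, 59)),  # late night, before midnight
    (WEEKDAYS,   time(0, 0),  time(5, 59)),   # late night, after midnight
]


def schedule_active(when: datetime, ranges=WORK_HOURS) -> bool:
    """True if the schedule covers `when`, i.e. the reject rule is live."""
    day = when.weekday()
    # pfSense ranges are minute-granular: 16:59:30 still falls inside 8:00-16:59.
    t = when.time().replace(second=0, microsecond=0)
    return any(day in days and start <= t <= end for days, start, end in ranges)


def blocked_at(stamp: str) -> bool:
    """Convenience wrapper: `stamp` is 'YYYY-MM-DD HH:MM' in local time."""
    return schedule_active(datetime.strptime(stamp, "%Y-%m-%d %H:%M"))


# `host example.com` prints one line per record. Only "has address" lines
# carry IPv4 addresses; alias, MX and "has IPv6 address" lines are skipped.
HOST_A_RECORD = re.compile(r"^(\S+) has address (\d{1,3}(?:\.\d{1,3}){3})$")


def alias_hosts_from_host_output(output: str) -> list[str]:
    """Return every IPv4 address in `host` output, deduplicated, in order.

    A site that answers with several A records needs all of them in the
    alias, otherwise the rule only matches some of the connections.
    """
    seen: list[str] = []
    for line in output.splitlines():
        m = HOST_A_RECORD.match(line.strip())
        if m and m.group(2) not in seen:
            seen.append(m.group(2))
    return seen


# Constructed sample of what `host` prints for two sites; hostnames and
# addresses are made up (documentation ranges), not real lookups.
SAMPLE_HOST_OUTPUT = """\
slashdot.example has address 192.0.2.10
slashdot.example has address 192.0.2.11
slashdot.example has IPv6 address 2001:db8::10
slashdot.example mail is handled by 10 mail.slashdot.example.
www.macrumors.example is an alias for macrumors.example.
macrumors.example has address 198.51.100.7
"""


if __name__ == "__main__":
    print("alias 'timesucks':", alias_hosts_from_host_output(SAMPLE_HOST_OUTPUT))
    # August 2008 dates: the 4th is a Monday, the 9th a Saturday, the 10th a Sunday.
    for stamp in ("2008-08-04 09:30", "2008-08-04 17:00", "2008-08-10 22:00",
                  "2008-08-09 22:00", "2008-08-11 03:00", "2008-08-09 03:00"):
        d = datetime.strptime(stamp, "%Y-%m-%d %H:%M")
        print(stamp, d.strftime("%a"), "blocked" if schedule_active(d) else "allowed")
```

Run it and compare the printed verdicts with what you expect from the ‘Configured Ranges’ list; the Friday-night and Saturday-morning cases are the ones that show why the night block lives on Sunday-Thursday rather than Monday-Friday.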

If you’re like me, you might notice yourself accidentally browsing to one of these sites or following a link to it when you ought to be working. Your browser will tell you, in a grumpy way, that it can’t connect to the host (it won’t say it can’t find the host, since we’re only blocking TCP and DNS runs over UDP, so your DNS cache won’t get hosed).

And, since you can’t get to your favorite timesuck site right now (save it for the quitting bell), you’ll get back to work.

Or posting to your blog…