pfSense Intervention

Have you ever wasted too much time online? Right, so posting this on my blog imparts some selection bias to the answers to that question. But have you really wasted time to the point of not getting work done, or letting other things fall by the wayside? Some people call this Internet addiction, some people say there’s no such thing (mostly Ivory Tower types who can’t even distinguish between a blog and an MMORPG). Some people are just feeling depressed about it. Regardless, this isn’t the BFC Psychology Weblog – let’s get some computers to help us out here.

I wrote previously about good experiences with my pfSense firewall, today we’re going to use some of the new 1.2 features to get us back to work. We’re going to block some sites that sing their siren song to us, calling like the blue light inside the bug zapper. I’ll use four that friends have suggested.

Now, it’s simply no good to just cut off your access to these sites. The goal here is to get you back to work, not to make it so that you have to go find a way around an all-encompassing block to get your fix. So, we’re going to block access to problem sites during parts of the day when you think you ought not be accessing them.

To implement this we need to break down the problem into two parts:

  1. What do we want to block?
  2. When do we want to block it?

For the sake of this exercise, we’re going to use these values:

  1. Slashdot, MacRumors, Technocrat, AppleInsider
  2. work hours (8AM-5PM) and late nights (8PM-6AM)

Tailor to fit your needs.

This tutorial assumes you already have pfSense setup. There are good resources to teach you how to do that. Go find one now if you just have a pile of hardware and a CD for pfSense.

Everything we need to do for this tutorial will be found under the ‘Firewall’ menu:

pfsense menu

To encode the first question (“What do we want to block”?), we’re going to make an alias. Select ‘Aliases’ from the menu and hit the ‘+’ icon to make a new one. You’ll see a screen that looks like this:

aliases screen

Give it a useful name for use in other screens. Here it’s called ‘timesucks’. You can add a verbose description, but most importantly, add all of your hosts. You’ll need to specify each one by IP address (hostname aliases aren’t a feature yet in this version of pfSense) – use the ‘host’ command at your command line if you need to figure out the IP addresses of sites you want to control. Add as many as you need and click ‘Save’, then ‘Apply’ at the top of the screen. Every time you make a change in this tutorial and Save, you’ll have to Apply. I’ll leave that out in future steps for the sake of brevity.

Now, we need to encode the ‘when’ of our blocks. Go back to the Firewall menu and click on ‘Schedules’ and add a new one. It’ll look like this:

schedule screen

Pick a name (‘work_hours’ on mine) and give it some prose, then hop down to the calendar. Even though it looks like this is only the August calendar, if you click on, e.g., ‘Mon’ at the top of the calendar, it will apply to all Mondays from now until eternity. So, for the work-a-day schedule, click on each of Mon-Fri and enter a start time of 8:00 and an end time of 16:59. Click the ‘Add Time’ button and it’ll show up in the ‘Configured Ranges’ list. Then we can add the next one.

Now, the requirements call for a late-night block as well. 8PM to 6AM is hard to encode directly, so we’ll break that down into an 8PM-11:59PM block and a 12AM-5:59AM block. Since we’re not really concerned with the weekend here, the morning blocks go on the regular Monday-Friday days, but the night block goes on Sunday-Thursday. It took me a couple passes to parse that – think it over and adjust to your needs. Now, Save and Apply.

OK, then: we’ve defined the what and the when, so now we need to tell pfSense to do something with our criteria. So, from the Firewall menu again, add a Rule. We need the rule to go on our LAN tab:

pfsense rules tabs

because pfSense looks at all traffic from the perspective of “what interface am I going to see the packets coming in on?”. We’re going to block our requests to these sites, so pfSense will see HTTP GET requests from the LAN if we fall off the wagon. Now, create the rule on the LAN tab like this:

rule definition

The criteria, for this simple case, are:

  1. Reject the traffic
  2. from the LAN
  3. TCP connections
  4. source is any
  5. any OS
  6. Destination – select host or alias and put in the name of your alias, ‘timesucks’ in the example
  7. leave the Destination ports as any/any
  8. No need for any of the advanced options
  9. now, select the schedule you created, ‘work_hours’, in this case
  10. leave the gateway default (you know if you need something special here)
  11. and give it a descriptive name for future reference.

Now, Save and Apply. You’re done. Back up your config file for safe keeping.

If you’re like me, you might notice yourself accidentally browsing to one of these sites or following a link to it when you ought to be working. Your browser will tell you, in a grumpy way, that it can’t connect to the host (it won’t tell you that it can’t find the host, since we’re only blocking TCP, and DNS is UDP, so your DNS cache won’t get hosed).

And, since you can’t get to your favorite timesuck site right now (save it for the quitting bell), you’ll get back to work.

Or posting to your blog…
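The Sunday-Thursday night / Monday-Friday morning split is easy to get wrong in the Schedules screen, so here is a small Python model of it. This is an added example, not code from the post or from pfSense: it encodes the three ‘Configured Ranges’ rows and the LAN reject rule as described above, and the ‘timesucks’ alias holds constructed TEST-NET addresses rather than the sites’ real IPs.

```python
from datetime import datetime, time

# Python weekday(): Monday=0 ... Sunday=6
MON, TUE, WED, THU, FRI, SAT, SUN = range(7)
WEEKDAYS = {MON, TUE, WED, THU, FRI}       # Mon-Fri
SCHOOL_NIGHTS = {SUN, MON, TUE, WED, THU}  # Sun-Thu: the nights before a work day

# One entry per row in the 'Configured Ranges' list: (days, start, end).
# The end is inclusive to the minute, matching how the tutorial enters
# them (8:00-16:59 rather than 8:00-17:00).
WORK_HOURS = [
    (WEEKDAYS, time(8, 0), time(16, 59)),        # work day
    (SCHOOL_NIGHTS, time(20, 0), time(23, 59)),  # late night, first half
    (WEEKDAYS, time(0, 0), time(5, 59)),         # late night, second half
]

# Constructed stand-in for the 'timesucks' alias; the post uses the real
# addresses from the 'host' command. 192.0.2.0/24 is TEST-NET-1.
TIMESUCKS = {"192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13"}


def schedule_active(when: datetime, ranges=WORK_HOURS) -> bool:
    """True if any configured range covers this weekday and minute."""
    minute = when.time().replace(second=0, microsecond=0)
    return any(
        when.weekday() in days and start <= minute <= end
        for days, start, end in ranges
    )


def rule_rejects(dst_ip: str, proto: str, when: datetime) -> bool:
    """Mirror the LAN rule: reject TCP to the alias while the schedule is on.
    UDP is not matched, which is why DNS lookups keep working."""
    return proto == "tcp" and dst_ip in TIMESUCKS and schedule_active(when)


def blocked_hours_per_day(ranges=WORK_HOURS) -> dict:
    """Hours the rule is active on each weekday; eyeball the Sun-Thu night /
    Mon-Fri morning split here before clicking it into the GUI."""
    names = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]
    per_day = dict.fromkeys(names, 0)
    for day, name in enumerate(names):
        for days, start, end in ranges:
            if day in days:
                first = start.hour * 60 + start.minute
                last = end.hour * 60 + end.minute + 1   # inclusive end
                per_day[name] += (last - first) // 60
    return per_day
```

Calling `blocked_hours_per_day()` shows 19 hours blocked Monday to Thursday, 15 on Friday, none on Saturday and 4 on Sunday night, which is what the post’s schedule intends.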

7 thoughts on “pfSense Intervention”

  1. http://www.pfsense.com/~simoncpu/

    **** THE PROOF THAT pfSense IS EVIL ****

    P F S E N S E
    16 6 19 5 14 19 5 – as numbers
    7 6 1 5 5 1 5 – digits added
    _/ _/ _/ _/ _________/
    7 6 1 5 2 – digits added

    Thus, “pfSense” is 76152.

    Turn the number backwards, and add 6 – the smallest perfect number. The number is now 25173.

    Turn the number backwards, subtract 1887 – the year Erwin Schrödinger, known for hatred to all furry animals and heresy, was born. The number is now 35265.

    Turn the number backwards, divide by 3 – the symbol of fulfillment. The number is now 18751.

    Add 4591 to it – this is the year when the first FORTRAN computer program was executed, written backwards – you will get 23342.

    Subtract 111, the only triplet that can ever be prime. The result will be 23231.

    Write 1889 backwards. Translate it to octal – this will give you 23231. Thus, 23231 stands for 1889, the year Adolf Hitler was born.

    You get the picture. QED.

  2. Hmmm…very interesting. It would be great to be able to redirect those requests to an HTML page stored somewhere…say on the pfSense itself. Could we possibly obtain the same objective or add another feature by creating DNS overrides of sites to point to a local page? This will assume the pfSense is handling DNS requests. You could have a page saying ACCESS DENIED, you are accessing a prohibited site…per section 10.5 of the company agreement you signed. Your employment is terminated effective now!……………………time to go to bed.

  3. If you want to show an access denied page you might want to run your own DNS server and have it as the root server. Then point, say, *.slashdot.org to 192.168.2.50 (or some other server) and have a simple PHP script that says tisk tisk tisk and sends you an e-mail with the IP and date/time of when it happened.

  4. One problem – there’s always something else to waste time on with the net…. so your block lists could grow to massive sizes. Consider the opposite method – a white list during work hours.

    Of course the best solution is to transparently proxy all requests through a web cache like squid and to run a validator like ufdbGuard or Dansguardian to filter based on rules….. however true geeks don’t work their best when being leaned on like this. (ssh tunnel to home to circumvent….)

  5. Bill McGonigle

    Jim – it’s in the title – there aren’t engines that ignore titles for semantics, are there?