Question

I am looking for a way to restrict Internet access for specified periods of time that I decide on so that I, the admin, cannot access the internet during the restricted time period, and that I also cannot override this in any way even though I am the admin, except by formatting my hard disk and reinstalling my OS.

I am not looking for reversible methods like a browser add-on or parental controls (I'm the admin) or router changes (I do not own the router). I want something at the level of the OS, something that requires administrator privileges (of course something like this cannot be done other than by an admin), and something irreversible.

I would be grateful and very happy to adopt any way of reaching my goal.

Solution

First, let's clear up a misconception...

I am looking for a way to restrict ... that I decide on so that I, the admin, cannot access ... and that I also cannot override this in any way even though I am the admin...that requires administrator privileges (of course something like this cannot be done other than by an admin), and something irreversible.

In other words, can you (as an admin) modify the OS to prevent an activity that another admin cannot circumvent?

No. Anything one admin can do, another can undo.

That's not to say that you can't make it very difficult to do the "undoing." So, here's a short recipe using the built-in firewall, pf, to achieve a relatively good bit of what you're trying to accomplish.

Use pf to "disable" your Internet

The meat and potatoes of blocking your Internet access is pf, so we'll look at that here.

Block Internet Access

You can block all of your Internet access with a really simple rule set. So, assuming the pf rules are set in the file ~/pf/pf_block_all.conf, just set the following two lines:

block in all
block out all

You can then "break" your Internet with a simple command that enables pf and specifies the custom rule set:

$ sudo pfctl -e -f ~/pf/pf_block_all.conf

When you're ready to have Internet again, just disable pf:

$ sudo pfctl -d

(Go ahead, try this out to see how it blocks the Internet).

Running the launchd plist

You would want to run this as a LaunchDaemon because then it will execute as root and you wouldn't need sudo to execute it. You would need two plists run at certain intervals: one to enable and another to disable pf. This post goes into detail on how to achieve this.

Blocking access to pfctl

To remove your ability to just type in sudo pfctl ..., you will need to remove (well, at least make it difficult to use) the permission to execute it. In the /etc/sudoers file you can exclude a program with the following entry:

Tim ALL = ALL, !/sbin/pfctl

That will prevent you from executing pfctl, but there are workarounds to this. See the link above.
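
The two scheduled jobs described under "Running the launchd plist", as an added example that is not part of the original answer: a shell function that prints a LaunchDaemon plist running /sbin/pfctl daily at a given time. The labels local.pf.block and local.pf.unblock, the 22:00/07:00 schedule and the rule path /etc/pf_block_all.conf are assumptions.

```shell
#!/bin/sh
# Added example: print a LaunchDaemon plist that runs /sbin/pfctl daily.
# Labels, schedule and rule-file path below are assumptions.

# pf_plist LABEL HOUR MINUTE PFCTL_ARG...
pf_plist() {
    [ "$#" -ge 4 ] || { echo "usage: pf_plist LABEL HOUR MINUTE ARG..." >&2; return 2; }
    label=$1 hour=$2 minute=$3
    shift 3
    # Refuse a malformed time rather than emit a job that never fires.
    for n in "$hour" "$minute"; do
        case $n in ''|*[!0-9]*) echo "pf_plist: bad time" >&2; return 1 ;; esac
    done
    [ "$hour" -le 23 ] && [ "$minute" -le 59 ] || { echo "pf_plist: bad time" >&2; return 1; }
    # launchd executes ProgramArguments directly, with no shell: one <string>
    # per argument, absolute paths only (a leading ~ is not expanded).
    args=
    for a in /sbin/pfctl "$@"; do
        a=$(printf '%s' "$a" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g')
        args="$args        <string>$a</string>
"
    done
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>$label</string>
    <key>ProgramArguments</key>
    <array>
${args}    </array>
    <key>StartCalendarInterval</key>
    <dict>
        <key>Hour</key>
        <integer>$hour</integer>
        <key>Minute</key>
        <integer>$minute</integer>
    </dict>
</dict>
</plist>
EOF
}

# Constructed schedule: block at 22:00, restore at 07:00 (stdout only here;
# installed copies belong in /Library/LaunchDaemons, owned by root).
pf_plist local.pf.block 22 0 -e -f /etc/pf_block_all.conf
pf_plist local.pf.unblock 7 0 -d
```

An admin can still unload or delete these jobs, so this raises the effort of undoing the block rather than making it irreversible.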

Other suggestions

No, there’s no irreversible way. At the extreme, an admin could always just reinstall macOS from scratch, or change the system clock so that the blackout period expires early. You’d need a firmware option to disable the network hardware for a specific period of time, and an unchangeable firmware clock, and such things do not exist.

Licensed under: CC-BY-SA with attribution
Not affiliated with apple.stackexchange