Irreversible way to block Internet access on Mac for certain periods of time
Domanda
I am looking for a way to restrict Internet access for specified periods of time that I decide on so that I, the admin, cannot access the internet during the restricted time period, and that I also cannot override this in any way even though I am the admin, except by formatting my hard disk and reinstalling my OS.
I am not looking for reversible methods like a browser add-on or parental controls (I'm the admin) or router changes (I do not own the router). I want something at the level of the OS, something that requires administrator privileges (of course something like this cannot be done other than by an admin), and something irreversible.
I would be grateful and very happy to adopt any way of reaching my goal.
Soluzione
First, let's clear up a misconception....
I am looking for a way to restrict ... that I decide on so that I, the admin, cannot access ... and that I also cannot override this in any way even though I am the admin...that requires administrator privileges (of course something like this cannot be done other than by an admin), and something irreversible.
In other words, can you (as an admin) modify the OS to prevent an activity that another admin cannot circumvent?
No. Anything one admin can do, another can undo.
That's not to say that you can't make it very difficult to do the "undoing." So, here's a short recipe using the built-in firewall, pf
to achieve a relatively good bit of what you're trying to accomplish.
Use pf
to "disable" your Internet
- create your own
pf.conf
firewall ruleset that blocks all Internet traffic - Create a
launchd
plist that enables/disablespf
at certain times of the day. - Block your
sudo
access topfctl
by modifying yoursudoers
file.
The meat and potatoes to blocking your Internet access is pf
so, we'll look at that here.
Block Internet Access
You can block all of your Internet access with a really simple rule set. So, assuming the pf rule are set in the file ~/pf/pf_block_all.conf
, just set the following two lines:
block in all
block out all
You can then "break" your Internet with the simple command by enabling pf
and specifying the custom rule set.
$ sudo pfctl -e -f ~/pf/pf_block_all.conf
When you're ready to have Internet again, just disable pf
$ sudo pfctl -d
(Go ahead, try this out to see how it blocks the Internet).
Running the launchd
plist
You would want to run this as a LaunchDaemon because then, it will execute as root
and you wouldn't need the sudo
function to execute. You would need two plists run at certain intervals; one to enable and another to disable pf
. This post goes into detail on how to achieve this.
Blocking access to pfctl
To remove the ability of you just typing in sudo pfctl ....
you will need to remove (well, at least make it difficult) permission to execute. In the /etc/sudoers
file you can exclude a program with the following entry:
Tim ALL = ALL, !/sbin/pfctl
That will prevent you from executing pfctl
, but there are workarounds to this. See the link above.
Altri suggerimenti
No, there’s no irreversible way. At the extreme, an admin could always just reinstall macOS from scratch, or change the system clock so that the blackout period expires early. You’d need a firmware option to disable the network hardware for a specific period of time, and an unchangeable firmware clock, and such things do not exist.