Netgate Discussion Forum

    Firewall Rule Schedule

      sullrich

      I use pfSense in a lot of locations and so do my clients.  Not one needs this feature so I don't think the demand is as far fetched as some would want you to think.

      Keep rolling on what you're rolling on… It's touching a lot more people than time based rules would.

        yoda715

        I on the other hand do have clients that use this feature in other commercial firewalls, and use it a lot. I would eventually like to see my clients switching to pfsense, but until other things along with this feature are implemented it won't happen. I may consider offering a bounty soon for this feature.

          sullrich

          @yoda715:

          I on the other hand do have clients that use this feature in other commercial firewalls, and use it a lot. I would eventually like to see my clients switching to pfsense, but until other things along with this feature are implemented it won't happen. I may consider offering a bounty soon for this feature.

          Yes, a bounty is about the only way I see this making it into the system. It really is no thrills and doesn't really give anyone satisfaction of working on something 'cool' unfortunately.

            sai

            @yoda715:

            I on the other hand do have clients that use this feature in other commercial firewalls, and use it a lot. I would eventually like to see my clients switching to pfsense, but until other things along with this feature are implemented it won't happen. I may consider offering a bounty soon for this feature.

            What commercial firewalls have time based rules?

            sai

              yoda715

              Sonicwalls, Watchguards, and Checkpoint. Also the new pix version 7.2 I believe supports time based rules.

                lovingHDTV

                I too am interested in this type of a feature. My bro-in-law and I are just trying to get this to work, as I want to limit my children's access to the internet to "normal" hours. Here is our idea/progress.

                We want to be able to set a begin and end time for each rule. We plan on using the enable button to effect the change. Upon the creation/modification for a rule we will create a new crontab file, if the begin/end times are blank, then nothing is written to the crontab file for that rule. If they are filled in then entries in the crontab will be created for each begin/end time. This way we don't have to poll, just refresh the webpage at the given times in the rules table.

                Status:

                Add two columns to the firewall rules sheet to specify the begin/end times per rule (done)
                Modify the web page so that the enable sets itself properly according to the times set for the rule (done)
                Write a crontab file containing all the start/stop times. (done)

                What we have left to do is to get cron to read the crontab and refresh the webpage. For testing we did this from an XP machine, to refresh the webpage and see that the rule enable is set properly. This method requires you to log in every time. Any suggestions on how to get this to work from a cron run and to get past the login authentication without leaving a huge security hole? When this last piece is done, it will be working.

                Suggestions welcome for this last piece or comments if we have done something completely wrong.

                thanks,

                  yoda715

                  Sounds like you've made a lot of progress. I'm not sure if you have this implemented already, but one important feature about this schedule stuff is the days factor. There needs to be a way to specify what days as well as what time on the schedule.

                    jeroen234

                    @lovingHDTV:

                    I too am interested in this type of a feature. My bro-in-law and I are just trying to get this to work, as I want to limit my children's access to the internet to "normal" hours. Here is our idea/progress.

                    Suggestions welcome for this last piece or comments if we have done something completely wrong.

                    thanks,

                    maybe freeradius and pfsense captive portal can help you

                    Login-Time defines the time span a user may login to the system. The format of a so-called time string is like the format used by UUCP. A time string may be a list of simple time strings separated by "|" or ",".

                    Each simple time string must begin with a day definition. That can be just one day, multiple days, or a range of days separated by a hyphen. A day is Mo, Tu, We, Th, Fr, Sa or Su, or Wk for Mo-Fr. "Any" or "Al" means all days.

                    After that a range of hours follows in hhmm-hhmm format. For example:

                    "Wk2305-0855,Sa,Su2305-1655"

                    radiusd calculates the number of seconds left in the time span, and sets the Session-Timeout to that number of seconds. So if someone's Login-Time is "Al0800-1800" and she logs in at 17:30, Session-Timeout is set to 1800 seconds so that she is kicked off at 18:00.

                    liza Password == "lizaspassword", Auth-Type := Local, Login-Time := "Al1600-2200"

                    lets liza with password lizaspassword through the pfsense captive portal every day between 16:00 and 22:00

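The Login-Time format and Session-Timeout calculation quoted in the post above, as an added sketch that is not part of the thread and is not FreeRADIUS's own code. It assumes a token without hours (the `Sa` in the quoted example) covers the whole day, that a range whose end is earlier than its start wraps past midnight within the same listed day, and that the end minute is exclusive; the function names are hypothetical.

```python
import re
from datetime import datetime
DAYS = ["Mo", "Tu", "We", "Th", "Fr", "Sa", "Su"]  # index == datetime.weekday()
GROUPS = {"Wk": range(5), "Any": range(7), "Al": range(7)}
D = "|".join(DAYS)
DAY = re.compile(rf"(Wk|Any|Al|{D})(?:-({D}))?")
TOKEN = re.compile(rf"(?P<days>(?:{DAY.pattern})+)(?:(?P<a>\d{{4}})-(?P<b>\d{{4}}))?")
WEEK = 7 * 1440  # minutes in a week

def _hhmm(s):
    h, m = int(s[:2]), int(s[2:])
    if h > 23 or m > 59:
        raise ValueError(f"bad hhmm value: {s}")
    return h * 60 + m

def _days(spec):
    """Expand a day definition such as 'Wk', 'Sa' or 'Mo-We' to weekday indexes."""
    out = set()
    for first, last in DAY.findall(spec):
        if first in GROUPS:
            out.update(GROUPS[first])
        else:
            a, b = DAYS.index(first), DAYS.index(last or first)
            out.update((a + i) % 7 for i in range((b - a) % 7 + 1))
    return out

def parse_login_time(timestr):
    """Return the set of allowed minutes of the week (0 = Monday 00:00)."""
    allowed = set()
    for tok in re.split(r"[|,]", timestr):
        m = TOKEN.fullmatch(tok.strip())
        if not m:
            raise ValueError(f"bad simple time string: {tok!r}")
        # assumption: a token without hours covers the whole day
        start, end = (_hhmm(m["a"]), _hhmm(m["b"])) if m["a"] else (0, 1440)
        # assumption: end <= start wraps past midnight within the same listed day
        mins = range(start, end) if start < end else [*range(start, 1440), *range(end)]
        for d in _days(m["days"]):
            allowed.update(d * 1440 + x for x in mins)
    return allowed

def session_timeout(timestr, now):
    """Seconds left in the allowed span at `now`, or None if login is refused."""
    allowed = parse_login_time(timestr)
    cur = now.weekday() * 1440 + now.hour * 60 + now.minute
    if cur not in allowed:
        return None
    # count consecutive allowed minutes from now (end minute is exclusive)
    left = next(i for i in range(WEEK + 1) if i == WEEK or (cur + i) % WEEK not in allowed)
    return left * 60 - now.second
```

A schedule that denies nothing returns a full week of seconds rather than an unlimited session, so a caller would cap or special-case that value.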
                      lovingHDTV

                      Wow, interesting suggestion. Looks like I have a lot of learning to do. Would you happen to have a pointer to some documentation on Radius and captive portal within pfsense? Not a biggie if you don't, I'll look around the captive portal forum anyway.

                      thanks,

                        hoba

                        There are some tutorials about captive portal at our tutorial section: http://pfsense.com/index.php?id=36

                          lovingHDTV

                          I tried those links but none of them work.  They just hang and never actually load anything.  I tried the NCSA and the untouchables.  Do you know of one that actually works?

                          thanks,

                            hoba

                            All of them work. You need flash as they are movies.

                              lovingHDTV

                              I have flash as other websites with flash work, and I don't get any prompting saying I need to download macromedia. Not sure what is wrong. I just get a blank square with a click to activate dialog. After clicking it just hangs. If I disable flash, then I don't get the click to update dialog.

                              thanks anyway,

                                yoda715

                                They work for me. Are you using Firefox or IE?

                                  lovingHDTV

                                  IE

                                    yoda715

                                    Try Firefox. Works for me under it, and it's the best browser there is ;).

                                      khuetam

                                      @lovingHDTV:

                                      I too am interested in this type of a feature. My bro-in-law and I are just trying to get this to work, as I want to limit my children's access to the internet to "normal" hours. Here is our idea/progress.

                                      We want to be able to set a begin and end time for each rule. We plan on using the enable button to effect the change. Upon the creation/modification for a rule we will create a new crontab file, if the begin/end times are blank, then nothing is written to the crontab file for that rule. If they are filled in then entries in the crontab will be created for each begin/end time. This way we don't have to poll, just refresh the webpage at the given times in the rules table.

                                      Status:

                                      Add two columns to the firewall rules sheet to specify the begin/end times per rule (done)
                                      Modify the web page so that the enable sets itself properly according to the times set for the rule (done)
                                      Write a crontab file containing all the start/stop times. (done)

                                      What we have left to do is to get cron to read the crontab and refresh the webpage. For testing we did this from an XP machine, to refresh the webpage and see that the rule enable is set properly. This method requires you to log in every time. Any suggestions on how to get this to work from a cron run and to get past the login authentication without leaving a huge security hole? When this last piece is done, it will be working.

                                      Suggestions welcome for this last piece or comments if we have done something completely wrong.

                                      thanks,

                                      For this purpose, you can use IPCop with URL Filter add on.
                                      I used IPCop for this purpose.
                                      And my IPCop is behind pfsense, which supports multi-wan function.

                                        podilarius

                                        I use time based rules in a Juniper/Netscreen Firewall for a few reasons. I cannot use captive portal because I am not limiting just port 80, I have programs that use other ports and are unattended. But I am also limiting bandwidth per rule also. So that during business hours the firewall throttles to a lower bandwidth than during the night for those ports. Aren't online backups fun.

                                        Instead of refreshing some web page have your cron job either modify and apply /tmp/rules.debug or directly change the running rules at the times you specify.

                                        It would be nice, but that would mean that traffic shaper would have to be used per rule and also have scheduling.
                                        I am not holding my breath on this feature set. :P

                                        pfSense is a good firewall and I use it in most places.

                                          yoda715

                                          I am working on this right now for HEAD version. I'll keep you posted on how my progress goes and when it will be available in releng.
