{Complete} Timebased Rules

heiko

Scott,
it is a very simple test.

My first test: I create a rule with icmp path to the wan!
2.) i ping- all is OK
3.) i disable the rule, and the ping replys
4.) i delete the rule, and the ping replys
5.) after the delete of the "one" rule, new ping replys and replys

So, before i test a rule with a schedule, at first a i test the normal behaviour….

Please duplicate!

sullrich

I cannot duplicate this.  The firewall works as it should without schedules, in fact, we didn't modify the PF rules at all so if an item does not have a schedule then nothing has changed on the backend.

If you are speaking of a rule having an issue with a schedule please run ipfw show from the shell and show what the rules look like.

heiko

I will test it, i´am disappointed

sullrich

Why are you disappointed?

heiko

no comment, i will test it

sullrich

I think our language barriers are getting in the way.  Is there someone out there that can help translate?

heiko

Scott,
i think we are finished the project.
Thank you for the the great coding.
heiko

sullrich

I am confused, so everything works okay?

heiko

No, i think it is not working, but you work very well, but i want not a conflict..

sullrich

Nobody is creating a conflict.  I just cannot duplicate the problem..

When I permit or deny ICMP traffic on the WAN interface it stops as it should.

heiko

OK, then it is vmware problem, i think

sullrich

Do you speak german?  Please join #pfsenseDE on FreeNODE.

sullrich

I have a feeling that I know what you are testing.

Is this what you did?

ping the wan ip from a client continually (-t on windows)
add icmp allow rule on wan tab
client can now ping the wan
remove the wan icmp rule and apply
client can still ping firewall (pf state exists, you must ctrl-c and ping again or clear states)

Where I think the confusion is that I had to do some ipfw mastery to override the pf rules for schedules.  And that is the reason why ICMP will be blocked correctly on a schedule.  PF rules themselves have not changed so if a state already exists and you remove the rule that session will remain active until it closes or you clear the states on the firewall.

heiko

Scott,

that´s it. COMPLETELY

sullrich

Good deal.  Do you understand now why it works that way?  It has always worked that way due to it being a stateful firewall.

In terms of the cosmetic GUI issues, we will look into them.

But at this point is the system working for you?  I really need to get 1.2 tagged in CVS and begin the 1.2 beta engineering process.

heiko

Boh Scott,
yes i do, but we can i test this completley out with schedules on a rule?

sullrich

Yes, please test and let me know when you are happy with it.

heiko

a new snapshot?

sullrich

Sure, that will work.  There have been no commits for atleast 9+ hours.

heiko

Hm? but i will test it