Timebased rules
-
PS… you will lock yourself out of the firewall as long as the block rule is active. You can't even access pfsense to administer while active so don't test this on your admin pc. ;)
Do you have the "Disable webGUI anti-lockout rule" box checked on the Advanced page? If not, this is a bug in the time based rules that needs to be fixed. You should never be able to lock yourself out of the webGUI unless this box is checked.
-
@cmb:
Do you have the "Disable webGUI anti-lockout rule" box checked on the Advanced page? If not, this is a bug in the time based rules that needs to be fixed. You should never be able to lock yourself out of the webGUI unless this box is checked.
I think it's not a bug: you can't access pfSense at all from the blocked PC while the rule is active. I only meant not to block the PC you use to admin.
-
Normally there is a special rule that makes sure that can never happen.
If it does, and you did not disable that rule,
then it's a big bug.
-
To be able to shut down already established connections we had to set ipfw on top of pf. My bet is we don't install the anti-lockout rule for ipfw, as we only parse the visible rules in the webGUI. So if you block to any port 80 destination and your webGUI runs on port 80, you will lock yourself out. Create a rule on top of this "block to any port 80" rule that still allows access to the GUI as destination IP. I guess then it will work. If that's the case, we just need to make ipfw aware of the webGUI anti-lockout rule.
-
Hmmh, tonight I will duplicate this test too and post the outcomes…
-
I did a format, downloaded the official ISO, downloaded the newest snapshot and re-installed tonight. Still can't get the schedules to block/unblock internet access. :'( Any ideas?
-
Works for me. Take some screenshots of your rules and schedule, then post them here.
-
-
Can you post a screenshot of the first schedule page, firewall_schedule.php, thanks.
-
-
OK, I've confirmed it's not "killing" the states properly.
-
I think I'm having the same problems. I've set up the timebased rules and they are showing up as being active at the proper times when I look at the Firewall:Rules page (e.g., I've got a block rule for my wireless subnet that is showing up as being active at the proper time). However, the wireless subnet is not actually blocked at the time.
Here's what I did:
1. Prior to 7:30 am set up a timebased rule to block access to/from the wireless subnet from 7:30 am to 7:45 am. At this time (prior to 7:30 am) the wireless subnet has access (confirmed via ping to yahoo.com).
2. After 7:30 am check firewall:rules page and confirm that the timebased rule is active… it is. Attempt ping from wireless subnet to yahoo.com... still have connectivity.
3. From the firewall:rules page open up the edit page for the wireless subnet block rule having the associated 7:30 to 7:45 schedule. Don't make any changes but save and apply the rule "change". Attempt ping to yahoo.com. Now there is no longer connectivity which is the proper/desired state.
4. After 7:45 (when the timebased rule should no longer be active) I go through similar steps and see that I have the same problems in reverse. I.e., even though the firewall:rules page shows the rule as no longer active, the wireless subnet connectivity is still blocked. I have to "edit" the firewall rule, save it, and apply it for the timebased rule to be truly no longer active.
I am using the pfSense-Full-And-Embedded-Update-1.2-BETA-1-TESTING-SNAPSHOT-05-14-2007 snapshot.
Thanks!
-
Hi,
I have duplicated your test, but for me it works as it should.
1.) Block rule –> schedule 18:30 to 18:45 --> any to yahoo.com --> at 18:30 it blocks all to yahoo.com, no ping
2.) At 18:45 the block rule is outside the schedule and the ping replies!
-
Nope… still not working for me. I rebooted the firewall and tried it again. At 14:45 the block rule schedule started and I can still ping yahoo.com. I have to open the block rule and save it so that the system prompts me to apply the "change", and then the rule takes effect. The schedule doesn't appear to change the state itself. Nothing shows up in the system log other than the "check_reload_status: reloading filter" from applying the change.
-
Just tried booting from the most recent ISO using my config settings saved on a floppy rather than my hard drive installation which has been upgraded multiple times with squid, snort, etc. installed and uninstalled multiple times. Thought this might help eliminate some potential problems.
Still didn't work booting from the CD. Same behavior as before.
Strange and too bad, since this is a feature I would really like to use!
-
Works here like a charm… sorry...
-
Any suggestions for how I might begin tracking down where the problem might be?
Any help would be appreciated!
Thanks.
-
Maybe you could do the same test on lan.
http://pfsense.hotserv.dk/dd.htm
-
Is it possible that my installation is not automatically reloading the rules every 15 minutes (check_reload_status?)? How could I confirm this?
Everything looks fine in the GUI as far as the block rules being enabled/disabled at the proper times per the schedule, etc… yet the scheduled rules aren't actually being enabled/disabled unless I do so manually. I've confirmed this by resetting the states and seeing that the block rules don't work automatically per the schedule (even though they are shown as enabled) but do work if I've manually reloaded the rules.
P.S. I've also gone through my config.xml file to try to find any obvious corruption. I did remove sections for packages that I had previously installed but later uninstalled but that was it. That didn't take care of my problem though.
Thanks again for any help you can provide!
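One way to confirm the kind of mismatch described in this post, as an added example that is not from the thread or from pfSense itself: a small Python check that works out which scheduled rules should be active at a given clock time and compares that with the rule labels actually present in a loaded ruleset listing. The schedule entries and the ruleset text are constructed samples; matching on `label "..."` is an assumption about how the loaded rules are listed (pf's `pfctl -sr` prints labelled rules in that form) and is not taken from the page.

```python
import re

# Constructed sample schedules mirroring the thread: label -> (start, end) as "HH:MM".
SCHEDULES = {
    "block-wireless-morning": ("07:30", "07:45"),
    "block-yahoo-evening": ("18:30", "18:45"),
}

# Constructed sample of a loaded ruleset listing (shape assumed, in the style of
# pfctl -sr output); only the second rule is a scheduled one.
SAMPLE_RULESET = """\
pass in quick on em0 inet from 192.168.1.0/24 to any keep state label "lan-to-any"
block in quick on em1 inet from 192.168.2.0/24 to any label "block-wireless-morning"
"""

def to_minutes(hhmm):
    """'07:30' -> 450 minutes since midnight."""
    h, m = hhmm.split(":")
    return int(h) * 60 + int(m)

def should_be_active(now, start, end):
    """True when now lies inside [start, end); a window crossing midnight wraps."""
    n, s, e = (to_minutes(t) for t in (now, start, end))
    if s <= e:
        return s <= n < e
    return n >= s or n < e

def labels_in_ruleset(listing):
    """Collect the rule labels that appear in a ruleset listing."""
    return set(re.findall(r'label "([^"]+)"', listing))

def find_drift(now, schedules, loaded_labels):
    """Return (missing, stale): scheduled rules that should be loaded but are not,
    and rules still loaded although their schedule window is over."""
    missing, stale = [], []
    for label, (start, end) in schedules.items():
        expected = should_be_active(now, start, end)
        present = label in loaded_labels
        if expected and not present:
            missing.append(label)
        elif present and not expected:
            stale.append(label)
    return sorted(missing), sorted(stale)

if __name__ == "__main__":
    loaded = labels_in_ruleset(SAMPLE_RULESET)
    for now in ("07:35", "07:50", "18:35"):
        print(now, find_drift(now, SCHEDULES, loaded))
```

This only checks whether the rule is present in the loaded ruleset; connections established before a block rule became active (the state-killing problem noted earlier in the thread) have to be inspected separately.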
-
The following from the {Complete} Timebased Rules thread appears to describe what I am experiencing…
Hello,
sorry for the misunderstandings about the fw states. I have tested it with two schedules, because (Scott's posting) the first schedule becomes active only after a reboot.
1.) I created two schedules
2.) I created one rule to permit ICMP to WAN with one schedule (active 12:45 to 13:00)
3.) At 12:45, sorry, nothing happens, no ping replies; at 12:51 I edited and saved the schedule manually a second time, and it rocks, hm
4.) The same behaviour if I edited and saved the ICMP rule a second time.
5.) At 13:00 nothing happens; at 13:10 I edited and saved the schedule a second time manually, and the ping is killed directly