Netgate Discussion Forum

Firewall schedule - terminating existing sessions

Firewalling
  • E
    erintech
    last edited by Dec 2, 2011, 4:03 PM

    Hi

    The ability to use a schedule with a firewall rule is fantastic, and works perfectly well in testing when browsing different websites. So I can set a rule with a schedule which blocks access after a certain time (kids' bedtime!).

    I understand that this doesn't work instantly for existing sessions (e.g. streaming video, iPlayer) and that a cron job runs every 15 minutes to remove old sessions.

    I assume it must be this one:

    0,15,30,45 * * * * root /etc/rc.filter_configure_sync

    Can anyone comment on whether it would cause problems if I made this more frequent? e.g. every 5 minutes (0,5,10,15…)

    Also: how can I monitor cron jobs, or find the logs? (FreeBSD is somewhat different from the Linux I am used to)

    Many thanks,

    • W
      wpanic
      last edited by Dec 20, 2011, 3:18 AM

      Hi All… Dovetailing off of erintech's question, I'm having trouble clearing in-flight, existing sessions with the schedules I've created. I want to be able to cut my kids' Xbox and Skype sessions off at a predefined time on school nights, but any in-session connection stays up after the timed firewall schedule rule comes due. (NOTE: The rules do block any NEW session started after the rule schedule time, so I can assume the rules are fashioned correctly and operate as intended.)

      I've watched the schedules engage in the firewall rules, but they do not block any existing session. I've tried a manual filter reload with no joy. The only thing that does work is resetting the states.

      I've tried to find out how to make this work, and searching the forum reveals posts saying that firewall schedules should terminate existing sessions and others saying that one has to add a mirrored rule (one passing traffic) just before the blocking rule…. Quite confusing.

      Do I simply have to have more patience and let the CRON job do its work? (as noted in erintech's post). In that case, if the CRON job runs every 15 minutes, shouldn't one have to subtract 15 mins from any schedule in order to have a truly valid schedule? This seems specious at best..... counter-intuitive and antithetical to an otherwise well-designed firewall.

      Can anyone elaborate on this and provide a solid answer as to how I can ensure the rule will cut off existing sessions?

      Thanks!!

      • W
        wpanic
        last edited by Jan 5, 2012, 3:25 AM

        Welllll… I'll take the lack of response to my question as meaning either the question is too difficult or too stupid...

        In any case, I have tried, unsuccessfully, to have the firewall kill/terminate existing sessions, to no avail. I have actually made two schedules, one "on" and one "off", and assigned a pass and a block rule to each respectively. While both show proper activity states when the time slot arrives, the firewall will still not kill existing streams...

        Can anyone provide more insight and a solution??

        • P
          podilarius
          last edited by Jan 5, 2012, 3:44 AM

          I am looking for the same thing. One thing I have going is that I have a DHCP reservation for my kids' device. I think I can create a cron job that will kill all states matching the IP at schedule time +1 minute. At least I think it should be possible.

          I am going to try the inverse method to see if that will work.

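The "kill states matching the IP at schedule time +1 minute" idea in the post above, written out as an added example; this is not pfSense code and not podilarius's script. It assumes a pfSense/FreeBSD box with `pfctl` in PATH, uses a constructed placeholder address (192.168.1.50) in place of the real DHCP reservation, and uses `pfctl -k` in the two forms the pfctl manual documents: `-k HOST` for states originating from the host and `-k 0.0.0.0/0 -k HOST` for states destined to it. The cron minute values in the comment are placeholders to be matched to your own schedule. The `count_host_states` helper gives you the check the thread is missing: run it after the schedule flips to confirm nothing is left rather than assuming.

```shell
#!/bin/sh
# Added example for this thread (not pfSense code): a cron-driven state kill for
# one scheduled host, plus a check of which states the host still holds.
# Assumes a pfSense/FreeBSD box with pfctl in PATH. The address below is a
# constructed placeholder standing in for the child's DHCP reservation.
KID_IP="${KID_IP:-192.168.1.50}"

# Only accept a plain dotted-quad, so a typo in the cron line cannot turn into
# a broad "pfctl -k" that drops every state on the box.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Emit the two pfctl invocations as text. "pfctl -k HOST" kills states whose
# source is HOST; "pfctl -k 0.0.0.0/0 -k HOST" kills states whose destination
# is HOST, which catches inbound flows that the first form misses.
state_kill_cmds() {
    printf 'pfctl -k %s\n' "$1"
    printf 'pfctl -k 0.0.0.0/0 -k %s\n' "$1"
}

# Count the remaining states that involve the host, reading "pfctl -ss" output
# from stdin. Matching on "HOST:" stops 192.168.1.5 from matching 192.168.1.50.
count_host_states() {
    grep -Fc "$1:" || true
}

# Run (or, with DRY_RUN=1, only print) the kill commands and log what was done
# to syslog via logger, so the cron run leaves a trace you can check later.
run_kill() {
    ip="$1"
    if ! valid_ipv4 "$ip"; then
        echo "refusing: '$ip' is not an IPv4 address" >&2
        return 2
    fi
    state_kill_cmds "$ip" | while read -r cmd; do
        if [ "${DRY_RUN:-0}" = "1" ]; then
            echo "[dry-run] $cmd"
        else
            $cmd && logger -t schedule-kill "ran: $cmd"
        fi
    done
}

# Constructed sample of "pfctl -ss" output, used to show the check offline.
SAMPLE_STATES='em1 tcp 192.168.1.50:51234 -> 93.184.216.34:443       ESTABLISHED:ESTABLISHED
em1 udp 192.168.1.50:3074 -> 203.0.113.9:3074       MULTIPLE:MULTIPLE
em1 tcp 192.168.1.5:40000 -> 198.51.100.20:443       ESTABLISHED:ESTABLISHED'

# Entry point when invoked from cron, one minute after the schedule flips:
#   1,31 * * * * root /usr/local/bin/kill_kid_states.sh --run
# (the minute values are placeholders; match them to your own schedule)
if [ "${1:-}" = "--run" ]; then
    run_kill "$KID_IP"
elif [ "${1:-}" = "--check" ]; then
    pfctl -ss | count_host_states "$KID_IP"
fi
```

Run it once with `DRY_RUN=1 ./kill_kid_states.sh --run` to see the exact commands before handing it to cron, and `./kill_kid_states.sh --check` after the schedule has flipped to confirm the count drops to zero. The kill is scoped to one address on purpose: it does not touch the box-wide state table the way the GUI's "reset states" button does. For erintech's logging question, stock FreeBSD's syslog.conf sends `cron.*` to /var/log/cron, and the `logger -t schedule-kill` line above adds a record of each kill to the system log regardless of how cron itself is logged.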
          • C
            chpalmer
            last edited by Jan 5, 2012, 3:51 AM

            @erintech:

            Hi

            The ability to use a schedule with a firewall rule is fantastic, and works perfectly well in testing when browsing different websites. So I can set a rule with a schedule which blocks access after a certain time (kids' bedtime!).

            I understand that this doesn't work instantly for existing sessions (e.g. streaming video, iPlayer) and that a cron job runs every 15 minutes to remove old sessions.

            I assume it must be this one:

            0,15,30,45 * * * * root /etc/rc.filter_configure_sync

            Can anyone comment on whether it would cause problems if I made this more frequent? e.g. every 5 minutes (0,5,10,15…)

            Also: how can I monitor cron jobs, or find the logs? (FreeBSD is somewhat different from the Linux I am used to)

            Many thanks,

            Set the rules to go 15 minutes sooner than you intend them to activate so that the Cron job activates on time….

            When they complain about the earlier time, tell them that if they abide by the rules you will loosen the noose...

            Triggering snowflakes one by one..
            Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

            • P
              podilarius
              last edited by Jan 5, 2012, 4:00 AM

              Or tell them that is the time for them to prove they are responsible. If they can stop on time every day, then they can have the restriction moved. Give them the opportunity to prove themselves.

              Either Way … good luck.

              • M
                marcelloc
                last edited by Jan 5, 2012, 5:44 AM

                Try to find the reset-states code: look at what PHP this button calls and run it via cron.

                An easier way could be creating a stateless rule before the Allow rule with the inverse time schedule. This way, when this rule is active, the firewall will block any connections, established or not.

                Elite Training: http://sys-squad.com

                Help a community developer! ;D

                • P
                  podilarius
                  last edited by Jan 5, 2012, 5:54 AM

                  Excellent … I will give that a try.

                  • K
                    kirlox_kitoy
                    last edited by Jan 19, 2012, 3:48 AM

                    What do you mean by stateless? Has anyone tried using the built-in scheduling in the pfSense user interface?

                    • M
                      marcelloc
                      last edited by Jan 19, 2012, 3:54 AM

                      @kirlox_kitoy:

                      What do you mean by stateless? Has anyone tried using the built-in scheduling in the pfSense user interface?

                      Yes, we are talking about time schedules from the GUI.

                      If you read the full thread you will see that established connections remain after time is up.

                      The stateless rules can be set under the advanced firewall rule options.

                      Change it from keep state to none.

                      Elite Training: http://sys-squad.com

                      Help a community developer! ;D

                      • K
                        kirlox_kitoy
                        last edited by Jan 19, 2012, 6:16 AM

                        Can I ask for help? This is my link too: http://forum.pfsense.org/index.php/topic,45251.0.html

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.