Breaking connections/resetting state
-
As a means of "encouraging" users in my house to get off the internet at certain times, I have scheduled downtimes of certain networks in the firewall rules. Unfortunately it seems that once a connection is already made, that connection persists despite the blocking rules. As an example, one user in particular starts up Facebook chats with friends. The network rules block * on that network but the user continues to type away. Short of standing behind them and verifying what's happening, from occasional glances at their screen in the distance I'm 99% sure they're continuing to chat long after the blocking rules have kicked in.
Rebooting the firewall seems to encourage them to get up and stretch their legs and do other things but I'd prefer an easier way.
My question is (I'm not in front of my pfSense box right now so I can't explore): is there an easier way to do it? E.g. setting up a cron job to reset states right after the blocking rules kick in; will that break all existing connections?
I'm dealing with surly teenagers here, so getting them to explain how they're still on facebook inside the blocked schedule and work with me isn't a likely scenario.
-
The states should be reset for all related states when a schedule ends.
See menu System: Advanced: Miscellaneous: Schedule States. Also: don't use a block rule to schedule, use a pass rule to schedule ... pass from 8am-->10pm / deny always.
If that's not the case, please verify and try to create a reproducible scenario, so the developers can figure out why it's failing.
-
also: don't use a block rule to schedule, use a pass rule to schedule ... pass from 8am-->10pm / deny always
This is the important thing.
Put a pass rule on a schedule to pass traffic "xyz" at the allowed times.
Then put a block rule to block traffic "xyz" at all times.
The packet filter knows which sessions/states were created from which pass rule. So when the pass rule ends it is simple for the command to be given to remove all states that were associated with that pass rule, automagically.
-
OK, that's a bit harder to implement.
My ruleset looked like this:
block everything from an alias from 10pm to 6am
pass proto_something from alias_something to a_particular_alias at a_particular_port always
more specific pass rules
I wanted the block rule to override the others, and because the others are older and some are quite specific (allow one particular machine to communicate with one particular IP:port) it'll just be a bit more work to delete the block rule (there's the default block_all rule already at the bottom) and edit all the existing rules to allow during a 6am-10pm schedule.
Very hard to create a repeatable scenario given the secretive nature of the users. I'll try to rejig my rules and if it still doesn't work get back to you.
-
Changed ruleset to:
pass a particular rule according to daytime schedule
pass another rule according to daytime schedule
etc.
and got rid of the:
block according to nighttime schedule
and it appears to work judging by the complaints I got when the daytime schedule ended. Thanks everyone.
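As an added example (not text from the thread, and not the ruleset pfSense itself generates), here is the pass-on-schedule / block-always pattern from the replies written as a plain pf ruleset, with a cron-driven anchor standing in for the pfSense schedule. The interface, addresses, anchor name, label and times are assumptions. It shows the point the second reply makes: the label on the pass rule is what ties its states to that rule, and `pfctl -k label` is how those states are killed when the window closes. A block rule that merely appears at 22:00 cannot do this on its own, because pf matches packets against existing state table entries before it evaluates rules, which is why the original block-on-schedule ruleset let established chats carry on.

```pf
# Added example, not part of the thread and not pfSense's own generated
# ruleset: a hand-written /etc/pf.conf showing "pass on a schedule, block
# always", with a label so the states created by the scheduled pass rule
# can be found and killed when the window ends.
# Interface, addresses, anchor name, label and times are assumptions.
lan_if = "igb1"

# Scheduled pass rules live in this anchor. A cron job loads the pass rule
# at the start of the window and flushes it at the end, standing in for
# the pfSense schedule (pfSense does this part for you via the GUI).
anchor "kid_daytime"

# Unscheduled block, matched whenever the anchor above is empty. It stays in
# the ruleset at all times so these hosts never fall through to a later,
# more permissive pass rule.
block in quick on $lan_if from { 192.168.1.50, 192.168.1.51 } to any label "kid_block"

# Assumed root crontab entries that drive the schedule:
#
# 06:00 load the pass rule into the anchor. The label "kid_pass" is the hook
# that lets us find this rule's states later.
#   0 6 * * *  printf 'pass in quick on igb1 from { 192.168.1.50, 192.168.1.51 } to any label "kid_pass"\n' | pfctl -a kid_daytime -f -
#
# 22:00 remove the pass rule, then kill every state it created. Without the
# second command, existing sessions keep matching their state table entries
# and never reach the block rule; that is the behaviour the first post saw.
#   0 22 * * *  pfctl -a kid_daytime -F rules && pfctl -k label -k kid_pass
#
# Check after 22:00 that nothing survived:
#   pfctl -ss | grep -c '192.168.1.5[01]'
```

On a pfSense box the equivalent of the 22:00 step is the "Schedule States" option the first reply points to; `pfctl -sr` shows the labels pfSense attaches to its generated rules, and `pfctl -ss` lets you confirm whether any states from the scheduled hosts outlive the window.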