How to instantly disconnect states when time limit is reached?
-
In a nutshell i use this at home to help control my children from excessive internet usage. I have firewall rules that allow connections for certain times only based upon schedules (tied to their device IP addresses). The last rule i have is to deny access to all their devices.
So my firewall flow is like this:
Rule allow access (with schedule)
if the rule is not active because the time period has expired then it goes all the way down the list till it hits something which is active and that is the deny all access to their devices rule.This works great for new connections but not for existing ones. Meaning lets say at 10pm i have the pass rule set to not be active. Any new connections they make are being blocked. However, if they are currently playing a game or watching something on youtube, the connection persists until they disconnect. Afterwards, assuming they disconnected 100% from the server they were on (and the state is gone), they cannot reconnect until the next day when the pass rule becomes active again.
This long winded explanation leads me to this question, is there anything I can do to terminate the existing states when the rule expires? I thought this was already supposed to do this but I may have been mistaken. What I want is for when the rule deactivates I want all TCP and UDP traffic to halt which means the states cleared.
Is there anyway I can do that?
-
@jeremym said in How to instantly disconnect states when time limit is reached?:
nutshell i use this at home to help control my children from excessive internet usage. I have firewall rules that allow connections for certain times only based upon schedules (tied to their device IP addresses). The last rule i have is to deny access to all their devices.
So my firewall flow is like this:
Rule allow access (with schedule)
if the rule is not active because the time period has expired then it goes all the way down the list till it hits something which is active and that is the deny all access to their devices rule.
This works great for new connections but not for existingMaybe a cron job to kill the states:-
https://www.freebsd.org/cgi/man.cgi?query=pfctl&sektion=8
-
A scheduled pass rule will kill states associated with it unless Schedule States - Do not kill connections when schedule expires is checked (System > Advanced, Miscellaneous).
The connections that are not killed are likely being passed by another rule so they are not killed when the scheduled pass rule expires.
-
@derelict said in How to instantly disconnect states when time limit is reached?:
A scheduled pass rule will kill states associated with it unless Schedule States - Do not kill connections when schedule expires is checked (System > Advanced, Miscellaneous).
The connections that are not killed are likely being passed by another rule so they are not killed when the scheduled pass rule expires.
I dont have that enabled and yet my kids still happily enjoy existing steam connections well past the expiration time. New connections though do not get created.
I have this on my LAN firewall rule section and not the WAN section. I assumed LAN is where its supposed to be configured.
I would provide logs real quick but out of frustration I just made them reboot their computers tonight when the rule expired.
-
I also have their devices as the "source" and not the destination. Should i switch the rule so the devices are the destination? That kinda seems like maybe thats the issue on my end perhaps? If new connections cant be made out when it expires "source", but existing connections are sustained to my kids computer "destination", maybe thats what the problem is?
Im just grasping for straws here. I believe its something i have configured on my end thats letting it go through. Just trying to figure out what haha
-
Every time someone says this happens, I test it and it works fine (the states are killed).
There are some under-the-hood things you can do to see what rules created said states, but it gets a little complicated.
What time of day (and time zone) do you have this scheduled pass rule set to expire?
-
@jeremym said in How to instantly disconnect states when time limit is reached?:
Should i switch the rule so the devices are the destination?
No, that won't work. What matters is that the scheduled rule creates the states, and that there are no other rules that pass the connections after that rule expires. And that the actual gaming traffic is matched by the pass rules and not by some other rules (there might be certain connections that are only required to create the game and others to keep playing, etc).
-
Eastern Time Zone.
The schedules vary based upon if its a weekday or weekend. Weekends I let them use it more than weekdays just because of school reasons.
Mostly during the week (Sun-Thurs) its from 1500 to 2200
Weekend (Friday-Sat) its 1200 to 23:59After that the pass rule expires and then the only thing left for them is the deny rule.
-
The following works for me:-
Post your firewall rules.
-
@NogBadTheBad Im actually going to trim up that rule list and make it much less complicated. Lots of things i could combine there into a few rules. I originally had so many, and more schedules, due to what device was being used. However even as it stands above it should still terminate all connections to their devices at the scheduled times. I must have something wrong somewhere.
-
I'd just create a couple of test firewall rules and get that working.
You can have multiple days / times in a single schedule as well.
-
@Derelict do you know if the issue I reported, that you logged into my firewall to validate and gather logs, has been fixed yet?
-
There was some work done with matching NAT states.
Best thing to do is upgrade to 2.4.4-p3 and see if it fixes your specific problem.