Temporary allowed connections

HansSolo

Desperately need a way to TEMPORARILY approve connections. Many times I need to provide a hole through the firewall for one time transactions for example. All other firewall platforms that I know of have the option to ALLOW a connection for a limited amount of time.....15 minutes, 1 hour etc.

Right now all pfsense allows is either NO connection or PERMANENT connection.

alt text

Is there a way to do this with pfsense?

If not, that's very disappointing.

johnpoz

Look a scheduler... Its in the rules advanced section. and you create the schedules..

Please name these other firewalls that allow for firewall rule for 15 minutes. I have worked on many a firewall over the years and have never seen such a thing.. Most of them do have schedules you can setup which pfsense has as well. But never seen a thing where I could create a rule that is only good for the next hour, sort of thing..

So what firewall allow connection for 15 minutes... Please post a screen show of this feature.

KOM

The closest you will get is to create a schedule and then link it to a firewall rule, I think.

Edit: ninja'd by John

HansSolo

@johnpoz
Seriously???

ALL Watchguard firewalls can do that (except the hobby, home ones)

johnpoz

Post up the screenshot of this rule creation... Watchguards not used in the enterprises I support... Can tell you right now that juniper srx doesn't do it!

its a schedule you can setup.

HansSolo

@johnpoz said in Temporary allowed connections:

Post up the screenshot of this rule creation... Watchguards not used in the enterprises I support... Can tell you right now that juniper srx doesn't do it!

its a schedule you can setup.

No.
On ANY Watchguard X-Core, and above you can select to allow a connection for 15 minutes or 1 hour. It's SUPER simple and is a real convenience.

You mean to tell me you, as a firewall expert, don't see the need for this? Seriously?
Setting up schedules is crazy and a total PITA for this. Sketchy.

KOM

Then use a Watchguard instead of bitching or being passive-aggressive.

HansSolo

@KOM said in Temporary allowed connections:

Then use a Watchguard instead of bitching or being passive-aggressive.

You need to calm down pal. I'm just making it better.
This is a simple thing that is much needed and extremely convenient.
People too tender to take constructive criticism or needing safe spaces don't belong on public forums.

chpalmer

@HansSolo said in Temporary allowed connections:

You mean to tell me you, as a firewall expert, don't see the need for this? Seriously?

Very rarely if ever.. I would not spend a second of anyone else's time to design this into a product. It's to easy just to turn off the rule when its no longer needed.

kiokoman

personally i never had the need of such a thing, as they already told you, unfortunally there isn't such a feature but you can ask for it to be implemented here https://redmine.pfsense.org/projects/pfsense/
maybe with some luck ...

KOM

I remember you now. You're the guy who I had to argue with over simple networking concepts.

"This is a simple thing"

Well then, code it up and submit the patch. After all, it's simple.

"that is much needed"

By whom? You? I don't recall anyone else asking for this in the five years I've been here.

"and extremely convenient."

If you needed such a feature. Most companies I've dealt with don't need holes punched in their firewalls on a regular basis.

johnpoz

Where exactly in the watchguard when you create your policy for your rule is there a place to do this... I do not see anything like your talking about..

Your saying you can click on watchguard firewall log on something that was blocked and allow it for 15 minutes?

How and the F is that going to work when the nat has not even been setup on a port forward, etc. etc..

Still waiting for the screenshot or link to docs for watchguard that allows you do what your asking. Cuz such and option has really ZERO use case in the enterprise... Before something is allowed through a firewall there is change control that has to be done.. You can not just click on something to allow it for 15 minutes..

Your wanting to allow user outbound somewhere on port 443.. That would be done on the PROXY in the enterprise, not firewall.. Then sure users that are blocked by policy normally can just override with a password for X number of minutes, etc.

Such stuff is not done on a L3 firewall!

HansSolo

@KOM said in Temporary allowed connections:

I remember you now. You're the guy who I had to argue with over simple networking concepts.

"This is a simple thing"

Well then, code it up and submit the patch. After all, it's simple.

"that is much needed"

By whom? You? I don't recall anyone else asking for this in the five years I've been here.

"and extremely convenient."

If you needed such a feature. Most companies I've dealt with don't need holes punched in their firewalls on a regular basis.

This is not magic or rocket science dude. ANYONE using the Internet and has a firewall sometimes might need to connect to a possibly sketchy site. Like buying something from an unknown vendor or connecting to a new website that you're not sure is authentic or bogus etc. Why would you allow a PERMANENT connection you're not sure of ??

Seriously???

johnpoz

Again this not done on a firewall in the enterprise - that is done at the proxy!!

Are you running proxy on pfsense?

HansSolo

@johnpoz said in Temporary allowed connections:

Again this not done on a firewall in the enterprise - that is done at the proxy!!

Are you running proxy on pfsense?

No. And I'm blown away that you guys don't know about doing this.
Seriously dude.

I'm wondering now if maybe you and kom have completely misunderstood me.

Did you see the picture I posted in the OP ?

johnpoz

Yeah see the picture... Sorry but that would never in a million years happen on an enterprise firewall!

There is no scenario where that would happen... Only the smallest of the smallest mom and pop shops would allow their firewall admin to just click shit to allow open without change control.. Or a ticket atleast, etc. etc.

But sure in the proxy where site gets blocked because its listed in wrong category, etc. you would correct the category... Or user might be able to allow shopping sites during their lunch break, etc..

I think you have a lack of understanding of how network and security controls work in the enterprise to be honest.. In the 10 some years I have been here - I do not recall anyone ever asking for such a thing either.

KOM

I don't think you're getting it. We understand the feature you're asking about. We're telling you that this is generally not required for an enterprise firewall but you refuse to accept it. And were not even sure what traffic you're talking about. You mention buying something online, so I assume you mean http/s? You want a rule to allow tcp80,443 access on a temporary basis?

HansSolo

@chpalmer said in Temporary allowed connections:

@HansSolo said in Temporary allowed connections:

You mean to tell me you, as a firewall expert, don't see the need for this? Seriously?

Very rarely if ever.. I would not spend a second of anyone else's time to design this into a product. It's to easy just to turn off the rule when its no longer needed.

Huh?
It's easier to go in and do three or four steps instead of ONE ? And then, remember to go back later and do three or four more?? Since when?

chpalmer

Just called my Watchguard rep and he thinks that your incorrect. He is going to check though.

One big issue I see is that just because you end a rule in a stateful firewall does not mean your connection to that destination is going to cease. You need to look at your states in any questionable situation and kill the state if it remains open. So something "automagically" happening is bad practice.

HansSolo

Your Watchguard rep is incorrect.
Place your bets now.

I'm being slowed down in responses to your questions due to 120 second rule. Can that get lifted please so I can answer?