Temporary allowed connections
-
The only reason we have a Watchguard "rep" is because of a small number of sites where we inherited the customer from an overzealous salesman. They are almost all replaced now. Just one more site. :)
https://redmine.pfsense.org/
-
@HansSolo Well the lack of interest when you posted this the first time already speaks for itself: https://forum.netgate.com/topic/143176/feature-request-ability-to-allow-for-limited-time
And for the future:
As @kiokoman already pointed out feature requests need to go on redmine, there you will see whether the developers see it as valid or not. Adding a pull request with an example implementation might speed it up.
If you post something on a discussion forum expect it to be discussed, and ridiculed if it is ridiculous, as most people have (surprise) different opinions and many will not agree with you. Acting childish when people disagree and trying to play the "But <insert random competing product name> has it and is better than you" card will just disqualify you further in that case.
-
@Grimson said in Temporary allowed connections:
@HansSolo Well the lack of interest when you posted this the first time already speaks for itself: https://forum.netgate.com/topic/143176/feature-request-ability-to-allow-for-limited-time
And for the future:
As @kiokoman already pointed out feature requests need to go on redmine, there you will see whether the developers see it as valid or not. Adding a pull request with an example implementation might speed it up.
If you post something on a discussion forum expect it to be discussed, and ridiculed if it is ridiculous, as most people have (surprise) different opinions and many will not agree with you. Acting childish when people disagree and trying to play the "But <insert random competing product name> has it and is better than you" card will just disqualify you further in that case.
Yes, Good to see you recognized that a few of the regulars here were acting "childish". Good for you.
As far as the "no one interested" comment.....
There are two replies to that thread. So right off the bat you are mistaken.
I had forgotten about that post. My bad for not remembering everything.
As far as the "has it better than you" thingy......
If you want to twist it into that go right ahead. I asked if it was possible then took the time to post an illustration.
Others then said "No other firewall I've ever seen has that"......So I kindly pointed out which did.
So I'm not sure what you're talking about. I would suggest you carefully read the thread again, just to get things straight.
Kind Regards
-
@chpalmer said in Temporary allowed connections:
I just got sent this. Rep said "It's done under schedules" Looks familiar. You guys can run through these pages if you want. I'm not.
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/policies/operating_sched_set_c.html
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/policies/policy_properties_about_c.html
I don't think it's under schedules in the Management System I have which is an older one. But still, it's there.
A VERY convenient feature.
I think most here view pfsense as a Huge Operation only firewall, but I'm fairly certain that's not the case.
I would venture a guess that more NON-Enterprise environments are using pfSense than Enterprise.
That said, I also realize it's the Enterprise environs that pay the bills
-
@KOM said in Temporary allowed connections:
The converse, of course, is that a wise user doesn't come into the forums and immediately start negging the product. If you would have just asked your question without implying that pfSense sucks because it doesn't do this thing that every other firewall in the world does (but not really), and it's soooooo disappointing, you would have avoided all this heat.
BTW part 2, no "story" changed. It was chpalmer that said he talked to his rep so I'm not sure what you're going on about. Look at the damned thread.
Actually, I'm done. Done here and done with you.
Yup. I did make that mistake. My bad.
But again, you really shouldn't get that ballistic over an honest mistake.
You were (in my opinion) wrong to say what you said....
(About the "bitching" and I could stop using pfsense)
Am I the first to ever ask about a feature that you felt was unnecessary? Will I be the last?
Am I the first to make a complaint? Will I be the last?
You are obviously a very sensitive person. If you go back and read the thread again carefully, you'll see all I did was ask about how something might work. I kinda got punched and ridiculed over it somewhat (but that's fine, no worries)
Anyway, it's a shame you threw in the towel. I'm sure you have some good information that could be helpful.
Lucky for me, I'm pretty much past the point of needing help. Truth be told, it's not the first time I sensed your uber sensitivity. So, all told, it may be best as you did (throw in the towel with me)
Good luck to you. I personally harbor no hard feelings even though you did basically tell me to F-off right off the bat.
-
Something is missing in this thread.
pfSense has this option called 'Captive portal'. Create some "15 minute" vouchers and you're done.
The 'scheduling' behind it will take care of all the 'rules'. When show-time is over, connections are stopped. States are destroyed. Nothing passes anymore.
They will get blocked after 15 minutes sharp, or even 19 m. max, but it delivers. Rock-solid.
Some user interaction is needed, true.
For the admin this is an easy task, that's for sure.
Btw : I'm using pfSense for an 'enterprise'.
edit : @HansSolo : I guess that you know that the Captive portal exists.
Just so I understand the issue, why would you want to 'permit' a device to connect for 15 minutes ?
-
@HansSolo said in Temporary allowed connections:
So I kindly pointed out which did.
Actually guy.. You insinuated that Watchguard does but offered no proof that it actually does. In fact our rep claims it doesn't other than with schedules which is pretty much identical to what pfsense does. Besides unless a schedule kills the states it's worthless for existing connections.
IMHO it would be a really bad thing to implement for at least one reason I stated above. You and others are welcome to disagree with me.
Yes, Good to see you recognized that a few of the regulars here were acting "childish". Good for you.
There you go again assuming and making disparaging comments. Stop it!
Desperately need a way to TEMPORARILY approve connections.
This is your first sentence in this thread. It is crafted in such a way (kinda the way the news media does) to make it seem like others besides you need this option. Maybe you didn't mean it this way but others coming along could take it that way. It should read-
"I would like to have a way to.." Because I cannot believe you are "desperate" to have such an option and at this point in my over ten years here I have never seen a post from anyone else asking for such an option.. Questions about scheduling come up all the time.
You do have a history here. Many people in this thread have talked to you before and thus may bring over a little frustration from the past. At this point you have 103 posts on this forum but only one reputation point. That is telling.
Kom on the other hand has over 7100 posts and a whole lot more reputation points.
Real simple. Go to firewall rules. Click the on off button on your rule and then click the apply button. When you're done reverse the process and you're done. Easy peasy.
Good luck!
-
@Gertjan said in Temporary allowed connections:
Something is missing in this thread.
pfSense has this option called 'Captive portal'. Create some "15 minute" vouchers and you're done.
The 'scheduling' behind it will take care of all the 'rules'. When show-time is over, connections are stopped. States are destroyed. Nothing passes anymore.
They will get blocked after 15 minutes sharp, or even 19 m. max, but it delivers. Rock-solid.
Some user interaction is needed, true.
For the admin this is an easy task, that's for sure.
Btw : I'm using pfSense for an 'enterprise'.
edit : @HansSolo : I guess that you know that the Captive portal exists.
Just so I understand the issue, why would you want to 'permit' a device to connect for 15 minutes ?
Gertjan,
Thank you for this very helpful post and your input.
Sometimes in the course of research for example, where I'm trying to get an apache configuration to work, or something like that where I'm inside the network and need to make multiple outbound connections, sometimes I come across links where I say to myself "ok, this site looks as though it might have good information, but it's in Brazil or China so I don't want to give permanent outgoing or incoming permanent permission to that IP address until I'm sure"
In those cases, I'd like to just give temporary permission to make the connection quick and easy, without having to remember to go back and change the rules later. I might forget. And if there are a lot of such connections, it can get tedious.
Am I going about it wrong?
-
@chpalmer said in Temporary allowed connections:
@HansSolo said in Temporary allowed connections:
So I kindly pointed out which did.
Actually guy.. You insinuated that Watchguard does but offered no proof that it actually does. In fact our rep claims it doesn't other than with schedules which is pretty much identical to what pfsense does. Besides unless a schedule kills the states it's worthless for existing connections.
No, it was not an insinuation....I STATED the fact. And I stand behind it.
Someone pointed out they contacted their WG rep for an answer....was that you? Did you get it? What difference is it going to make when I spend the 45 minutes to reconnect that box, get all those screen shots, post them to Photobucket and then link them here? Please tell me. Waiting......
@chpalmer said in Temporary allowed connections:
IMHO it would be a really bad thing to implement for at least one reason I stated above. You and others are welcome to disagree with me.
I disagree, for the numerous reasons I stated. See how opinions differ? Whose is right or wrong?
@HansSolo said in Temporary allowed connections:
Yes, Good to see you recognized that a few of the regulars here were acting "childish". Good for you.
Clearly, there is some bias on the part of members here. Fully expected. While this may seem to you personally and certain others like I'm being an ass, someone on the outside with no dog in the fight might see it the way I do. Any "childishness" I exhibited was in RESPONSE to others who acted so first. Please, just read the thread without bias if possible.
@chpalmer said in Temporary allowed connections:
There you go again assuming and making disparaging comments. Stop it!
But you can't see that he did first? lol. yeah, no bias at all. Hint: You agree with his POV. Doesn't make it right or wrong.
@HansSolo said in Temporary allowed connections:
Desperately need a way to TEMPORARILY approve connections.
@chpalmer said in Temporary allowed connections:
This is your first sentence in this thread. It is crafted in such a way (kinda the way the news media does) to make it seem like others besides you need this option. Maybe you didn't mean it this way but others coming along could take it that way. It should read-
@chpalmer said in Temporary allowed connections:
"I would like to have a way to.." Because I cannot believe you are "desperate" to have such an option and at this point in my over ten years here I have never seen a post from anyone else asking for such an option.. Questions about scheduling come up all the time.
"Crafted" Oh wow. For me, this is the case. I didn't post this for everyone else. Believe it or not, I personally find this feature extremely useful. Obviously you do not. Some will some won't. Again, what I am "guilty" of? Please explain.
The real problem here is when regulars go off on someone for a suggestion or question just because they don't see it as useful. That sucks. Again, you see it from an insider's POV.
@chpalmer said in Temporary allowed connections:
You do have a history here. Many people in this thread have talked to you before and thus may bring over a little frustration from the past. At this point you have 103 posts on this forum but only one reputation point. That is telling.
I have what kind of "history" ? What are you trying to say? I'm some kind of evil troll? Ok, offer proof.
More often than not, I have PRAISED pfsense and the efforts that have gone into it.
I respect that untold hours have been put into it. And I am grateful that it is offered at no cost. If I come over as non-appreciative then for THAT I am truly sorry.
I am the FIRST person who would DONATE to the cause. I looked for a donation link and couldn't find one.
@chpalmer said in Temporary allowed connections:
Kom on the other hand has over 7100 posts and a whole lot more reputation points.
KOM I'm sure is a good person. Sensitive, but that's fine. I'm not worried about points. My only concern is accomplishing my goals. We have a president who gets no points and actually catches hell on every front. The nature of human beings. Get over it. Sleep will not be lost even if I get negative points at any given forum..
@chpalmer said in Temporary allowed connections:
Real simple. Go to firewall rules. Click the on off button on your rule and then click the apply button. When you're done reverse the process and you're done. Easy peasy.
Very tedious. What if I have 20 of them at a time? Sometimes happens. Also, I'm absolutely certain it's not just me. Just because no one else has mentioned it. Again, you think enterprise Only, but a LOT of people using this firewall are not using it in an enterprise environ.
@chpalmer said in Temporary allowed connections:
Good luck!
Same to you.
-
@HansSolo said in Temporary allowed connections:
I STATED the fact. And I stand behind it.
Someone pointed out they contacted their WG rep for an answer
Yes that was me and my Watchguard person disagrees with you. I posted that twice before but you may have missed it.
what I am "guilty" of? Please explain.
I didn't say you were guilty of anything. In fact I used statements such as "Maybe you didn't mean it this way" and "I cannot believe". Please do not spin anything I say as if I'm accusing you of anything.
You are accusing others of being sensitive when I believe you yourself may be so. IMHO.. There- now I accused you of something- or did I?
Very tedious
I don't agree. I think asking someone else to build this option into this or any project that no one else seems to want would be very tedious for them just to do for one or two people (and right now it's a stretch in my book to say two). What I proposed is actually quite simple. You create one "allow all" LAN rule for your machine and put it at the top of your LAN rules. Turn it on when needed and turn it off when not needed.
I provided the link for you to go initiate the request for your buttons however if you wish to go ask. It's up in an earlier post.
Most home users would not be doing what you claim to be doing. (blocking access from your network to other countries) You and those who do seem to be the minority. Most home users would be relying on their client installed antivirus and malware blocking programs and wouldn't really care if their stuff connected overseas. Seems to me that you believe there is more malware being distributed by other countries than the US when I bet you would find that more comes from here from unpatched and forgotten servers that the owners just let sit there and create heat. Really doesn't matter where most comes from but that it is available in every country in the world and all you have to do is connect to the right server with an unpatched or unprotected client device.
I wonder how many people are still using NAT only routers believing in security through obscurity?
If you are doing enterprise type work on your home network then you should probably think about stepping up to enterprise thinking when it comes to your home network.. But hey- that's just me.
-
@chpalmer
Fair enough. And finally a post in the thread without sarcasm or malicious talk. Thanks
I won't argue with most of what you said. Although I do think more people than you realize do in fact use pfBlockerNG to block most foreign countries. First because it is available. Places like Maxmind spend and make fortunes on it.
But I see quite a bit of talk about it on ServerFault and all the other help sites. For me at least, it really does cut down on a lot of the nonsense that triggers Modsecurity and other server protections.
Most of the protections I need are not for PC's but for servers.
But anyway, that your opinion differs from mine is fine. And I can respect that.
I still wish that pfsense had the options listed in the picture in the OP. I'm pretty sure it's very useful to anyone who accesses the Internet from the same network they may have servers on. Maybe not so much "Enterprise" Operations.
As suggested, I guess I could take it up to write it in myself. I've already done a good bit of tweaking to the code. But it gets written over on updates.
But again, I'd bet a dime MOST pfsense users are not using it in an Enterprise environment. I have no proof of that.
Probably good advice on the enterprise suggestion. Is that just a different version of pfsense? (ie NOT the Community version?)
I'm glad to see we were able to step it back down to a civil level.
Cheers
-
KOM....
Sometimes bitter enemies can eventually become best of friends.......stranger things happen.....just a thought
Peace