Increase Schedule Based FW Rules To 5 Minute Intervalls
-
G'day mates ;-)
I have to make schedule based firewall rules to be more fine granular, e.g. down to 5 minutes intervals for a customer of mine.
I see the backend already allows me to set timeranges such as 01:23-13:37.I think the job that calls the packet filter rules update only runs every X (15?) minutes, so there is currently some precision lost. Not sure how the mechanism works, this is me guessing.
So I'd highly appreciate if you could point me in the right direction, maybe also briefly describe how the underlying mechanism works and which components are involved.
Thank you and best regards,
Ernesto -
afaik the rules are immediately put on place,
the problem is if you still have active state at, for example, 13:37 , they are still valid and not killed so you need to kill the states for that rule if you want it to be immediately effective
so only new states are blocked at 13:37 but the old one that are still active and valid are not blocked until they expire -
Well, I there must be a mechanism that puts the rules in place or removes them according to the schedule. Because they are either visible in:
pfctl -s allor they get completely removed when inactive.
-
Maybe just adding your own cronjod for
/etc/rc.filter_configure_syncwith whatever intervals you need would be simplest.Assuming you are setting the time ranges manually.
Steve
-
Well, in the end this was super simple. There is also a cron section in $config and it's pretty straight forward, e.g.:
pfSense shell: print_r($config[cron]); ... [7] => Array ( [minute] => 0,5,10,15,20,25,30,35,40,45,50,55 [hour] => * [mday] => * [month] => * [wday] => * [who] => root [command] => /etc/rc.filter_configure_sync ) ...and the schedule
print_r($config[schedules]); ... Array ( [schedule] => Array ( [0] => Array ( [name] => AccesTimes [descr] => AccesTimesDesc [timerange] => Array ( [0] => Array ( [position] => 1,2,3,4,5 [hour] => 7:50-9:15 [rangedescr] => ) [1] => Array ( [position] => 1,2,3,4,5 [hour] => 9:40-11:05 [rangedescr] => ) [2] => Array ( [position] => 1,2,3,4,5 [hour] => 11:25-12:50 [rangedescr] => ) [3] => Array ( [position] => 1,2,3,4,5 [hour] => 12:55-15:15 [rangedescr] => ) [4] => Array ( [position] => 1,2,3,4,5 [hour] => 15:30-16:55 [rangedescr] => ) ) [schedlabel] => 5dd4268dea560 )I must have been blind not to see that in the first place :p
-
You probably only need that to run at minute 15 and minute 50 which might save some unnecessary churn.
Unless you plan to add more rules.Steve
-
Small update I want to share here for reference. It happened, that the cron job 7 got reset to run only at the default times 0,15,30,45. So my next try is, to add an additional job (8) which covers the missing times:
$config[cron][item][8] = []; $config[cron][item][8][minute] = "5,10,20,25,35,40,50,55"; $config[cron][item][8][hour] = "*"; $config[cron][item][8][mday] = "*"; $config[cron][item][8][month] = "*"; $config[cron][item][8][wday] = "*"; $config[cron][item][8][who] = "root"; $config[cron][item][8][command] = "/etc/rc.filter_configure_sync"; write_config(); exec; -
@ErnestoRey perhaps you could use the 'cron' package instead of manually editting the config?
