Firewall Rules Scheduling doesn't drop open Connections



  • Hi – I'm trying to set up a rule to block connections after a certain time.

    I've managed to do it where it blocks new connections, but any open/persistent connections do not get dropped/closed.

    Is there a way to drop those connections once the schedule goes into place?

    Here are my rules:

    http://i.imgur.com/8a34TPA.png - Block Rule
    http://i.imgur.com/SC2Fgtn.png - Advanced Options of Block Rule (1)
    http://i.imgur.com/6PYxgzv.png - Advanced Options of Block Rule (2)
    http://i.imgur.com/fxnnj3V.png - The Schedule

    Is there any way to make it so once the schedule comes into place it drops ALL the connections for the user?

    Cheers.



  • pfSense drops connections permitted by a scheduled rule when the schedule goes into place. But a block rule like yours does not permit any connection.

    So if you want the schedule to work and drop connections when the schedule time expires, you must convert your setup to a scheduled pass rule.



  • Sorry for being a pain, can you expand?

    Maybe tell me how I do this?

    I'm not too sure what you mean?



  • Only connections which are allowed by a particular scheduled rule can be dropped. You've set a block rule, but block rules do not allow connections. The connections you want to drop are presumably allowed by an allow-any-to-any rule which follows below, but this one is not a scheduled rule in turn.

    So the best way to set this up depends on your whole LAN rule set.
    However, to be on the safe side, you may copy the scheduled rule by hitting the copy button at the right. On the rule edit page go down, set the schedule to none and save it. Now you have just a block-any rule for Shale.
    Then edit the upper (original) rule, change the action to pass and save it.
    Now you only have to modify the schedule InternetOff: delete the time ranges and set a new range for the allow-internet time, every day 7:00 to 20:00.
    In fact the schedule now has the wrong name, but it should work this way, since now the connections from Shale are permitted by a scheduled rule and will be dropped when it expires.



  • Thank you for that reply.

    I think I've done it how you suggest?

    http://i.imgur.com/3SRCyld.png - LAN Rule Overview
    http://i.imgur.com/n68CxRz.png - Schedule Overview
    http://i.imgur.com/S1n7xa2.png - 7AM - 8PM Block

    Is there anything else I need to do to make it drop all connections after 8PM (so the internet doesn't work on his devices)?

    Thanks again,
    Amos.



  • EDIT:
    8PM just rolled around and it didn't even work the slightest bit. It didn't even break new connections; it's like the rule didn't even go into effect.

    I'm really struggling to do something that should be really simple. Why is it so hard to just create a firewall rule to block the internet past a certain time for certain users?



  • No man, you're missing the block rule for Shale now. That rule set would not block anything.

    I suggested copying the scheduled (block) rule and removing the schedule option from the copy, so a block rule for source Shale would remain.

    What does the second rule with source = Shale do? It seems to be just a limiter rule for the same thing. You may add the limiter to the scheduled rule and delete this one. There's no need for an extra rule.

    Anyhow, you need a block rule with source = Shale. Create this one and put it underneath the last pass rule for Shale.

    pfSense checks packets against the rules from top to bottom. If a rule matches (source IP + port + dest IP + port), that rule is applied and the other rules are ignored.
    So if the scheduled rule is not active it goes to the next one. Therefore you need the block rule underneath, otherwise the default allow rule would be applied (if Shale is part of LAN net, which I guess it is).



  • Rule #2 - Should be a block rule, and it should be enabled from 8PM-7AM
    Rule #3 - Is fine, it will tally bandwidth used by Shale when the rule above doesn't fire
    Rule #4 - Allows anyone else out regardless of what Rule #2 is doing.

    Your present setup doesn't work because:

    You have NO blocks
    When Rule #2 is ON, the bandwidth counter doesn't work.

    You might wish to enable logging on all these rules for a bit and watch what happens; you likely would have solved your own problem.

    AFAIK, if Shale is on YouTube (or whatever) at 7:59:59, it won't cut him off until the firewall states clear.
    Once a rule triggers, it opens a state, and that state stays open until it's cleared or it times out. So he has an open state, and if he keeps surfing the same site, it will never close.

    Someone a bit more advanced than me might be able to tell you what to do about it. The really dirty way is simple to trigger (Diagnostics / States / Reset States), but that will break any/all connections that are open at 8:00PM, which may not be good…
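    The first-match evaluation and the state behaviour described in the two replies above, as an added Python model of the thread's reasoning (not pfSense code and not posted by anyone in the thread). The rule sets, hours and host names are constructed assumptions; the kill-states-on-schedule-expiry behaviour follows what the replies say pfSense does.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    action: str          # "pass" or "block"
    src: str             # source alias; "any" matches every source
    sched: tuple = None  # (start_hour, end_hour) the rule is active; None = always

def rule_active(rule, hour):
    if rule.sched is None:
        return True
    start, end = rule.sched   # a range such as (20, 7) wraps past midnight
    return start <= hour < end if start < end else (hour >= start or hour < end)

def first_match(rules, src, hour):
    """pfSense evaluates top to bottom; an inactive scheduled rule is skipped."""
    for idx, r in enumerate(rules):
        if rule_active(r, hour) and r.src in ("any", src):
            return idx, r.action
    return None, "block"      # implicit default deny

class Firewall:
    def __init__(self, rules):
        self.rules = rules
        self.states = {}      # (src, dst) -> index of the rule that opened the state

    def packet(self, src, dst, hour):
        if (src, dst) in self.states:
            return "pass"     # existing state: the rule set is not consulted at all
        idx, action = first_match(self.rules, src, hour)
        if action == "pass":
            self.states[(src, dst)] = idx
        return action

    def schedule_tick(self, hour):
        """Only states opened by a scheduled rule that just went inactive are killed."""
        for key, idx in list(self.states.items()):
            if self.rules[idx].sched is not None and not rule_active(self.rules[idx], hour):
                del self.states[key]

def run(rules):
    fw = Firewall(rules)
    fw.packet("Shale", "video-site", 19)  # constructed: connection opened before the cutoff
    fw.schedule_tick(20)                  # the 20:00 schedule boundary
    return fw.packet("Shale", "video-site", 20), fw.packet("Shale", "new-site", 20)

# Original setup: scheduled block 20:00-07:00 sitting above the default allow rule.
ORIGINAL = [Rule("block", "Shale", (20, 7)), Rule("pass", "any")]
# Suggested setup: scheduled pass 07:00-20:00 with an unscheduled block for Shale beneath it.
SUGGESTED = [Rule("pass", "Shale", (7, 20)), Rule("block", "Shale"), Rule("pass", "any")]
```

    With ORIGINAL the pre-existing connection keeps passing after 20:00 because its state belongs to the unscheduled allow rule; with SUGGESTED the state was opened by the scheduled pass rule, so it is killed at the boundary and the block rule beneath catches everything afterwards.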

  • Let me know if this is now correct then?

    http://i.imgur.com/EGnLMJR.png - BLOCK Rule 1 (No Limiter)
    http://i.imgur.com/mFWphF8.png - PASS Rule 1 (With Limiter)

    Thanks for your help – it'd still be great if we could drop any live state from 'Shale' without dropping every open state.



  • I'll give it up. Sorry.



  • @MrAmos123:

    Let me know if this is now correct then?

    http://i.imgur.com/EGnLMJR.png - BLOCK Rule 1 (No Limiter)
    http://i.imgur.com/mFWphF8.png - PASS Rule 1 (With Limiter)

    Thanks for your help – it'd still be great if we could drop any live state from 'Shale' without dropping every open state.

    Sorry I can't help you with the drop states…

    I'd post this as a separate question - dropping states with scheduled block rules; maybe it's already handled some way.
    If not, I suspect you likely need a script running on a cron job. You might ask in the developer forum for ideas.

    Your rules look good from what I can see... the table form makes it much easier to figure out what is going on, since most of the rule screen isn't used.

    I don't think you need a schedule on the limiter rule. Just put the block rule first in the chain. If block is on and is matched, the pass rule won't be seen.

    EDIT:
    I just saw this post https://forum.pfsense.org/index.php?topic=77168.0… I didn't read it in detail, but I think your answer might be here.

    If you do find a solution please make sure to post it and mark your thread [SOLVED] so it becomes a resource for others.



  • So did you get it working?