Firewall schedule rule - existing connexions not dropped



  • I am running on:
    Netgate SG-1000
    Version 2.4.0-BETA (arm)
    built on Sat Jul 08 11:20:00 CDT 2017
    FreeBSD 11.0-RELEASE-p10

    I have some firewall rules rejecting packet according to a schedule.
    The schedule defines the period(s) where the packets should be rejected.

    The rules works properly for new connections.

    For existing connections I would like to have it apply the following setting in "System/Advanced/Miscellaneous" to existing connexions that would be refused by these rules:

    "Schedule States Do not kill connections when schedule expires
    By default, when a schedule expires, connections permitted by that schedule are killed. This option overrides that behavior by not clearing states for existing connections."

    My understanding is that the above setting only applies to connections that are passed by the scheduled rule and not to connections that are denied by the rule.

    I suppose that the suggestion would be to invert the rule: pass the packets on the complementary schedule.

    However, I can not do so given the issue with traffic shaping (https://forum.pfsense.org/index.php?topic=133320.0).
    Putting the traffic shaping rules first in the LAN rules would pass packets that should be blocked.
    Putting the schedule first as a passing rule would stop the traffic shaping rules from being applied.

    Any other suggestions?



  • Perhaps put the schedule on all the shaping rules themselves?



  • In this setup that can work.  I will try it.



  • I've added the schedule to the other rules, duplicated the default LAN pass rule and added a schedule to it.

    Seems operational  :D .


Log in to reply