Temporary allowed connections



  • Desperately need a way to TEMPORARILY approve connections. Many times I need to provide a hole through the firewall for one time transactions for example. All other firewall platforms that I know of have the option to ALLOW a connection for a limited amount of time.....15 minutes, 1 hour etc.

    Right now all pfsense allows is either NO connection or PERMANENT connection.

    alt text

    Is there a way to do this with pfsense?

    If not, that's very disappointing.


  • LAYER 8 Global Moderator

    Look a scheduler... Its in the rules advanced section. and you create the schedules..

    Please name these other firewalls that allow for firewall rule for 15 minutes. I have worked on many a firewall over the years and have never seen such a thing.. Most of them do have schedules you can setup which pfsense has as well. But never seen a thing where I could create a rule that is only good for the next hour, sort of thing..

    So what firewall allow connection for 15 minutes... Please post a screen show of this feature.



  • The closest you will get is to create a schedule and then link it to a firewall rule, I think.

    Edit: ninja'd by John



  • @johnpoz
    Seriously???

    ALL Watchguard firewalls can do that (except the hobby, home ones)


  • LAYER 8 Global Moderator

    Post up the screenshot of this rule creation... Watchguards not used in the enterprises I support... Can tell you right now that juniper srx doesn't do it!

    its a schedule you can setup.



  • @johnpoz said in Temporary allowed connections:

    Post up the screenshot of this rule creation... Watchguards not used in the enterprises I support... Can tell you right now that juniper srx doesn't do it!

    its a schedule you can setup.

    No.
    On ANY Watchguard X-Core, and above you can select to allow a connection for 15 minutes or 1 hour. It's SUPER simple and is a real convenience.

    You mean to tell me you, as a firewall expert, don't see the need for this? Seriously?
    Setting up schedules is crazy and a total PITA for this. Sketchy.



  • Then use a Watchguard instead of bitching or being passive-aggressive.



  • @KOM said in Temporary allowed connections:

    Then use a Watchguard instead of bitching or being passive-aggressive.

    You need to calm down pal. I'm just making it better.
    This is a simple thing that is much needed and extremely convenient.
    People too tender to take constructive criticism or needing safe spaces don't belong on public forums.



  • @HansSolo said in Temporary allowed connections:

    You mean to tell me you, as a firewall expert, don't see the need for this? Seriously?

    Very rarely if ever.. I would not spend a second of anyone else's time to design this into a product. It's to easy just to turn off the rule when its no longer needed.


  • LAYER 8

    personally i never had the need of such a thing, as they already told you, unfortunally there isn't such a feature but you can ask for it to be implemented here https://redmine.pfsense.org/projects/pfsense/
    maybe with some luck ...



  • I remember you now. You're the guy who I had to argue with over simple networking concepts.

    "This is a simple thing"

    Well then, code it up and submit the patch. After all, it's simple.

    "that is much needed"

    By whom? You? I don't recall anyone else asking for this in the five years I've been here.

    "and extremely convenient."

    If you needed such a feature. Most companies I've dealt with don't need holes punched in their firewalls on a regular basis.


  • LAYER 8 Global Moderator

    Where exactly in the watchguard when you create your policy for your rule is there a place to do this... I do not see anything like your talking about..

    Your saying you can click on watchguard firewall log on something that was blocked and allow it for 15 minutes?

    How and the F is that going to work when the nat has not even been setup on a port forward, etc. etc..

    Still waiting for the screenshot or link to docs for watchguard that allows you do what your asking. Cuz such and option has really ZERO use case in the enterprise... Before something is allowed through a firewall there is change control that has to be done.. You can not just click on something to allow it for 15 minutes..

    Your wanting to allow user outbound somewhere on port 443.. That would be done on the PROXY in the enterprise, not firewall.. Then sure users that are blocked by policy normally can just override with a password for X number of minutes, etc.

    Such stuff is not done on a L3 firewall!



  • @KOM said in Temporary allowed connections:

    I remember you now. You're the guy who I had to argue with over simple networking concepts.

    "This is a simple thing"

    Well then, code it up and submit the patch. After all, it's simple.

    "that is much needed"

    By whom? You? I don't recall anyone else asking for this in the five years I've been here.

    "and extremely convenient."

    If you needed such a feature. Most companies I've dealt with don't need holes punched in their firewalls on a regular basis.

    This is not magic or rocket science dude. ANYONE using the Internet and has a firewall sometimes might need to connect to a possibly sketchy site. Like buying something from an unknown vendor or connecting to a new website that you're not sure is authentic or bogus etc. Why would you allow a PERMANENT connection you're not sure of ??

    Seriously???


  • LAYER 8 Global Moderator

    Again this not done on a firewall in the enterprise - that is done at the proxy!!

    Are you running proxy on pfsense?



  • @johnpoz said in Temporary allowed connections:

    Again this not done on a firewall in the enterprise - that is done at the proxy!!

    Are you running proxy on pfsense?

    No. And I'm blown away that you guys don't know about doing this.
    Seriously dude.

    I'm wondering now if maybe you and kom have completely misunderstood me.

    Did you see the picture I posted in the OP ?


  • LAYER 8 Global Moderator

    Yeah see the picture... Sorry but that would never in a million years happen on an enterprise firewall!

    There is no scenario where that would happen... Only the smallest of the smallest mom and pop shops would allow their firewall admin to just click shit to allow open without change control.. Or a ticket atleast, etc. etc.

    But sure in the proxy where site gets blocked because its listed in wrong category, etc. you would correct the category... Or user might be able to allow shopping sites during their lunch break, etc..

    I think you have a lack of understanding of how network and security controls work in the enterprise to be honest.. In the 10 some years I have been here - I do not recall anyone ever asking for such a thing either.



  • I don't think you're getting it. We understand the feature you're asking about. We're telling you that this is generally not required for an enterprise firewall but you refuse to accept it. And were not even sure what traffic you're talking about. You mention buying something online, so I assume you mean http/s? You want a rule to allow tcp80,443 access on a temporary basis?



  • @chpalmer said in Temporary allowed connections:

    @HansSolo said in Temporary allowed connections:

    You mean to tell me you, as a firewall expert, don't see the need for this? Seriously?

    Very rarely if ever.. I would not spend a second of anyone else's time to design this into a product. It's to easy just to turn off the rule when its no longer needed.

    Huh?
    It's easier to go in and do three or four steps instead of ONE ? And then, remember to go back later and do three or four more?? Since when?



  • Just called my Watchguard rep and he thinks that your incorrect. He is going to check though.

    One big issue I see is that just because you end a rule in a stateful firewall does not mean your connection to that destination is going to cease. You need to look at your states in any questionable situation and kill the state if it remains open. So something "automagically" happening is bad practice.



  • Your Watchguard rep is incorrect.
    Place your bets now.

    I'm being slowed down in responses to your questions due to 120 second rule. Can that get lifted please so I can answer?


  • LAYER 8 Global Moderator

    Yeah let me click the temp allow user x to flood the board for 15 minutes button... Wait that is not there - what the F!!! Every other forum software on the planet has that ;)

    I am betting on the rep ;)



  • @johnpoz said in Temporary allowed connections:

    Yeah let me click the temp allow user x to flood the board for 15 minutes button... Wait that is not there - what the F!!! Every other forum software on the planet has that ;)

    DON'T GET PASSIVE-AGGRESSIVE WITH ME DUDE !! lol

    I thought it could be on a per user basis.



  • Seriously,
    Not everyone who uses pfsense is in an Enterprise environment. I doubt most are.
    I know that your revenue comes mostly from that tho so I can somewhat understand not including features that might not be needed outside an Enterprise enviro.


  • LAYER 8 Global Moderator

    Again in what world do you live in that such feature would make sense ;) Just like click on blocked rule.. But allow thing for 15 minutes thing has zero use in the enterprise... But watchguard has it?

    I think maybe there is something to allow access via their proxy rules, not their firewall rules. You understand the watchguards do proxy as well as just L3 firewall rules.



  • @HansSolo said in Temporary allowed connections:

    Your Watchguard rep is incorrect.

    He has sold more firewalls than he can remember and this question has never come up. If it is there then nobody is talking to him about it. I asked him as if I was looking and he says "why?" LOL



  • @johnpoz said in Temporary allowed connections:

    But watchguard has it?

    I don't personally consider Watchguard enterprise grade myself.


  • LAYER 8

    sadly 120 sec it's the minimum to digest bullshit sorry but this time i can't stop laughing ๐Ÿ˜‚ ๐Ÿ˜‚



  • Alright, this is getting stupid now. The feature doesn't exist in pfSense and he has the only workaround. The end.


  • LAYER 8 Global Moderator

    @chpalmer very true... I have never seen it used in any enterprise we have ever supported..

    In a mom and pop shop, you click the eazy rule... And then 15 min later or 1 hour later you delete the rule... How freaking hard is that?? I mean really?



  • @kiokoman said in Temporary allowed connections:

    sadly 120 sec it's the minimum to digest bullshit sorry but this time i can't stop laughing ๐Ÿ˜‚ ๐Ÿ˜‚

    Are you saying it's normally incoming or outgoing ?
    You only needed 10 seconds to share yours
    ๐Ÿ˜‚ ๐Ÿ˜‚ ๐Ÿ˜‚ ๐Ÿ˜‚



  • @johnpoz said in Temporary allowed connections:

    @chpalmer very true... I have never seen it used in any enterprise we have ever supported..

    In a mom and pop shop, you click the eazy rule... And then 15 min later or 1 hour later you delete the rule... How freaking hard is that?? I mean really?

    Suture yourself.
    Some other software firewall (opensense) WILL include it and then they'll have just one more reason not to use pfsense.
    Juuuuuuust sayin.

    Not everyone who uses pfsense in necessarily is an environment that pure enterprise. I got no dog in this fight. Just pointing something out. You guys are Sooooooo sensitive to suggestions. lol


  • LAYER 8 Global Moderator

    Yeah they will be leaving in droves flocking to that feature that zero people need ;)

    Still waiting for the screenshot where you do this in watchguard, which you said it does... I placed my bet on the rep that says it doesn't..

    You are more than welcome to code that up since its so easy, and submit the PR...



  • @johnpoz said in Temporary allowed connections:

    Yeah they will be leaving in droves flocking to that feature that zero people need ;)

    Still waiting for the screenshot where you do this in watchguard, which you said it does... I placed my bet on the rep that says it doesn't..

    when KOM's rep gets back and says it does...be man enough to admit it ok? ๐Ÿ˜Ž



  • @HansSolo said in Temporary allowed connections:

    If not, that's very disappointing.

    I believe it started when you scolded the product like a young child..


  • LAYER 8 Global Moderator

    If they do allow it - it sure not in their create policy documentation that is for sure ;) Why should we have to wait for his rep? You are sure they do it - so you don't have access to a watchguard that you can take a screenshot showing it?



  • @chpalmer said in Temporary allowed connections:

    @HansSolo said in Temporary allowed connections:

    If not, that's very disappointing.

    I believe it started when you scolded the product like a young child..

    Seriously?
    "Scolded the product" ? LMAO.
    That's what consumers do mate !!
    Imagine if every company folded because they got "scolded" HAHAHAHAHA !!!!

    You guys need a tougher hide. ๐Ÿ˜ˆ



  • @HansSolo said in Temporary allowed connections:

    Suture yourself

    /r/boneappletea

    I must admit that I am impressed with how quickly you can manage to piss off senior members here. Frankly, nobody really cares if Watchguard has that feature or not since it's moot. pfSense doesn't have it, so if that feature is critical to you then I guess you will be using a Watchguard and have no more need of pfSense.



  • @johnpoz said in Temporary allowed connections:

    If they do allow it - it sure not in their create policy documentation that is for sure ;) Why should we have to wait for his rep? You are sure they do it - so you don't have access to a watchguard that you can take a screenshot showing it?

    I do and I can....I'm lazy....waiting for KOM's rep to say I was right ๐Ÿ˜œ




  • LAYER 8 Global Moderator

    I don't think any one is opposed to adding such a feature - if there was actual call for it.. Never seen such a request before that I recall... So its not like the users of pfsense are beating the drums demanding this pretty much useless feature..

    If you want it - then code it... Or your more than welcome to switch over to something that does it.. Like this watchguard.. Yeah last time I checked their pricing was right in line with pfsense being FREE ;)

    edit: Well clearly your not from what he posted, you do it via schedules - just like you do on pfsense, just like you can do on juniper SRX, etc. etc.


Log in to reply