Netgate Discussion Forum
    Fixing old schedule 'bug'

      mururoa

      As you may know, there is a problem with the schedules and states.
      When you have a rule that allows anything from 8 to 10 and you have not set 'Do not kill connections when schedule expires' in System/Advanced/Miscellaneous, then at 10 the current connections are NOT cut. Only new connections can't be established. So you have to go to Diagnostics/States/Reset States to manually reset the state table so the connections that should be dropped at 10 are effectively dropped.
      This is a long-lasting bug since many versions of pfSense, or maybe since the beginning. You can find many threads about that.
      As a workaround, what can I put in a cron to act like a manual reset of states?

        Gertjan

        This issue still exists??

        The GUI does seem to do what is needed:
        When at least one scheduled rule is present, a cron task is inserted:


        This executes the huge function filter_configure_sync(...) - see line 228 in /etc/inc/filter.inc.
        This function does look for firewall rules that are marked as scheduled, and have an internal schedule ID like:

        <schedlabel>5f1ec9b057e66</schedlabel>
        

        For each label, this is called:

        /sbin/pfctl -y {$sched['schedlabel']}
        

        which, I guess, should take care of enabling or disabling the rule, and if disabling, take care of existing firewall states. Btw: I would guess that removing a firewall rule should also remove all the related states.

        Or, when I ask Google: "what is the man page of the FreeBSD pfctl" to see what this -y option is all about, I wind up with nothing: no "-y" parameter is known.
        Is -y a 'pfSense' added thing ?

        Anyway, issues like https://redmine.pfsense.org/issues/9615 are probably still 'open'.

        Diagnostics/States/Reset States to manually reset state table ...
        That will kill all states.... Not the perfect solution. But probably all you have.

        Sorry, no answers from me, just me looking surprised, as I'm not using scheduled rules, but I recall this was an issue once.
        It probably still is (?)

        Btw: I do recall that there was some workaround like:

        Rule N : the scheduled Pass rule.
        Rule N+1 : an identical non scheduled rule that blocks.

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??
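Gertjan's objection above is that Reset States flushes everything. A narrower cron job for mururoa's case is to kill only the states whose source host lies in the subnet the expired scheduled rule covered. The script below is an added example, not from the thread or from pfSense: it parses `pfctl -ss` output (IPv4 lines only, NAT-aware) and prints one `pfctl -k <src> -k <dst>` command per host pair; the sample state lines and the subnet are constructed for illustration.

```python
"""Kill only the pf states a scheduled rule covered (added example, not from
the thread). Parses `pfctl -ss` output, keeps states whose source host lies
in the rule's subnet, and builds one `pfctl -k <src> -k <dst>` command per
host pair instead of flushing the whole table. Subnet and sample lines are
constructed for illustration; IPv4 only."""
import ipaddress
import re
import subprocess
import sys

# One state per `pfctl -ss` line; the parenthesised endpoint is the pre-NAT
# (internal) address when outbound NAT was applied to the state.
STATE_RE = re.compile(
    r"^\S+\s+\S+\s+(?P<a>[\d.]+):\d+(?:\s+\((?P<nat>[\d.]+):\d+\))?\s+"
    r"(?P<dir>->|<-)\s+(?P<b>[\d.]+):\d+\s+\S+$"
)

SAMPLE_STATES = """\
all tcp 203.0.113.5:54321 (192.168.1.10:51234) -> 93.184.216.34:443       ESTABLISHED:ESTABLISHED
all udp 203.0.113.5:60000 (192.168.1.11:60000) -> 198.51.100.9:53       MULTIPLE:SINGLE
all tcp 192.168.1.1:22 <- 192.168.1.10:40000       ESTABLISHED:ESTABLISHED
all tcp 10.20.0.7:8443 <- 203.0.113.77:55001       ESTABLISHED:ESTABLISHED
"""

def parse_states(text):
    """Yield (src, dst) host pairs oriented by the state's creation direction."""
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if not m:
            continue  # IPv6 or unexpected lines are skipped
        left = m["nat"] or m["a"]
        # "a -> b": created by a packet from a to b; "a <- b": from b to a.
        yield (left, m["b"]) if m["dir"] == "->" else (m["b"], left)

def kill_commands(text, subnet):
    """Deduplicated `pfctl -k src -k dst` argv lists for states sourced inside
    `subnet`. -k matches by host pair, so every state between them is killed."""
    net = ipaddress.ip_network(subnet)
    cmds, seen = [], set()
    for src, dst in parse_states(text):
        if ipaddress.ip_address(src) in net and (src, dst) not in seen:
            seen.add((src, dst))
            cmds.append(["pfctl", "-k", src, "-k", dst])
    return cmds

if __name__ == "__main__":
    # Dry run from cron: prints the commands; pipe to sh to execute them.
    out = subprocess.run(["pfctl", "-ss"], capture_output=True, text=True).stdout
    for cmd in kill_commands(out, sys.argv[1]):
        print(" ".join(cmd))
```

Because `-k host -k host` kills every state between the two hosts, states created by other rules between the same pair are also dropped; that is still far narrower than a full table reset.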

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.