Scheduled rule transitions
-
Hi All,
I use a schedule rule that says that a particular IP does NOT have access after 8pm until 11am.
By chance, I discovered that that IP is still communicating after 8pm by looking into the states log, and that pfSense is not killing active states, which I thought it did when the schedule rule has reached 8pm. It does not start more connections (states), but all active connections run fine without being reset or flushed. There was an ESTABLISHED:ESTABLISHED state that was never stopped while I was looking through the log.
Does that mean that pfSense isn't killing all active connections when the schedule rule starts? If so, what to do about it?
-
@cathal1201 post a screenshot of your rules.
See the note at the bottom.
https://docs.netgate.com/pfsense/en/latest/firewall/time-based-rules.html?highlight=schedule
-
@cathal1201 said in Scheduled rule transitions:
and that pfSense is not killing active states, which I thought it did when the schedule rule has reached 8pm.
It does, when the schedule of a pass rule expires. But you might have set up a block scheduled rule.
A block rule has no referencing states to be killed at all when expiring.
-
@cathal1201 Like others are saying, you have to change this up a little bit.
Put a BLOCK or REJECT rule on a schedule for this particular IP address. That will work better.
So, your schedule should read from 8PM to midnight, then midnight to 11AM. You have to do it like this, since there is no scheduled time frame that runs through midnight. Set that up first, then make a new BLOCK rule for the IP address and assign this schedule.
I'm assuming this is on your LAN interface, so move this new rule above the ALLOW LAN to ANY rule, and it should work.
-
Thanks for your reply, but I believe I have a block rule assigned to a schedule. I posted my rules and schedules, and that is exactly what you wrote.
-
@cathal1201
Again, you have to turn your rule into a pass rule. Change the schedule so that it fits a pass rule. Connections allowed by a scheduled pass rule are deleted when it expires.
-
@nogbadthebad said in Scheduled rule transitions:
See the note at the bottom.
So have I turned it around? So that note says that I should have a rule that allows the IP UNTIL a specific time, and then have a block rule to stop traffic in "non-allowed times"?
Is that right?
-
Got it. It makes no sense that it is like that, but thanks for pointing it out.
-
@cathal1201 Sorry, it looks like I'm a little behind on the timing of your responses and me typing mine.
Ok, so if that's not working, you can also make the opposite - a pass rule with the time frame you want the IP address to have access. But, in this case, you have to also set up a BLOCK or DENY rule immediately under it, no schedule, for the same IP address.
I'm gonna be honest, it's a little bit difficult to set up a schedule-based rule in pfSense, since it's a stateful firewall, and states aren't necessarily dropped like you/we are hoping. You have to try either one of these methods until you get one to work. In my opinion, it should be a lot easier than this, but it is what it is...
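To make the two points of this thread concrete (a scheduled block rule owns no states, so existing connections survive when it kicks in, while the expiry of a scheduled pass rule flushes the states that rule created; and a schedule crossing midnight has to be entered as two ranges), here is an added Python model. It is not pfSense code and not from any poster in the thread: the state table, the first-match evaluation and the 192.168.1.50 / 203.0.113.x addresses are constructed assumptions that mimic the behaviour described above, not pf's real implementation.

```python
from dataclasses import dataclass, field
from datetime import time
from typing import List, Optional, Tuple

Window = Tuple[time, time]  # inclusive start and end, within one calendar day


def hhmm(text: str) -> time:
    """Parse 'HH:MM' as typed into the pfSense schedule form."""
    h, m = (int(part) for part in text.split(":"))
    return time(h, m)


def split_window(start: time, end: time) -> List[Window]:
    """Turn a time range into pfSense schedule ranges. A schedule range cannot
    cross midnight, so '20:00 until 11:00' becomes 20:00-23:59 plus 00:00-11:00."""
    if start <= end:
        return [(start, end)]
    return [(start, time(23, 59)), (time(0, 0), end)]


@dataclass
class Rule:
    action: str                              # "pass" or "block"
    src: Optional[str]                       # None = any source address
    windows: Optional[List[Window]] = None   # None = no schedule, always active

    def active(self, now: time) -> bool:
        return self.windows is None or any(lo <= now <= hi for lo, hi in self.windows)

    def matches(self, src: str, now: time) -> bool:
        return self.active(now) and (self.src is None or self.src == src)


@dataclass
class State:
    src: str
    dst: str
    rule: Rule  # the pass rule that created this state


@dataclass
class Firewall:
    rules: List[Rule]
    states: List[State] = field(default_factory=list)
    clock: Optional[time] = None

    def advance(self, now: time) -> int:
        """Move the clock and return how many states were flushed. When a
        scheduled pass rule goes from active to inactive, the states it created
        are removed. A scheduled block rule never owns states, so nothing happens."""
        flushed = 0
        if self.clock is not None:
            for rule in self.rules:
                expired = (rule.action == "pass" and rule.windows is not None
                           and rule.active(self.clock) and not rule.active(now))
                if expired:
                    keep = [s for s in self.states if s.rule is not rule]
                    flushed += len(self.states) - len(keep)
                    self.states = keep
        self.clock = now
        return flushed

    def packet(self, src: str, dst: str) -> bool:
        """Stateful first-match evaluation: an existing state passes the packet
        without consulting the rules; otherwise the first matching active rule decides."""
        if any(s.src == src and s.dst == dst for s in self.states):
            return True
        for rule in self.rules:
            if rule.matches(src, self.clock):
                if rule.action == "pass":
                    self.states.append(State(src, dst, rule))
                    return True
                return False
        return False  # default deny


HOST = "192.168.1.50"      # constructed: the LAN host to be restricted after 8pm
OLD_DST = "203.0.113.10"   # constructed: connection opened before the cutoff
NEW_DST = "203.0.113.20"   # constructed: connection attempted after the cutoff


def run(rules: List[Rule]) -> dict:
    """Open a connection at 19:00, move past the 20:00 cutoff, then test the
    old connection and a new one."""
    fw = Firewall(rules)
    fw.advance(hhmm("19:00"))
    opened = fw.packet(HOST, OLD_DST)
    flushed = fw.advance(hhmm("20:30"))
    return {
        "opened_before_cutoff": opened,
        "states_flushed_at_cutoff": flushed,
        "old_connection_still_passes": fw.packet(HOST, OLD_DST),
        "new_connection_passes": fw.packet(HOST, NEW_DST),
    }


def scheduled_block_layout() -> dict:
    """The original layout: scheduled block for the host above 'allow LAN to any'."""
    return run([Rule("block", HOST, split_window(hhmm("20:00"), hhmm("11:00"))),
                Rule("pass", None)])


def scheduled_pass_layout() -> dict:
    """The recommended layout: scheduled pass for the host, an unscheduled
    block for the same host directly under it, then the general allow rule."""
    return run([Rule("pass", HOST, split_window(hhmm("11:00"), hhmm("20:00"))),
                Rule("block", HOST),
                Rule("pass", None)])


if __name__ == "__main__":
    print("scheduled block:", scheduled_block_layout())
    print("scheduled pass :", scheduled_pass_layout())
```

Running it shows the difference the thread is about: with the scheduled block layout the connection opened at 19:00 is still passing at 20:30 (zero states flushed, only new connections are refused), whereas with the scheduled pass layout the expiry at 20:00 flushes that state and the unscheduled block rule beneath catches both the old and the new connection.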