UDP state persists after scheduled allow rule expires
-
I have been doing this for a few days and testing. I might be misunderstanding, but this is what I am trying to do.
I have been trying to have a scheduled allow rule that, when it expires, drops all connections/states for my kid's PC, but I have found out that he can keep playing CS:GO after midnight. He will stop when he notices it's past midnight, but I just want it to be a clean cut-off.
The drop-states action works as intended: the IP can't start any new connections, but another UDP state is made for CS:GO from the firewall to the client, allowed by the default allow rule below, after the client > firewall state got dropped by the end of the allow rule.
The rules are disabled right now for testing.
i.e. (rule 89)
#let out anything from the firewall host itself and decrypted IPsec traffic
pass out inet all keep state allow-opts ridentifier 1000005715 label "let out anything IPv4 from firewall host itself"
So the connection is re-established from the firewall to the PC and keeps going, and is not blocked because it's coming from the firewall itself. Rule 103 is the allow rule.
After the allow rule expires, the direction of the connection switches on the LAN side.
Is a floating rule blocking traffic from the firewall to the LAN client IP my best bet, or moving all rules to be floating rules so they are bidirectional in effect?
Just trying to make a clean cut-off time and have all states stop. Thank you, any input would be helpful.
-
@WanTime said in UDP state persists after scheduled allow rule expires:
I have been trying to have a scheduled allow rule that, when it expires, drops all connections/states for my kid's PC,
There is an option in the system advanced firewall settings which instructs pfSense to kill the states when a schedule expires.
-
@viragomann I checked; the option is set to let them expire.
The states are expiring/dropped and the IP/PC can't start new ones, but one UDP state re-establishes from the firewall side to replace the one that dropped from the host side.
-
A floating outbound rule on the LAN should work for this. You would also need a floating outbound block rule on LAN to prevent the default rule opening a new state though.
-
@stephenw10 Just to clarify: would you recommend just adding the floating rule on top of my existing non-floating rules on LAN, just to combat the UDP issue, or consolidating on floating rules only, even for the scheduled allow plus the always-block rule for the host/IP in question, to have a clean cutoff?
Just seeking the most optimal way to do it, with the least amount of rules.
-
Any outbound rules can only be floating. Adding the inbound scheduled rules as floating rules means you can put them all in the same place, which makes managing them easier.
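Putting the floating outbound block suggested above into plain pf terms, as an added example that is not from the thread and not pfSense's generated ruleset (the interface name and the client address are placeholders):

```pf
# Added example: minimal pf.conf fragment modelling the thread's situation.
# "igb1" and 192.168.1.50 are placeholders, not values from the thread.
lan_if = "igb1"
kid_pc = "192.168.1.50"

# Equivalent of rule 89, the firewall's own "let out anything" rule.
# It is not "quick", so pf keeps evaluating and the last matching rule wins;
# on its own it lets the firewall open a new LAN-side state toward the client.
pass out inet all keep state allow-opts label "let out anything IPv4 from firewall host itself"

# Floating outbound block on LAN toward the client. "quick" ends evaluation
# at this rule, so once the client's own state has been killed by the schedule
# expiry, no replacement firewall-to-client state can be created. Packets that
# belong to an existing state are matched before the ruleset is consulted, so
# replies to connections the client opened during allowed hours still pass.
block out quick on $lan_if inet from any to $kid_pc label "kid pc: no firewall-initiated states"

# The scheduled allow for the client as an ordinary inbound LAN rule. pfSense
# adds and removes it when the schedule flips (the schedule itself cannot be
# written in plain pf.conf); this is the rule whose state the expiry kills.
pass in quick on $lan_if inet from $kid_pc to any keep state label "kid pc: allowed hours"
```

After the schedule flips, `pfctl -ss` can be used to confirm that any remaining state for the client is one the client opened itself rather than one started from the firewall side.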