Netgate Discussion Forum

Scheduled rules and existing connections

Firewalling
5 Posts 2 Posters 2.0k Views
andyh (Dec 18, 2009, 4:47 PM)

    I have a query regarding scheduled rules and existing connections. I have a rule configured to allow connections to a number of services during a specified time period, for example over a lunch period.

    The schedule works correctly, but I have noticed that any connections established during this allowed period remain active (unless closed by the client application). This has the effect that any large client updates running during the allowed period will overrun and continue updating into the period where new connections would be disallowed.

    Has anyone else experienced this, and is there a way to prevent this happening, short of manually resetting the states table?

    GruensFroeschli (Dec 18, 2009, 4:52 PM)

      Afaik there is a cronjob which runs every 15 minutes to kill still existing states which are no longer valid.
      You could probably decrease the time of this cronjob to kill invalidated states faster.

      We do what we must, because we can.

      Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

    andyh (Dec 18, 2009, 5:15 PM)

        Although the connections in question have now ended, I would imagine their state would be ESTABLISHED and as such would probably not be cleared by the cronjob.

    GruensFroeschli (Dec 18, 2009, 5:36 PM)

          Even if they are established, they should be killed.
          This is the original thread where the functionality of schedules was added:
          http://forum.pfsense.org/index.php/topic,3969.0.html

          Here is a short description of how and when states are killed:
          http://forum.pfsense.org/index.php/topic,3969.msg25867.html#msg25867

          We do what we must, because we can.

          Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

    andyh (Dec 21, 2009, 11:11 AM)

            Just trying to see if my rules are being refreshed by cron, but they don't seem to be refreshed.

            I've just upgraded to v1.2.3 release and the rules still don't seem to be refreshed. My crontab reads:

            0      *      *      *      *      root    /usr/bin/nice -n20 newsyslog
            1,31    0-5    *      *      *      root    /usr/bin/nice -n20 adjkerntz -a
            1      3      1      *      *      root    /usr/bin/nice -n20 /etc/rc.update_bogons.sh
            */60    *      *      *      *      root    /usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 sshlockout
            1      1      *      *      *      root    /usr/bin/nice -n20 /etc/rc.dyndns.update
            */60    *      *      *      *      root    /usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 virusprot
            */60    *      *      *      *      root    /usr/bin/nice -n20 /usr/local/sbin/expiretable -t 3600 snort2c
            */5    *      *      *      *      root    /usr/local/bin/checkreload.sh
            */5    *      *      *      *      root    /etc/ping_hosts.sh
            */140  *      *      *      *      root    /usr/local/sbin/reset_slbd.sh
            0,15,30,45      *      *      *      *      root    /etc/rc.filter_configure_sync
            0      0      *      *      *      root    /usr/local/sbin/squid -k rotate
            */60    *      *      *      *      root    /usr/bin/perl /usr/local/www/lightsquid/lightparser.pl today

            Any thoughts?
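The mechanism GruensFroeschli describes (a cron job that, once the schedule has closed, kills the states the scheduled rule let through, ESTABLISHED ones included) in runnable form, as an added example that is not code from either poster and not pfSense's own implementation. The window (12:00 to 13:00), the service port (443), the script name `reap_scheduled.sh` and the `pfctl -ss` sample lines are constructed assumptions; `pfctl -ss` and `pfctl -k host -k host` are standard pf commands.

```shell
#!/bin/sh
# Added example (not from the thread and not pfSense's own code): a cron-driven
# reaper for a scheduled "lunch break" allow rule. Outside the window it lists
# the pf states that hit the scheduled service port and kills them host pair by
# host pair with `pfctl -k`, so a transfer started inside the window does not
# outlive it. Window, port and the sample `pfctl -ss` lines are constructed.

WINDOW_START=1200       # HHMM: when the scheduled rule starts allowing traffic
WINDOW_END=1300         # HHMM: when it stops (exclusive)
SERVICE_PORT=443        # destination port the scheduled rule permits
DRY_RUN=${DRY_RUN:-1}   # 1 = report the pfctl commands on stderr instead of running them

# Constructed sample of `pfctl -ss` output (IPv4 form only; the exact column
# layout is an assumption). Two states share the same host pair on purpose.
SAMPLE_STATES='all tcp 192.168.1.10:51234 -> 203.0.113.5:443       ESTABLISHED:ESTABLISHED
all tcp 192.168.1.10:51240 -> 203.0.113.5:443       ESTABLISHED:ESTABLISHED
all tcp 192.168.1.11:51235 -> 203.0.113.5:443       ESTABLISHED:ESTABLISHED
all tcp 192.168.1.12:51236 -> 203.0.113.9:80        ESTABLISHED:ESTABLISHED
all udp 192.168.1.10:5353 -> 224.0.0.251:5353       MULTIPLE:MULTIPLE'

# in_window NOW START END: succeeds when NOW (HHMM) lies in [START, END),
# including windows that wrap past midnight such as 2200 to 0200.
in_window() {
    now=$1; start=$2; end=$3
    if [ "$start" -le "$end" ]; then
        if [ "$now" -ge "$start" ] && [ "$now" -lt "$end" ]; then return 0; fi
    else
        if [ "$now" -ge "$start" ] || [ "$now" -lt "$end" ]; then return 0; fi
    fi
    return 1
}

# scheduled_pairs STATES PORT: print "SRC DST" once per host pair that has a
# state towards PORT (sort -u collapses several connections between the same
# two hosts into a single kill).
scheduled_pairs() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $4 == "->" {
            split($3, s, ":"); split($5, d, ":")
            if (d[2] == port) print s[1], d[1]
        }' | sort -u
}

# reap STATES PORT NOW: inside the window do nothing and print 0; outside it
# issue one `pfctl -k SRC -k DST` per pair and print how many were issued.
reap() {
    states=$1; port=$2; now=$3
    count=0
    if in_window "$now" "$WINDOW_START" "$WINDOW_END"; then
        echo 0
        return 0
    fi
    while read -r src dst; do
        [ -n "$src" ] || continue
        if [ "$DRY_RUN" = 1 ]; then
            echo "would run: pfctl -k $src -k $dst" >&2
        else
            pfctl -k "$src" -k "$dst"
        fi
        count=$((count + 1))
    done <<EOF
$(scheduled_pairs "$states" "$port")
EOF
    echo "$count"
}

# `reap_scheduled.sh run` is what a cron line would call (every 5 minutes, say);
# `reap_scheduled.sh demo` exercises the sample states at 13:30. With no
# argument the file only defines the functions.
case "${1:-}" in
    run)  reap "$(pfctl -ss)" "$SERVICE_PORT" "$(date +%H%M)" ;;
    demo) reap "$SAMPLE_STATES" "$SERVICE_PORT" 1330 ;;
esac
```

Two caveats a practitioner would check before relying on this: `pfctl -k SRC -k DST` removes every state between that host pair, not only the ones on the scheduled port, so an unrelated long-lived session between the same two hosts goes with them; killing by rule label (`pfctl -k label`) is the narrower tool on pf builds that support it. The awk parser also only understands the IPv4 `addr:port` form shown in the sample.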

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.