Rules based on schedules don't seem to take effect
I've got a rule on the LAN interface that blocks outbound access to the WAN based on a schedule. It has worked for a long time based on past 2.0 beta releases. I just upgraded to the 06-18-2010 release, and the states don't seem to reset anywhere near the schedule.
Any other reports of schedules failing to enforce in recent releases? I've seen the setting in Advanced settings that should turn the state resetting OFF, but the wording seems to imply that the default is to reset states at the schedule onset.
Hmmm, just changed the rule that uses the schedule from an IP alias to a single IP address and it cut my daughter off the Internet (grin).
Possible bug in using aliases for rules? Using June 18 download….
One more update: At about 10:20 AM Pacific, my ~other~ daughter told me that the internet was down. I hopped on her laptop and verified, yes, she couldn't reach the internet, but could ping the internal network. I brought down her wireless and back up, still no routing to the WAN.
The schedule I have to block the kids is from midnight to 5am. I logged into my router. My router's time shows up correctly. The schedule is set up correctly, and not in effect.
I turned off the LAN rule that blocks her IP address only during the schedule, and everything works again.
Something crazy is going on with the rules with respect to schedules. I am not sure that they are kicking in when they should be, and turning off later.
2.0-BETA3 built on Fri Jun 18 15:24:13 EDT 2010
(If it matters, nanobsd running on Alix)
I have been doing more testing, and I don't see anything that is reconfiguring the filter for the schedules, so they are not kicking in.
What is run periodically to check if a schedule is to be activated?
Found that all of the entries in /etc/cron were missing. I hope that the ones that were in my older setup are valid for the BETA3 release (imported from BETA1).
Things seem to be running now. Probably was affecting all 3 of the topics I created this weekend.
After a disastrous weekend of confusing issues, some of which were self-inflicted, some of which were due to an upgrade that didn't seem to properly "take", I've decided to start clean.
I chose Beta1, 06-10-2010, clean fresh nanobsd install to a formatted CF card.
Here's the confusing thing: I have a LAN rule that I created that shuts down outbound from my daughter's IP address to the WAN, and a corresponding WAN rule that does the same. It's set up for "any" protocol.
My daughter is on Skype, and she talks right through it. She doesn't get blocked out.
There's a new setting that I noticed on "System: Advanced: Miscellaneous", called "Schedule States". Or at least this is the first I noticed it!
It is unchecked, and the description says "By default schedules clear the states of existing connections when expiry time has come. This option allows to override this setting by not clearing states for existing connections."
But it's plain that only new connections are affected by this rule; Skype continues to blast right through it. If I manually reset the states associated with her IP address, then she's off.
Am I expecting too much from this? She used to not use Skype, maybe her old apps (mostly iChat) were just expiring more quickly on their own?
Here is the rule set from /tmp/rules.debug (with the IP address of my gateway obfuscated as 22.214.171.124):
block return in quick on $WAN reply-to ( vr1 126.96.36.199 ) from any to $kids schedule "4c2030d0d3628" label "USER_RULE: inbound block"
block return in quick on $LAN from $kids to any schedule "4c2030d0d3628" label "USER_RULE"
Let's close this thread.
UPnP bypasses the filter. Doh!