Firewall Rule Schedule



  • Hey guys, did a search and didn't find this topic addressed anywhere. Are there any plans to add a feature where rules can have schedules applied to them? I.e. a rule that only passes traffic on Monday - Thursday and denies it at all other times, etc etc.

    Regards



  • No, nobody is planning this that I know of (developers).



  • I think this feature would be useful, however pf doesn't allow you to set rules for specific times, so it looks hard to implement.

    It looks like to make this work you would have to have those rules on a separate anchor. pfSense would need a script written and a cron job to parse the rules, see if changes are necessary and then clear out / reload the rules in the anchor. You could probably get the time schedule down to 15 min blocks. Shouldn't be too cpu intensive since most of the time the rules would stay the same. It would just check and then rebuild them if necessary.

    I have other things I am working on (miniupnpd and imspector) but if I get some free time I might look at this. I only use pfSense at home, so it would be nice, but not something I'd really use.



  • I use pfSense in a lot of locations and so do my clients.  Not one needs this feature so I don't think the demand is as far-fetched as some would want you to think.

    Keep rolling on what you're rolling on… It's touching a lot more people than time based rules would.



  • I on the other hand do have clients that use this feature in other commercial firewalls, and use it a lot. I would eventually like to see my clients switching to pfsense, but until other things along with this feature are implemented it won't happen. I may consider offering a bounty soon for this feature.



  • @yoda715:

    I on the other hand do have clients that use this feature in other commercial firewalls, and use it a lot. I would eventually like to see my clients switching to pfsense, but until other things along with this feature are implemented it won't happen. I may consider offering a bounty soon for this feature.

    Yes, a bounty is about the only way I see this making it into the system.  It really is no frills and doesn't really give anyone the satisfaction of working on something 'cool' unfortunately.



  • @yoda715:

    I on the other hand do have clients that use this feature in other commercial firewalls, and use it a lot. I would eventually like to see my clients switching to pfsense, but until other things along with this feature are implemented it won't happen. I may consider offering a bounty soon for this feature.

    What commercial firewalls have time based rules?

    sai



  • Sonicwalls, Watchguards, and Checkpoint. Also the new PIX version 7.2 I believe supports time based rules.



  • I too am interested in this type of a feature. My bro-in-law and I are just trying to get this to work, as I want to limit my children's access to the internet to "normal" hours.  Here is our idea/progress.

    We want to be able to set a begin and end time for each rule.  We plan on using the enable button to effect the change.  Upon the creation/modification for a rule we will create a new crontab file, if the begin/end times are blank, then nothing is written to the cron tab file for that rule.  If they are filled in then entries in the crontab will be created for each begin/end time.  This way we don't have to poll, just refresh the webpage at the given times in the rules table.

    Status:

    Add two columns to the firewall rules sheet to specify the begin/end times per rule (done)
    Modify the web page so that the enable sets itself properly according to the times set for the rule (done)
    Write a crontab file containing all the start/stop times. (done)

    What we have left to do is to get cron to read the crontab and refresh the webpage.  For testing we did this from an XP machine, to refresh the webpage and see that the rule enable is set properly.  This method requires you to log in every time.  Any suggestions on how to get this to work from a cron run and to get past the login authentication without leaving a huge security hole?  When this last piece is done, it will be working.

    Suggestions welcome for this last piece or comments if we have done something completely wrong.

    thanks,



  • Sounds like you've made a lot of progress. I'm not sure if you have this implemented already, but one important feature about this schedule stuff is the days factor. There needs to be a way to specify what days as well as what time on the schedule.
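Building on the crontab approach in the post above and the days requirement raised here, an added example (not code from the thread or from pfSense) that emits crontab entries calling a local helper at each begin and end time, so cron never has to log into the web GUI. The helper path /usr/local/bin/rule_sched.sh, the HH:MM time format and the Mo..Su day codes are assumptions.

```python
from datetime import time

# Added example, not code from the thread or from pfSense. It turns per-rule
# begin/end times plus days into crontab lines that call a local helper at each
# switch time, so cron never has to log into the web GUI. The helper path is a
# hypothetical script that would flip the rule's enable flag and reload the filter.
HELPER = "/usr/local/bin/rule_sched.sh"
CRON_DOW = {"Su": 0, "Mo": 1, "Tu": 2, "We": 3, "Th": 4, "Fr": 5, "Sa": 6}

# Constructed sample rules: id, begin/end as HH:MM (empty = unscheduled), days as codes.
SAMPLE_RULES = [
    {"id": 3, "begin": "08:00", "end": "22:00", "days": ["Mo", "Tu", "We", "Th", "Fr"]},
    {"id": 4, "begin": "23:00", "end": "06:00", "days": ["Fr"]},   # ends after midnight
    {"id": 5, "begin": "", "end": "", "days": ["Sa"]},              # no schedule at all
]

def _hhmm(text):
    """'08:30' -> (8, 30); time() rejects out-of-range values so a bad rule is never written."""
    hh, mm = text.split(":")
    t = time(int(hh), int(mm))
    return t.hour, t.minute

def crontab_lines(rules):
    """One enable and one disable line per scheduled rule; unscheduled rules are skipped."""
    lines = []
    for r in rules:
        if not (r.get("begin") and r.get("end")):
            continue                                   # rule keeps its static enable flag
        bh, bm = _hhmm(r["begin"])
        eh, em = _hhmm(r["end"])
        shift = 1 if (eh, em) <= (bh, bm) else 0       # end time falls on the following day
        on_days = ",".join(str(CRON_DOW[d]) for d in r["days"])
        off_days = ",".join(str((CRON_DOW[d] + shift) % 7) for d in r["days"])
        lines.append(f"{bm} {bh} * * {on_days} {HELPER} {r['id']} enable")
        lines.append(f"{em} {eh} * * {off_days} {HELPER} {r['id']} disable")
    return lines

if __name__ == "__main__":
    print("\n".join(crontab_lines(SAMPLE_RULES)))
```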



  • @lovingHDTV:

    I too am interested in this type of a feature. My bro-in-law and I are just trying to get this to work, as I want to limit my children's access to the internet to "normal" hours.  Here is our idea/progress.

    Suggestions welcome for this last piece or comments if we have done something completely wrong.

    thanks,

    Maybe freeradius and the pfSense captive portal can help you.

    Login-Time defines the time span a user may login to the system. The format of a so-called time string is like the format used by UUCP. A time string may be a list of simple time strings separated by "|" or ",".

    Each simple time string must begin with a day definition. That can be just one day, multiple days, or a range of days separated by a hyphen. A day is Mo, Tu, We, Th, Fr, Sa or Su, or Wk for Mo-Fr. "Any" or "Al" means all days.

    After that a range of hours follows in hhmm-hhmm format. For example:

    "Wk2305-0855,Sa,Su2305-1655"

    radiusd calculates the number of seconds left in the time span, and sets the Session-Timeout to that number of seconds. So if someone's Login-Time is "Al0800-1800" and she logs in at 17:30, Session-Timeout is set to 1800 seconds so that she is kicked off at 18:00.

    liza Password == "lizaspassword"
    Auth-Type := Local, Login-Time := "Al1600-2200"

    lets liza with password lizaspassword through the pfSense captive portal every day between 16:00 and 22:00.
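The Login-Time format described above, as an added example that is not code from the thread or from FreeRADIUS: it parses a time string into a one-week minute bitmap and computes the Session-Timeout radiusd would hand back. It assumes that a day code with no hhmm-hhmm part means the whole day and that an end time earlier than the start (2305-0855) runs past midnight into the following day.

```python
import re
from datetime import datetime

# Added example (not from the thread or FreeRADIUS). Assumes a day code with no
# hhmm-hhmm part means the whole day, and an end before the start wraps past midnight.
DAYS = ["Mo", "Tu", "We", "Th", "Fr", "Sa", "Su"]       # index == datetime.weekday()
ALIASES = {"Any": range(7), "Al": range(7), "Wk": range(5)}
MIN_PER_DAY, WEEK = 24 * 60, 7 * 24 * 60
_SIMPLE = re.compile(r"^(?P<days>(?:Any|Al|Wk|[A-Z][a-z](?:-[A-Z][a-z])?)+)"
                     r"(?:(?P<s>\d{4})-(?P<e>\d{4}))?$")
_DAYTOK = re.compile(r"Any|Al|Wk|([A-Z][a-z])(?:-([A-Z][a-z]))?")

def _hhmm(text):                     # "0855" -> minutes since midnight
    return int(text[:2]) * 60 + int(text[2:])

def _days(text):
    """Expand 'Wk', 'Sa-Mo', 'Al' ... into weekday indexes; unknown codes raise ValueError."""
    out = set()
    for tok in _DAYTOK.finditer(text):
        if tok.group(0) in ALIASES:
            out.update(ALIASES[tok.group(0)])
        else:                        # single day, or a range that may wrap (Sa-Mo)
            first, last = DAYS.index(tok.group(1)), DAYS.index(tok.group(2) or tok.group(1))
            out.update((first + i) % 7 for i in range((last - first) % 7 + 1))
    return out

def parse_login_time(spec):
    """One-week minute bitmap: allowed[minute_of_week] is True when login is permitted."""
    allowed = [False] * WEEK
    for simple in re.split(r"[|,]", spec):
        m = _SIMPLE.match(simple)
        if not m:
            raise ValueError("bad time string: " + simple)
        start = _hhmm(m.group("s")) if m.group("s") else 0
        end = _hhmm(m.group("e")) if m.group("e") else MIN_PER_DAY
        if start >= end:             # 2305-0855: the span runs into the next day
            end += MIN_PER_DAY
        for day in _days(m.group("days")):
            for minute in range(day * MIN_PER_DAY + start, day * MIN_PER_DAY + end):
                allowed[minute % WEEK] = True
    return allowed

def session_timeout(spec, when):
    """Seconds left in the span at ISO time `when` (radiusd's Session-Timeout); 0 = refused."""
    now = datetime.fromisoformat(when)
    allowed = parse_login_time(spec)
    cur = now.weekday() * MIN_PER_DAY + now.hour * 60 + now.minute
    if not allowed[cur]:
        return 0
    left = next((i for i in range(WEEK) if not allowed[(cur + i) % WEEK]), WEEK)
    return left * 60 - now.second
```

The documented case (Al0800-1800, login at 17:30) yields 1800 seconds; a login outside every span yields 0, which is the signal to reject it.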



  • Wow, interesting suggestion.  Looks like I have a lot of learning to do.  Would you happen to have a pointer to some documentation on Radius and captive portal within pfsense?  Not a biggie if you don't, I'll look around the captive portal forum anyway.

    thanks,



  • There are some tutorials about captive portal at our tutorial section: http://pfsense.com/index.php?id=36



  • I tried those links but none of them work.  They just hang and never actually load anything.  I tried the NCSA and the untouchables.  Do you know of one that actually works?

    thanks,



  • All of them work. You need flash as they are movies.



  • I have flash as other websites with flash work, and I don't get any prompting saying I need to download macromedia.  Not sure what is wrong.  I just get a blank square with a click to activate dialog.  After clicking it just hangs.  If I disable flash, then I don't get the click to update dialog.

    thanks anyway,



  • They work for me. Are you using Firefox or IE?



  • IE



  • Try Firefox. Works for me under it, and it's the best browser there is ;).



  • @lovingHDTV:

    I too am interested in this type of a feature. My bro-in-law and I are just trying to get this to work, as I want to limit my children's access to the internet to "normal" hours.  Here is our idea/progress.

    We want to be able to set a begin and end time for each rule.  We plan on using the enable button to effect the change.  Upon the creation/modification for a rule we will create a new crontab file, if the begin/end times are blank, then nothing is written to the cron tab file for that rule.  If they are filled in then entries in the crontab will be created for each begin/end time.  This way we don't have to poll, just refresh the webpage at the given times in the rules table.

    Status:

    Add two columns to the firewall rules sheet to specify the begin/end times per rule (done)
    Modify the web page so that the enable sets itself properly according to the times set for the rule (done)
    Write a crontab file containing all the start/stop times. (done)

    What we have left to do is to get cron to read the crontab and refresh the webpage.  For testing we did this from an XP machine, to refresh the webpage and see that the rule enable is set properly.  This method requires you to log in every time.  Any suggestions on how to get this to work from a cron run and to get past the login authentication without leaving a huge security hole?  When this last piece is done, it will be working.

    Suggestions welcome for this last piece or comments if we have done something completely wrong.

    thanks,

    For this purpose, you can use IPCop with URL Filter add on.
    I used IPCop for this purpose.
    And my IPCop is behind pfsense, which supports multi-wan function.



  • I use time based rules in a Juniper/Netscreen Firewall for a few reasons. I cannot use captive portal because I am not limiting just port 80, I have programs that use other ports and are unattended. But I am also limiting bandwidth per rule also. So that during business hours the firewall throttles to a lower bandwidth than during the night for those ports. Aren't online backups fun.

    Instead of refreshing some web page have your cron job either modify and apply /tmp/rules.debug or directly change the running rules at the times you specify.

    It would be nice, but that would mean that the traffic shaper would have to be used per rule and also have scheduling.
    I am not holding my breath on this feature set. :P

    pfSense is a good firewall and I use it in most places.



  • I am working on this right now for HEAD version. I'll keep posted how my progress goes and when it will be available in releng.

