Netgate Discussion Forum

Firewall Rule Schedule

Firewalling, 22 Posts, 9 Posters, 7.6k Views

yoda715

Hey guys, did a search and didn't find this topic addressed anywhere. Are there any plans to add a feature where rules can have schedules applied to them? I.e. a rule that only passes traffic Monday - Thursday and denies it at all other times, etc.

Regards

sullrich

No, nobody is planning this that I know of (developers).

rsw686

I think this feature would be useful, however pf doesn't allow you to set rules for specific times, so it looks hard to implement.

It looks like to make this work you would have to have those rules in a separate anchor. pfSense would need a script written and a cron job to parse the rules, see if changes are necessary and then clear out / reload the rules in the anchor. You could probably get the time schedule down to 15 min blocks. Shouldn't be too CPU intensive since most of the time the rules would stay the same. It would just check and then rebuild them if necessary.

I have other things I am working on (miniupnpd and imspector) but if I get some free time I might look at this. I only use pfSense at home, so it would be nice, but not something I'd really use.

sullrich

I use pfSense in a lot of locations and so do my clients. Not one needs this feature, so I don't think the demand is as far-fetched as some would want you to think.

Keep rolling on what you're rolling on… It's touching a lot more people than time-based rules would.

yoda715

I on the other hand do have clients that use this feature in other commercial firewalls, and use it a lot. I would eventually like to see my clients switching to pfSense, but until other things along with this feature are implemented it won't happen. I may consider offering a bounty soon for this feature.

sullrich

@yoda715:

    I on the other hand do have clients that use this feature in other commercial firewalls, and use it a lot. I would eventually like to see my clients switching to pfSense, but until other things along with this feature are implemented it won't happen. I may consider offering a bounty soon for this feature.

Yes, a bounty is about the only way I see this making it into the system. It really is no thrills and doesn't really give anyone the satisfaction of working on something 'cool', unfortunately.

sai

@yoda715:

    I on the other hand do have clients that use this feature in other commercial firewalls, and use it a lot. I would eventually like to see my clients switching to pfSense, but until other things along with this feature are implemented it won't happen. I may consider offering a bounty soon for this feature.

What commercial firewalls have time-based rules?

sai

yoda715

SonicWALLs, WatchGuards, and Check Point. Also the new PIX version 7.2, I believe, supports time-based rules.

lovingHDTV

I too am interested in this type of a feature. My bro-in-law and I are just trying to get this to work, as I want to limit my children's access to the internet to "normal" hours. Here is our idea/progress.

We want to be able to set a begin and end time for each rule. We plan on using the enable button to effect the change. Upon the creation/modification of a rule we will create a new crontab file; if the begin/end times are blank, then nothing is written to the crontab file for that rule. If they are filled in, then entries in the crontab will be created for each begin/end time. This way we don't have to poll, just refresh the webpage at the given times in the rules table.

Status:

Add two columns to the firewall rules sheet to specify the begin/end times per rule (done)
Modify the web page so that the enable sets itself properly according to the times set for the rule (done)
Write a crontab file containing all the start/stop times. (done)

What we have left to do is to get cron to read the crontab and refresh the webpage. For testing we did this from an XP machine, to refresh the webpage and see that the rule enable is set properly. This method requires you to log in every time. Any suggestions on how to get this to work from a cron run and to get past the login authentication without leaving a huge security hole? When this last piece is done, it will be working.

Suggestions welcome for this last piece or comments if we have done something completely wrong.

thanks,

yoda715

Sounds like you've made a lot of progress. I'm not sure if you have this implemented already, but one important feature about this schedule stuff is the days factor. There needs to be a way to specify what days as well as what time on the schedule.

jeroen234

@lovingHDTV:

    I too am interested in this type of a feature. My bro-in-law and I are just trying to get this to work, as I want to limit my children's access to the internet to "normal" hours. Here is our idea/progress.

    Suggestions welcome for this last piece or comments if we have done something completely wrong.

    thanks,

Maybe FreeRADIUS and the pfSense captive portal can help you.

Login-Time defines the time span a user may log in to the system. The format of a so-called time string is like the format used by UUCP. A time string may be a list of simple time strings separated by "|" or ",".

Each simple time string must begin with a day definition. That can be just one day, multiple days, or a range of days separated by a hyphen. A day is Mo, Tu, We, Th, Fr, Sa or Su, or Wk for Mo-Fr. "Any" or "Al" means all days.

After that a range of hours follows in hhmm-hhmm format. For example:

"Wk2305-0855,Sa,Su2305-1655"

radiusd calculates the number of seconds left in the time span, and sets the Session-Timeout to that number of seconds. So if someone's Login-Time is "Al0800-1800" and she logs in at 17:30, Session-Timeout is set to 1800 seconds so that she is kicked off at 18:00.

# FreeRADIUS users file entry: check items (Password, Auth-Type, Login-Time) belong on the user's first line
liza    Password == "lizaspassword", Auth-Type := Local, Login-Time := "Al1600-2200"

This lets liza with password lizaspassword through the pfSense captive portal every day between 16:00 and 22:00.

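The Login-Time format described in the post above, as an added example that is not the poster's or FreeRADIUS's code: it expands a time string into the allowed minutes of the week and computes the Session-Timeout radiusd would hand back, so an administrator can check a schedule before putting it in front of real users. It assumes that a day name with no hour range means the whole day and that an hhmm-hhmm range whose end precedes its start runs past midnight; both are assumptions about radiusd's behaviour, not statements from the post.

```python
import re
from datetime import datetime

DAY_NAMES = ["mo", "tu", "we", "th", "fr", "sa", "su"]  # index = datetime.weekday()
MINUTES_PER_WEEK = 7 * 24 * 60

def parse_days(text):
    """Expand a day prefix ('Wk', 'Al', 'Any', 'Sa', 'Mo-Th', 'SaSu') into weekday indexes."""
    days = set()
    for token in re.findall(r"al|any|wk|[a-z]{2}-[a-z]{2}|[a-z]{2}", text.lower()):
        if token in ("al", "any", "wk"):
            days.update(range(5 if token == "wk" else 7))
        elif "-" in token:  # a range such as Fr-Mo wraps around the end of the week
            first, last = (DAY_NAMES.index(d) for d in token.split("-"))
            days.update((first + i) % 7 for i in range((last - first) % 7 + 1))
        else:
            days.add(DAY_NAMES.index(token))
    return days

def parse_login_time(spec):
    """Return the set of allowed minute-of-week indexes for a Login-Time string."""
    allowed = set()
    for simple in re.split(r"[|,]", spec):
        m = re.fullmatch(r"\s*([A-Za-z-]+)(?:(\d{4})-(\d{4}))?\s*", simple)
        if not m:
            raise ValueError("bad time string: %r" % simple)
        if m.group(2) is None:
            start, end = 0, 24 * 60  # day name with no hours: the whole day (assumption)
        else:
            start, end = (int(t[:2]) * 60 + int(t[2:]) for t in m.group(2, 3))
        length = (end - start) % (24 * 60) or 24 * 60  # an end before the start spans midnight
        for day in parse_days(m.group(1)):
            first = day * 24 * 60 + start
            allowed.update((first + i) % MINUTES_PER_WEEK for i in range(length))
    return allowed

def session_timeout(spec, when):
    """Seconds a session started at `when` may last (the Session-Timeout); 0 if login is refused."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    allowed = parse_login_time(spec)
    minute = when.weekday() * 24 * 60 + when.hour * 60 + when.minute
    if minute not in allowed:
        return 0
    if len(allowed) == MINUTES_PER_WEEK:
        return None  # allowed around the clock: no timeout needed
    left = 0
    while (minute + left) % MINUTES_PER_WEEK in allowed:
        left += 1
    return left * 60 - when.second
```

With the post's own example, session_timeout("Al0800-1800", "2024-01-01T17:30:00") returns 1800, and the "Wk2305-0855,Sa,Su2305-1655" string lets a Sunday 23:30 login run through to Monday 16:55.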
lovingHDTV

Wow, interesting suggestion. Looks like I have a lot of learning to do. Would you happen to have a pointer to some documentation on RADIUS and captive portal within pfSense? Not a biggie if you don't, I'll look around the captive portal forum anyway.

thanks,

hoba

There are some tutorials about captive portal at our tutorial section: http://pfsense.com/index.php?id=36

lovingHDTV

I tried those links but none of them work. They just hang and never actually load anything. I tried the NCSA and the untouchables. Do you know of one that actually works?

thanks,

hoba

All of them work. You need Flash as they are movies.

lovingHDTV

I have Flash, as other websites with Flash work, and I don't get any prompting saying I need to download Macromedia. Not sure what is wrong. I just get a blank square with a click-to-activate dialog. After clicking it just hangs. If I disable Flash, then I don't get the click-to-update dialog.

thanks anyway,

yoda715

They work for me. Are you using Firefox or IE?

lovingHDTV

IE

yoda715

Try Firefox. Works for me under it, and it's the best browser there is ;).

khuetam

@lovingHDTV:

    I too am interested in this type of a feature. My bro-in-law and I are just trying to get this to work, as I want to limit my children's access to the internet to "normal" hours. Here is our idea/progress.

    We want to be able to set a begin and end time for each rule. We plan on using the enable button to effect the change. Upon the creation/modification of a rule we will create a new crontab file; if the begin/end times are blank, then nothing is written to the crontab file for that rule. If they are filled in, then entries in the crontab will be created for each begin/end time. This way we don't have to poll, just refresh the webpage at the given times in the rules table.

    Status:

    Add two columns to the firewall rules sheet to specify the begin/end times per rule (done)
    Modify the web page so that the enable sets itself properly according to the times set for the rule (done)
    Write a crontab file containing all the start/stop times. (done)

    What we have left to do is to get cron to read the crontab and refresh the webpage. For testing we did this from an XP machine, to refresh the webpage and see that the rule enable is set properly. This method requires you to log in every time. Any suggestions on how to get this to work from a cron run and to get past the login authentication without leaving a huge security hole? When this last piece is done, it will be working.

    Suggestions welcome for this last piece or comments if we have done something completely wrong.

    thanks,

For this purpose, you can use IPCop with the URL Filter add-on.
I used IPCop for this purpose.
And my IPCop is behind pfSense, which supports multi-WAN.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.