5. Scheduled Rules Don't Work With Established Connections

Scheduled Rules Don't Work With Established Connections

  • P

    Anyone else having problems using scheduled rules? I have set up some rules to block internet access for the early morning. The rules work for any new connection, but for any connection that is already established when the schedule starts, it continues. In particular, any streaming audio connection survives the scheduled internet block, and continues streaming. It appears the state is not reset when the scheduled rules are applied. As a workaround, I have set up a cron job 1 minute after the scheduled rules are applied, with a pfctl -F state. That certainly kills the streaming audio, but it also kills other connections I didn't want killed. Maybe I should look into using pfctl -k …

    Is anyone else having similar problems, and if so, have you found a better workaround?

    I am using 2.0-Beta4 (amd64) Nov 22 snapshot.

    0
  • D

    As far as I know, this is by design.  Established connections are not affected by rule changes unless you kill the state table as you are doing…

    0
  • E

    Under system->advanced->miscellanous there is
    By default schedules clear the states of existing connections when expiry time has come. This option allows to override this setting by not clearing states for existing connections

    Have you checked that by any chance?

    0
  • P

    No, the check box is not checked.

    0
  • E

    Well can you get copies of /tmp/rules.debug when rule is active and when rule is not?
    Mostly because the schedule is not right!?

    0
  • P

    Here is a diff of the /tmp/rules.debug, just before the schedule kicked in, and during.

    diff rules.debug.before_schedule rules.debug.after_schedule
    237c237
    < # schedule finished -  label "USER_RULE"
    –-

    block  in log  quick  on $LAN  proto { tcp udp }  from  192.168.64.17 to  !192.168.64.1/24  schedule "4cec554a4eae9"  label "USER_RULE"

    0
  • E

    I am sorry but you are missing the point here :).
    How is pfSense supposed to know what to kill when the schedule becomes active?

    I would do the other way to get the functionality you want.
    Create a pass rule for the time you need and then either let the normal policy take place or put the block rule, shown before, just after it.

    This makes sure the states created by that schedule rule to be cleared otherwise it is not a good idea to drop all connections just because you can.

    0
  • C

    If you use pass rules, when they become inactive, the states should be killed. Using block rules with a schedule, existing matching connections aren't killed as there is no reliable way to match in all circumstances. You should use a pass rule on the schedule in that case.

    0
  • P

    Thanks to everyone for your help. I have switched the scheduled rules to pass rules instead of blocking rules, and everything works as expected now.

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2019 Rubicon Communications, LLC | Privacy Policy