Scheduled Rules Don't Work With Established Connections
-
Anyone else having problems using scheduled rules? I have set up some rules to block internet access for the early morning. The rules work for any new connection, but for any connection that is already established when the schedule starts, it continues. In particular, any streaming audio connection survives the scheduled internet block, and continues streaming. It appears the state is not reset when the scheduled rules are applied. As a workaround, I have set up a cron job 1 minute after the scheduled rules are applied, with a pfctl -F state. That certainly kills the streaming audio, but it also kills other connections I didn't want killed. Maybe I should look into using pfctl -k …
Is anyone else having similar problems, and if so, have you found a better workaround?
I am using 2.0-Beta4 (amd64) Nov 22 snapshot.
-
As far as I know, this is by design. Established connections are not affected by rule changes unless you kill the state table as you are doing…
-
Under system->advanced->miscellanous there is
By default schedules clear the states of existing connections when expiry time has come. This option allows to override this setting by not clearing states for existing connectionsHave you checked that by any chance?
-
No, the check box is not checked.
-
Well can you get copies of /tmp/rules.debug when rule is active and when rule is not?
Mostly because the schedule is not right!? -
Here is a diff of the /tmp/rules.debug, just before the schedule kicked in, and during.
diff rules.debug.before_schedule rules.debug.after_schedule
237c237
< # schedule finished - label "USER_RULE"
–-block in log quick on $LAN proto { tcp udp } from 192.168.64.17 to !192.168.64.1/24 schedule "4cec554a4eae9" label "USER_RULE"
-
I am sorry but you are missing the point here :).
How is pfSense supposed to know what to kill when the schedule becomes active?I would do the other way to get the functionality you want.
Create a pass rule for the time you need and then either let the normal policy take place or put the block rule, shown before, just after it.This makes sure the states created by that schedule rule to be cleared otherwise it is not a good idea to drop all connections just because you can.
-
If you use pass rules, when they become inactive, the states should be killed. Using block rules with a schedule, existing matching connections aren't killed as there is no reliable way to match in all circumstances. You should use a pass rule on the schedule in that case.
-
Thanks to everyone for your help. I have switched the scheduled rules to pass rules instead of blocking rules, and everything works as expected now.