{Complete} Timebased Rules

BuddhaChu

Looks like you guys fixed something before I noticed it was going on with the 2 builds I loaded yesterday.  Snort was being restarted every 15 minutes whenever the rules were being reloaded.  I loaded up the "Thu Mar 29 04:14:59 EDT" build this morning and it looks like you got that sorted.  Thanx!

Notice the processor spiking every 15 min has ceased in the attached pic.

Heiko: Thank you for sponsoring this addition to pfSense!

heiko

BuddhaChu: Don't mention it!

heiko

Hello Guys,

a few things:

1.) how it works when schedules with time overlaps exists?

2.) a line break also in the configured range would be helpful –> Screenshot

3.) The Description of the "schedule name" is not right, "-;_" kicks me out when i fill this in..

4.) I think the description could be a duty field - Screenshot

5.) "Grimbelfix" when edit/save/edit is OK - it runs

6.) Upps, when i edit a saved schedule and change the name for example from "test123" to "test12345", all rules with the schedule "test123" are not switching to "test12345" but to "none" -- intended ???

7.) it would be fine, when the console menü receives a number with, for  example, "deleting all schedules on rule", maybe,maybe

8.) how is the actual condition of cron, timedelay between reloading?

9.) The "schedule name" field is very long, so look at the screenshot, maybe a little bit shorter, a field definition would be good.

10.) Screenshot ; edit a saved range without saving the changes, edit then the next range, so the first one is down the drain, it would be better, i think, when only one range at a time can be modified.

11.) Another problem i think --> see Screenshot ssh.jpg- I have to created a blocking rule like ssh at the top. Without a rule schedule it works fine. Now i create a time range - today 16:45 - to 17:00 -. The time is 16:20 when i put the schedule to the rule. Saved, but nothing happens... On 16:40 i cannot established a ssh session. The Blocking rule i think is only active betwen the timerange, so the default lan rule is active, but i can´t access. The webgui anti-lockout checkbox is active. The "not" operator are not used in this rule.

Can you duplicated this behaviour.

Great work, "Scott´s".

I not known, which timebased-rule-system is better than pfsense´s....., no one, i think

Greetings
heiko


yoda715

@heiko:

1.) how it works when schedules with time overlaps exists?

Every 15 minutes all schedules are re-evaluated. If two schedules overlap it should work continuously and not disturb each other.

@heiko:

2.) a line break also in the configured range would be helpful –> Screenshot

I'm working on this

@heiko:

3.) The Description of the "schedule name" is not right, "-;_" kicks me out when i fill this in..

This has been corrected. Valid names are a-z, A-Z and 0-9

@heiko:

4.) I think the description could be a duty field - Screenshot

Duty field? Can you describe this in more detail? How is this different than what is already there?

@heiko:

5.) "Grimbelfix" when edit/save/edit is OK - it runs

Good to hear :)

@heiko:

6.) Upps, when i edit a saved schedule and change the name for example from "test123" to "test12345", all rules with the schedule "test123" are not switching to "test12345" but to "none" – intended ???

Oops. Fixed.

@heiko:

7.) it would be fine, when the console menü receives a number with, for  example, "deleting all schedules on rule", maybe,maybe

Can you elaborate some more on this?

@heiko:

8.) how is the actual condition of cron, timedelay between reloading?

Time delay should be around 30 secs at most, depending on the speed and load of your pfsense box.

@heiko:

9.) The "schedule name" field is very long, so look at the screenshot, maybe a little bit shorter, a field definition would be good.

Fixed.

@heiko:

10.) Screenshot ; edit a saved range without saving the changes, edit then the next range, so the first one is down the drain, it would be better, i think, when only one range at a time can be modified.

Oops, thought I did this already. Done

@heiko:

11.) Another problem i think –> see Screenshot ssh.jpg- I have to created a blocking rule like ssh at the top. Without a rule schedule it works fine. Now i create a time range - today 16:45 - to 17:00 -. The time is 16:20 when i put the schedule to the rule. Saved, but nothing happens... On 16:40 i cannot established a ssh session. The Blocking rule i think is only active betwen the timerange, so the default lan rule is active, but i can´t access. The webgui anti-lockout checkbox is active. The "not" operator are not used in this rule.

Update to the latest snapshot in 2 hours. This should be fixed. Retest and let us know.

@heiko:

I not known, which timebased-rule-system is better than pfsense´s….., no one, i think

I think its fair to say We have the best schedule system now :)

heiko

Ok, i will test the next snapshot, but tommorow…..

1.) 7.) it would be fine, when the console menü receives a number with, for  example, "deleting all schedules on rule", maybe,maybe

Can you elaborate some more on this?

i think, with a complex time based rulesystem, i can kick me out…., then i can reset all with the console menue, but this is not very comfortable, so i must reset , config restore and other things. A very big time lost...

I think, a number with the code behind " delete all schedules on rules" brings all rules up and i needn´t a restore or anything would be helpful.

Do you have a better proposal?

2.) I think the description could be a duty field - Screenshot

Duty field? Can you describe this in more detail? How is this different than what is already there?

At the Moment it doesn´t a duty field or my test was not right…., when you coded a duty field with a line break, i can already set a "speaking" description to that field. Then i can see directly what the admin means with this schedule.
Also, do you have a better proposal? I´m up for it!

I will test the other points in the morning, and post the outcomes….

Thank you very much!
Heiko

hoba

@heiko:

2.) I think the description could be a duty field - Screenshot
Duty field? Can you describe this in more detail? How is this different than what is already there?
At the Moment it doesn´t a duty field or my test was not right…., when you coded a duty field with a line break, i can already set a "speaking" description to that field. Then i can see directly what the admin means with this schedule.
Also, do you have a better proposal? I´m up for it!

He means it is a required field, so that you can't save the page with nothing filled in there. He wants to always see a description in the schedules overview for better readability/understanding what this schedule does or is intended for.

heiko

Vielen Dank für die Übersetzung, Holger!
Thanks for the translation, Holger!

yoda715

@hoba:

@heiko:

2.) I think the description could be a duty field - Screenshot
Duty field? Can you describe this in more detail? How is this different than what is already there?
At the Moment it doesn´t a duty field or my test was not right…., when you coded a duty field with a line break, i can already set a "speaking" description to that field. Then i can see directly what the admin means with this schedule.
Also, do you have a better proposal? I´m up for it!

He means it is a required field, so that you can't save the page with nothing filled in there. He wants to always see a description in the schedules overview for better readability/understanding what this schedule does or is intended for.

Hmm, I don't particularly like making something required that isn't really necessary for the schedule to function. In my opinion making that field a requirement would be annoying.

heiko

Hello Scott,
i don´t think so…., but it is not really fundamental, so you must not change this field!!

At the Moment i cannot test the build, because i think the snapshot server is down?
Greetings
Heiko

heiko

Hello,
i need the snapshot server to test the build, then we will see if the project is finished.
Greetings
heiko

sullrich

Server is down, we're working on it.

heiko

I´m waiting and waiting, so i can test snort….. ;D

heiko

we are Online! i will download and test the latest snapshot, i will be post the outcomes…

yoda715

All known bugs are knocked out using latest snapshot. Please test latest snapshot. This latest snapshot should complete time based rules if it meets approval.

heiko

Hello Scott´s,

first, i have a "big problem" with testing it completely out. Here the outcomes. Take a look at the Screenshots.

1.) The Filter reload ist not really working here. I created an icmp-rule to ping the wan-interface. OK, so i disabled this without having a schedule and the ping replys and replys and so on….... It is difficult to test the schedule-logic, cron, resettings states and so on if the filter reloading are not completely working without schedules. Even if i delete the rule, the ping replys and replys, i wait after the deletion one hour, the ping replys....New ping-sessions are also established. Hmmm? I don´t know.

Sorry! Please duplicate!

2.) Can you implement the extension to "Console-menu"?? It would be very nice.

3.) a line break also in the configured range would be helpful --> Screenshot
;D - it´s finished

4.) the Description of the "schedule name" is not right, "-;_" kicks me out when i fill this in..
;D -it´s finished

5.) Upps, when i edit a saved schedule and change the name for example from "test123" to "test12345", all rules with the schedule "test123" are not switching to "test12345" but to "none" --    intended Huh
;D -it´s finished , cool solution

6.) The "schedule name" field is very long, so look at the screenshot, maybe a little bit shorter, a field definition would be good.
??? Not complete, take a look at the screenshot -- Sorry

7.) Screenshot ; edit a saved range without saving the changes, edit then the next range, so the first one is down the drain, it would be better, i think, when only one range at a time can be modified.
;D -it´s finished

8.) Another problem i think --> see Screenshot ssh.jpg- I have to created a blocking rule like ssh at the top. Without a rule schedule it works fine. Now i create a time range - today 16:45 - to 17:00 -. The time is 16:20 when i put the schedule to the rule. Saved, but nothing happens... On 16:40 i cannot established a ssh session. The Blocking rule i think is only active betwen the timerange, so the default lan rule is active, but i can´t access. The webgui anti-lockout checkbox is active. The "not" operator are not used in this rule.

• I can test it out, when the filter reloading and states resetting are OK, sorry

Please duplicate this behaviour to number 1 and i will retest as soon as possible

The "knock-out" is delayed :)

Greetings
heiko

sullrich

#1 Sorry, I do not understand this at all.  You are saying that ICMP is not being blocked even without a schedule?

In terms of the description boxes, enter a space.  Its NOT normal for someone to enter sdvjkhsdgkjhsdgkhsdkjdgsh as a description.

We'll look into the other nit-picks.

heiko

Hello Scott,
what is normal? We can finished it, but in my opinion a test is an extreme test.
Change it or leave it! Your decision!!!

Please test blocking rules without schedules. I´am confused of this.

Heiko

Sorry!!

sullrich

I don't understand the problem so it is going to be hard to test.  Can you please explain #1 again.

heiko

Scott,
it is a very simple test.

My first test: I create a rule with icmp path to the wan!
2.) i ping- all is OK
3.) i disable the rule, and the ping replys
4.) i delete the rule, and the ping replys
5.) after the delete of the "one" rule, new ping replys and replys

So, before i test a rule with a schedule, at first a i test the normal behaviour….

Please duplicate!

sullrich

I cannot duplicate this.  The firewall works as it should without schedules, in fact, we didn't modify the PF rules at all so if an item does not have a schedule then nothing has changed on the backend.

If you are speaking of a rule having an issue with a schedule please run ipfw show from the shell and show what the rules look like.