Netgate Discussion Forum

{Complete} Timebased Rules

    yoda715
    last edited by Mar 23, 2007, 10:22 PM Mar 23, 2007, 10:17 PM

    @heiko:

    Hello,
    I think a schedule column in the firewall rule is really helpful, because the gui is more ergonomic…
    In a few minutes, I will test twice and post the results.
    Greetings from Germany
    heiko

    I will get to that soon. Right now the focus is to get the backend working properly, then fix the gui stuff.

    @heiko:

    Hello Scott,
    You save a schedule, but with no name; the schedule is saved, but you cannot choose this schedule in the rule. It is OK, I think, but saving a schedule without a name is strange… The "schedule name" is a duty field, so I can save when I write a name, otherwise not.
    Bye
    Heiko

    I've fixed that, it just hasn't been committed yet.

      heiko
      last edited by Mar 23, 2007, 10:28 PM

      Hello Scott,
      I agree, a little annotation:

      When you finish the coding behind the gui, please take a look at my requested features…

      Greetings
      Heiko

        sullrich
        last edited by Mar 23, 2007, 11:25 PM

        Time zone information will come from the system.  If your timezone is honoring DST then FreeBSD/php should just work I would think.  So I don't know if we need a daylight savings option?

          yoda715
          last edited by Mar 23, 2007, 11:49 PM

          @sullrich:

          Time zone information will come from the system.  If your timezone is honoring DST then FreeBSD/php should just work I would think.  So I don't know if we need a daylight savings option?

          Agree

            sullrich
            last edited by Mar 24, 2007, 12:05 AM

            Having a really hard time figuring out how we are going to kill old states.  Is this an absolute requirement for the bounty or is blocking new connections "good enough"?

              sai
              last edited by Mar 24, 2007, 1:35 AM

              @sullrich:

              Having a really hard time figuring out how we are going to kill old states.   Is this an absolute requirement for the bounty or is blocking new connections "good enough"?

              Easy way out would be an option to reset all states on the rule. When the rule comes into force, you reset the states if the option is ticked.

                sullrich
                last edited by Mar 24, 2007, 6:44 AM

                @sai:

                @sullrich:

                Having a really hard time figuring out how we are going to kill old states.  Is this an absolute requirement for the bounty or is blocking new connections "good enough"?

                Easy way out would be an option to reset all states on the rule. When the rule comes into force, you reset the states if the option is ticked.

                Not so easy.  So how would you calculate this without redoing pf's logic in php?

                  yoda715
                  last edited by Mar 24, 2007, 7:44 AM Mar 24, 2007, 7:41 AM

                  @heiko:

                  Hello Scott,
                  I agree, a little annotation:

                  When you finish the coding behind the gui, please take a look at my requested features…

                  Greetings
                  Heiko

                  Disregarding the bugs in the gui, do you like it so far? Do you find it easy to use? Will it meet your needs?

                    heiko
                    last edited by Mar 24, 2007, 9:04 AM

                    Good Morning,

                    Yes, I think we can finish the discussion about the gui, any bugs can be fixed later. Good job!

                    About the firewall states, my opinion: the expiration of a schedule must kill all the states, it is absolute for me. Russia is very strange and I must kill all states from Russia to Switzerland at the expiration.

                    Scott: I know, to kill the states is a big JOB! But also you are a very good coder... :)

                    Please verify, what do you mean, Scott?

                    Greetings from Germany
                    Heiko

                      sai
                      last edited by Mar 24, 2007, 10:07 AM

                      @sullrich:

                      @sai:

                      @sullrich:

                      Having a really hard time figuring out how we are going to kill old states.   Is this an absolute requirement for the bounty or is blocking new connections "good enough"?

                      Easy way out would be an option to reset all states on the rule. When the rule comes into force, you reset the states if the option is ticked.

                      Not so easy.   So how would you calculate this without redoing pf's logic in php?

                      I meant use filter_flush_state_table and reset all the states in the state table, not just the states affected by the rule. Not very elegant, but I usually Reset States when I change/add a rule.

                      The other option would be to parse the states to see if they match the rule and only kill the states that match. Non-trivial :-)

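The second option in the post above (parse the state table and kill only the states that match the rule) can be sketched as follows. This is an added example, not code from the thread or from pfSense; it assumes a simplified rule made of protocol, source network and destination network, IPv4 states without NAT translation, and a constructed sample modelled on `pfctl -ss` output.

```python
import ipaddress
import re

# Constructed sample modelled on `pfctl -ss` output; not captured from a real firewall.
SAMPLE_STATES = """\
self tcp 192.168.1.20:51514 -> 198.51.100.7:443       ESTABLISHED:ESTABLISHED
self tcp 192.168.1.20:51600 -> 203.0.113.9:22       ESTABLISHED:ESTABLISHED
self udp 192.168.1.31:5353 -> 198.51.100.53:53       MULTIPLE:SINGLE
self tcp 198.51.100.80:80 <- 192.168.1.44:40112       FIN_WAIT_2:FIN_WAIT_2
"""

# interface, protocol, left endpoint, direction arrow, right endpoint
STATE_RE = re.compile(r"^\S+\s+(\S+)\s+(\S+)\s+(->|<-)\s+(\S+)")


def parse_state(line):
    """Return (proto, src_ip, dst_ip) for an IPv4 state line, else None."""
    m = STATE_RE.match(line.strip())
    if not m:
        return None
    proto, left, arrow, right = m.groups()
    try:
        left_ip = ipaddress.ip_address(left.rsplit(":", 1)[0])
        right_ip = ipaddress.ip_address(right.rsplit(":", 1)[0])
    except ValueError:
        return None
    # "a -> b" is a to b; "a <- b" is an inbound state, b to a.
    return (proto, left_ip, right_ip) if arrow == "->" else (proto, right_ip, left_ip)


def states_matching_rule(states_text, proto, src_net, dst_net):
    """Sorted, de-duplicated (src, dst) pairs of states the expired rule covers."""
    src_net = ipaddress.ip_network(src_net)
    dst_net = ipaddress.ip_network(dst_net)
    pairs = set()
    for line in states_text.splitlines():
        parsed = parse_state(line)
        if parsed is None:
            continue
        state_proto, src, dst = parsed
        if proto in ("any", state_proto) and src in src_net and dst in dst_net:
            pairs.add((str(src), str(dst)))
    return sorted(pairs)


def kill_commands(pairs):
    """argv lists for `pfctl -k src -k dst`; this kills every state between the pair."""
    return [["pfctl", "-k", src, "-k", dst] for src, dst in pairs]
```

Because `pfctl -k` works on host pairs, the kill is coarser than the rule: states of other protocols or ports between the same two hosts are dropped as well.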
                        diegonix
                        last edited by Mar 24, 2007, 7:24 PM

                        @sullrich:

                        Hang on here.  The person that sponsors the bounty has say so over this feature but with all due respect unless you contributed to the bounty then please sit on the sidelines.

                        Forgive me, I just tried to help!

                        –
                        Diego Morato

                          heiko
                          last edited by Mar 25, 2007, 6:31 PM

                          Hello,
                          good news of the weekend??

                          Greetings
                          Heiko

                            sullrich
                            last edited by Mar 25, 2007, 6:42 PM

                            Backend is in place except for state killing.  Waiting on front end work to be committed.

                              heiko
                              last edited by Mar 25, 2007, 6:59 PM

                              What is with the state killing? You don't really mean that ;)

                              Very special Greetings from Germany
                              heiko

                                yoda715
                                last edited by Mar 26, 2007, 5:36 AM Mar 25, 2007, 11:17 PM

                                @heiko:

                                What is with the state killing? You don't really mean that ;)

                                Very special Greetings from Germany
                                heiko

                                State killing is referring to cutting off current connections when a schedule expires. I will be working a lot on the GUI tomorrow Monday.

                                  sullrich
                                  last edited by Mar 26, 2007, 3:55 AM

                                  I now have a solution (mapped out in my brain) on how to do the expiration of states.  It will involve using ipfw to insert non-stateful deny rules when a rule expires.

                                  We'll see if there are any bugs lurking in FreeBSD here.  I am still working my way through dummynet + pf woes.

                                    heiko
                                    last edited by Mar 26, 2007, 8:10 AM

                                    Fine! Let's go…

                                      sullrich
                                      last edited by Mar 27, 2007, 9:56 PM

                                      Okay, we just put the finishing touches on the time based rule system and my initial tests are positive.

                                      The client gets cut off correctly at the correct time.

                                      Please test the holy beep outta this and report back.

                                      Snapshots are building.  Should be ready about 1-2 hours after this post.

                                      Thanks!

                                        yoda715
                                        last edited by Mar 27, 2007, 11:41 PM Mar 27, 2007, 11:38 PM

                                        Everyone, please take a sledgehammer to these time-based rules. If you find a bug, please report as much detail as possible.

                                        We are still determining how we will display the schedules under the firewall_rules.php page. More to come on that soon. But for now, the rules are active when the current time of the firewall matches the specified ranges in the applied schedule(s).

                                          BuddhaChu
                                          last edited by Mar 28, 2007, 12:33 AM Mar 28, 2007, 12:26 AM

                                          Ok, you asked for it!  /me pulls out sledgehammer

                                          Issue #1 (text only)
                                          Time minute input error dialog doesn't match the text below the time text boxes in the Time section (Dialog mentions "59" is allowed, webpage text doesn't)

                                          Fix: Synchronize text between both places to what is actually correct.

                                          Issue #2 (text only)
                                          Error text (in red at top of page) returned when a Schedule Name has a space in it states:

                                          "The schedule name may only consist of the characters a-z, A-Z, 0-9, -, _"

                                          The text below the text input box states:  "The name of the alias may only consist of the characters a-z, A-Z and 0-9"

                                          Fix: Synchronize text between both places to what is actually correct.  Adding a name with a dash or underscore triggers the error text so I assume those aren't allowed and what is under the text input box is actually the most correct.

                                          Issue #3: Receive errors in log after associating time schedule to a rule then applying that change.  Errors confirmed after trying to add a new time schedule to a rule.

                                          php: : There were error(s) loading the rules: /tmp/qwanRoot.rules:10: syntax error pfctl: Syntax error in config file: pf rules not loaded pfctl: load anchors - The line in question reads [10]: set loginterface xl2
                                          
                                          php: : New alert found: There were error(s) loading the rules: /tmp/qwanRoot.rules:10: syntax error pfctl: Syntax error in config file: pf rules not loaded pfctl: load anchors The line in question reads [10]: set loginterface xl2
                                          

                                          Suggestion: Please add a "no spaces" hint to the "Schedule name" section.  Even though a space isn't in the range "a-z, A-Z and 0-9", I'm a little more dense than most techies, so I need some help.

                                          Workflow/Webpage ergonomics: I keep trying to add my info then hit the Save button at the bottom.  After puzzling about that I noticed the "Add Time" button to add different time slices to the schedule.  My suggestion would be to consider adding a little more text to the error text "The schedule must have at least one time range configured"…possibly "did you Add your time range to the schedule with the "Add Time" button" or something to that effect.  Too wordy, I know...but I hope you can see what I'm suggesting..a small hint.

                                          Longtime ClarkConnect alpha/beta tester, now pfSense newbie (6 weeks and counting)  :D
