Timebased rules
-
I made a schedule for my kids to be blocked from internet. The 1st one is to block from 22:30 - 23:59 the 2nd one is from 00:00 - 06:00. It shut of the access as scheduled but did not re-enable access on schedule. I disabled the 2nd rule and access came back. The pc in question was off when the block should have ended. So the question is does the pc have to be on for the rules to work properly?
-
Please make sure you run the very latest snapshot. There have been some snapshots in between where things have not been working properly. Clients don't have to be up for scheduled rules to work/get reloaded.
-
I was using the snapshot 3-27-2007 modified on 4-6-07. Downloading new one now.
-
Please test it, it should work!
-
I don't know what is happening. I set a rule to block access to LAN from my laptop 19:45 - 20:0 It did not block or unblock access. I can open the schedule like I am going to modify the times and just tell it to save then it takes effect. It will not block or unblock automatically.
PS… you will lock yourself out of the firewall as long as the block rule is active. You can't even access pfsense to administer while active so don't test this on your admin pc. ;)
-
PS… you will lock yourself out of the firewall as long as the block rule is active. You can't even access pfsense to administer while active so don't test this on your admin pc. ;)
Do you have the "Disable webGUI anti-lockout rule" box checked on the Advanced page? If not, this is a bug in the time based rules that needs to be fixed. You should never be able to lock yourself out of the webGUI unless this box is checked.
-
@cmb:
Do you have the "Disable webGUI anti-lockout rule" box checked on the Advanced page? If not, this is a bug in the time based rules that needs to be fixed. You should never be able to lock yourself out of the webGUI unless this box is checked.
I think not a bug, you can't access pfsense at all from the blocked pc while rule is active. I only meant not to block your pc you use to admin.
-
normal there is a speciale rule that makes it that that can never happen
if it is and you did not disable the rule
then its a big bug -
To be able to shutdown already established connections we had to set ipfw on top of pf. My bet is we don't install the antilogout rule for ipfw as we only parse the visible rules in the webgui. So if you block to any port 80 destination and your webgui runs on port 80 you will log yourself out. Create a rule on top of this block to any port 80 rule that still allows access to the gui as destination IP. I guess then it will work. If that's the case we just need to make ipfw aware of the webgui antilogout rule.
-
Hmmh, Tonight, i will duplicate this test, too, and post the outcomes…
-
I did a format, downloaded the official iso, downloaded the newest snapshot and re-installed tonight. Still can't get the schedules to block - unblock internet access. :'( Any ideas?
-
Works for me. Take some screenshots of your rules and schedule, then post them here.
-
-
Can you post a screenshot of the first schedule page, firewall_schedule.php, thanks.
-
-
Ok I've confirmed, its not "killing" the states properly.
-
I think I'm having the same problems. I've set up the timebased rules and they are showing up as being active at the proper times when I look at the Firewall:Rules page (e.g., I've got a block rule for my wireless subnet that is showing up as being active at the proper time). However, the wireless subnet is not actually blocked at the time.
Here's what I did:
1. Prior to 7:30 am set up a timebased rule to block access to/from the wireless subnet from 7:30 am to 7:45 am. At this time (prior to 7:30 am) the wireless subnet has access (confirmed via ping to yahoo.com).
2. After 7:30 am check firewall:rules page and confirm that the timebased rule is active… it is. Attempt ping from wireless subnet to yahoo.com... still have connectivity.
3. From the firewall:rules page open up the edit page for the wireless subnet block rule having the associated 7:30 to 7:45 schedule. Don't make any changes but save and apply the rule "change". Attempt ping to yahoo.com. Now there is no longer connectivity which is the proper/desired state.
4. After 7:45 (when the timebased rule should no longer be active) I go through similar steps and see that I have the same problems in reverse. I.e., even though the firewall:rules page shows the rule as no longer active the wireless subnet connectivity is still blocked. I have to "edit" the firewall rule, save it, and apply it for the timebased rule to be truly no longer active.I am using the pfSense-Full-And-Embedded-Update-1.2-BETA-1-TESTING-SNAPSHOT-05-14-2007 snapshot.
Thanks!
-
Hi,
i have duplicated your test, but for me it works as it should.1.) Block Rule –> schedule 18:30 to 18:45 --> any to yahoo.com --> at 18:30 it blocks all to yahoo.com, no ping
2.) At 18:45 the Block Rule is outside the schedule and the ping replys! -
Nope… still not working for me. I rebooted the firewall and tried it again. At 14:45 block rule schedule started and I can still ping to yahoo.com. I have to open the block rule, save it so that the system prompts me to apply the "change", and then the rule takes affect. The schedule doesn't appear to change the change the state itself. Nothing shows up in the system log other than the "check_reload_status: reloading filter" from applying the change.
-
Just tried booting from the most recent ISO using my config settings saved on a floppy rather than my hard drive installation which has been upgraded multiple times with squid, snort, etc. installed and uninstalled multiple times. Thought this might help eliminate some potential problems.
Still didn't work booting from the CD. Same behavior as before.
Strange and too bad, since this is a feature I would really like to use!