Blocking Rule with Aliases and Schedule



  • I've created a blocking rule for a site and it doesn't seem to catch anything.
    The schedule works, as I have watched it by using the pfctl -sa command, and the rules are loaded and unloaded at the prescribed times.
    Filtering Bridge under Advanced Settings is turned off (unchecked).
    I also have Squid and Squidlight installed and functioning.

    It looks to me as the rule needs to be higher up in the rules list, but I'm too new at this to make that call.

    I've attached my WAN and LAN rules. If you would like to see the Aliases and Schedule, I'll post those too.

    Any help and guidance is greatly appreciated.
    ![WAN Rules.jpg](/public/imported_attachments/1/WAN Rules.jpg)
    ![LAN Rules.jpg](/public/imported_attachments/1/LAN Rules.jpg)



  • It's hard to determine without knowing at least whether the aliases point to internal or external hosts. (Restricted Ebayers refers to machines on your LAN, and Ebay refers to public IPs of Ebay??)



  • Yes. The Restricted Ebayers are internal IPs and Ebay is a growing list of public IPs of Ebay.

    I also forgot to say this is a 1.2-RC3 install on a dual P3 667 with 512 RAM and a 9.1 GB hard drive.
    So, it should be plenty.



  • Hmm, that looks like it should be correct. Have you tried checking firewall logs/rules when someone is trying to get to ebay? I'm confused about watching the schedule load with pfctl. I don't use scheduled rules, but I thought they were loaded via ipfw, so you'd have to use ipfw show to view them.
    I just looked at the part where you said filtering bridge was not enabled. Are the LAN and WAN interfaces bridged?



  • Please read up on the notes on schedules. These rules work a bit differently:

    When working with pfSense based schedules, the logic is a bit different from the normal pfSense rules.

    For example, the rules are evaluated from top to bottom.

    If you have a pass rule and the rule is outside of the schedule, the traffic will be BLOCKED regardless of pass rules that occur after this rule.

    In these cases you will want to change the pass rule to a block-style rule to get the needed functionality.



  • dotdash:
    LAN and WAN are not bridged.

    hoba:
    That's what I was thinking.
    I've attached the output from the pfctl -sa.
    Would you mind taking a look-see at it?

    [pfctl -sa.txt](/public/imported_attachments/1/pfctl -sa.txt)



  • What do you need the rule at interface WAN for? Delete it.



  • Removed WAN rule per Hoba's direction.
    Applied changes.
    Cleared the state tables.
    Restricted user(s) still able to access the blocked site.

    I am not using the DNS server in pfSense; I'm using DNS servers from the ISP at each computer.
    Will this affect name (IP) resolution in this instance?
    I can/will enable pfSense DNS, if so directed.



  • They are probably hitting some IPs that are not in your alias. I would first test this rule with some special IP and try to surf to that IP without using DNS.



  • Are you running squid in transparent mode?



  • mrsense,
    I am running Squid in transparent mode.

    I am also looking into the SquidGuard package.

    I did try a rule to block a single IP website that I found without using the schedule or aliases and it still did not block the site.

    In the states log it was redirecting to 127.0.0.0:80, but the site was still visible.



  • Transparent proxy is causing the problem. I was running into a similar issue and I was told that traffic from local daemons, like squid, is left unfiltered and cannot be filtered without changing pfSense.

    See this post:
    http://forum.pfsense.org/index.php/topic,6617.msg37805.html#msg37805
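    The two points raised in this thread, that the block rule has to sit above the default pass rule and be loaded while the schedule is active (the schedule note earlier in the thread), and that a transparent Squid rewrites the client's port-80 packet to the firewall itself before the LAN rules see the real destination (the post just above), can both be shown with a small model of pf's rule evaluation. The following is an added illustration written for this thread, not pfSense or pf code: the aliases, the WAN address and the proxy port are constructed values, `quick` on every rule mirrors what pfSense generates, and locally originated traffic from Squid is simply modelled as leaving unfiltered.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed alias contents (hypothetical addresses; pfSense loads aliases as pf tables).
ALIASES = {
    "Restricted_Ebayers": ["192.168.1.50", "192.168.1.51"],
    "Ebay": ["203.0.113.0/24"],     # documentation range standing in for the real Ebay list
    "any": ["0.0.0.0/0"],
}
WAN_IP = "198.51.100.2"             # constructed firewall WAN address
PROXY_PORT = 3128                   # assumed Squid listening port on the firewall


@dataclass
class Rule:
    action: str                  # "pass" or "block"
    iface: str                   # interface the rule is attached to: "lan" or "wan"
    src: str                     # alias name
    dst: str                     # alias name
    dport: Optional[int] = None  # None means any port
    quick: bool = True           # pfSense emits 'quick' on every user rule: first match wins
    scheduled: bool = False      # True if the rule is only loaded while its schedule is active


def in_alias(addr: str, alias: str) -> bool:
    return any(ip_address(addr) in ip_network(net) for net in ALIASES[alias])


def matches(rule: Rule, pkt: dict) -> bool:
    return (rule.iface == pkt["iface"]
            and in_alias(pkt["src"], rule.src)
            and in_alias(pkt["dst"], rule.dst)
            and (rule.dport is None or rule.dport == pkt["dport"]))


def loaded_rules(rules, schedule_active: bool):
    """pfSense loads a scheduled rule when its schedule starts and unloads it when it
    ends, which is the change the original poster watched with 'pfctl -sa'."""
    return [r for r in rules if not r.scheduled or schedule_active]


def evaluate(rules, pkt: dict) -> str:
    """pf semantics: the last matching rule wins, except that a matching rule marked
    'quick' ends evaluation immediately. If nothing matches, the default is block."""
    verdict = "block"
    for rule in rules:
        if matches(rule, pkt):
            verdict = rule.action
            if rule.quick:
                break
    return verdict


def direct_request(rules, client: str, dst: str, schedule_active: bool) -> str:
    """No transparent proxy: the LAN rules see the real destination address, so a
    block rule on the Ebay alias can match."""
    pkt = {"iface": "lan", "src": client, "dst": dst, "dport": 80}
    return evaluate(loaded_rules(rules, schedule_active), pkt)


def proxied_request(rules, client: str, dst: str, schedule_active: bool):
    """Squid in transparent mode: an rdr rule rewrites the client's port-80 packet to
    the proxy on the firewall before the filter rules run, so the LAN rules see a
    loopback destination (the redirect the original poster noticed in the states
    table). Squid then opens its own connection from the firewall, and that locally
    generated traffic is not subject to the LAN interface rules at all.
    Returns (verdict for client-to-proxy leg, verdict for proxy-to-site leg)."""
    leg1 = {"iface": "lan", "src": client, "dst": "127.0.0.1", "dport": PROXY_PORT}
    first = evaluate(loaded_rules(rules, schedule_active), leg1)
    second = "unfiltered"   # simplification: daemon traffic from the firewall itself
    return first, second


# Constructed rulesets in the shape the pfSense LAN tab produces.
GOOD_ORDER = [
    Rule("block", "lan", "Restricted_Ebayers", "Ebay", scheduled=True),
    Rule("pass", "lan", "any", "any"),     # the default "LAN -> any" rule
]
BAD_ORDER = list(reversed(GOOD_ORDER))     # block rule placed below the pass-all rule

if __name__ == "__main__":
    client, site = "192.168.1.50", "203.0.113.10"
    print("direct, in schedule, good order :", direct_request(GOOD_ORDER, client, site, True))
    print("direct, out of schedule         :", direct_request(GOOD_ORDER, client, site, False))
    print("direct, in schedule, bad order  :", direct_request(BAD_ORDER, client, site, True))
    print("via transparent squid           :", proxied_request(GOOD_ORDER, client, site, True))
```

    Run stand-alone it prints the verdict for each case: the restricted client is blocked only when the block rule is above the pass-all rule and the schedule is active, and with the transparent proxy in the path the block rule never matches because the packet the LAN rules see is addressed to the firewall, not to Ebay.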



  • @hoba:

    Please read up on the notes on schedules. These rules work a bit differently:

    When working with pfSense based schedules, the logic is a bit different from the normal pfSense rules.

    For example, the rules are evaluated from top to bottom.

    If you have a pass rule and the rule is outside of the schedule, the traffic will be BLOCKED regardless of pass rules that occur after this rule.

    In these cases you will want to change the pass rule to a block-style rule to get the needed functionality.

    I have a blocking rule that blocks youtube and other video websites, and now I want that blocking rule to apply for a specific time. I don't know if the blocking rule is not working or has bugs, but I have tried all of the possible combinations of pass and block rules with this schedule. Can you help me and all of the others who want a step-by-step know-how on whether this schedule logic is working? Thanks



  • For me the Release 1.2 version runs with the schedules as it should.

    First, do you have a 1.2 version? Place a schedule time on a firewall rule, then download your config.xml and check whether you have all the needed cron items.
    Further information: http://forum.pfsense.org/index.php/topic,5838.msg42769.html#msg42769

    Regards
    Heiko

