A few basic questions about features from a NOOB -



  • I have some basic questions that I did try searching for here and Googling but did not get any answers so forgive me if this has been answered. I was not lazy! lol

    Before I go through the trouble of learning and practicing with a VM then building a white box -

    Here are my concerns/questions -

    #1 - If the power goes off and my PFSENSE white box has to be turned back on, does it just boot up and start operating as normal?
    This is for my home and I need simplicity in the event I am gone for a few days. My current router - Netgear R7000 (running a DD-WRT KONG build) - allows the family to just unplug and plug in the device in the event of a lock up, etc.

    #2 - If I block a set of MAC addresses from having internet access from 11PM est to 7am est, will it literally cut that user off at 11pm if they are doing something like Skype or World of Warcraft?
    We have a college student that would WOW till 5am if I let him. I want him to be cut off regardless of what he is doing. DD-WRT seems to be 50/50 with this if I set access restrictions.

    #3 - Is it possible to administrate my PFSENSE router from my LAN or remotely with an Android device or smartphone - e.g., my Samsung Galaxy S3 or my Nexus 7 tablet?

    #4 - Finally, and I apologize if this is inappropriate, but does anyone think Sophos UTM Home would be better for my needs?

    My desire is to eventually set up a small, low power white box based on either Kabini or maybe Beema. I am tired of the DD-WRT dance and the weak retail boxes. I plan on making my R7000 into AP only. I would love to run PFSENSE with OPENVPN (I already have and use a provider for VPN) and add some goodies like Squid/SquidGuard and some other goodies. I am just beginning to learn this.

    If I succeed in this I plan on doing some PFSENSE builds for my clients.

    Thanks in advance for any and all advice.



  • @DownloadDeviant:

    I have some basic questions that I did try searching for here and Googling but did not get any answers so forgive me if this has been answered. I was not lazy! lol

    Before I go through the trouble of learning and practicing with a VM then building a white box -

    Here are my concerns/questions -

    #1 - If the power goes off and my PFSENSE white box has to be turned back on, does it just boot up and start operating as normal?
    This is for my home and I need simplicity in the event I am gone for a few days. My current router - Netgear R7000 (running a DD-WRT KONG build) - allows the family to just unplug and plug in the device in the event of a lock up, etc.

    #2 - If I block a set of MAC addresses from having internet access from 11PM est to 7am est, will it literally cut that user off at 11pm if they are doing something like Skype or World of Warcraft?
    We have a college student that would WOW till 5am if I let him. I want him to be cut off regardless of what he is doing. DD-WRT seems to be 50/50 with this if I set access restrictions.

    #3 - Is it possible to administrate my PFSENSE router from my LAN or remotely with an Android device or smartphone - e.g., my Samsung Galaxy S3 or my Nexus 7 tablet?

    #4 - Finally, and I apologize if this is inappropriate, but does anyone think Sophos UTM Home would be better for my needs?

    My desire is to eventually set up a small, low power white box based on either Kabini or maybe Beema. I am tired of the DD-WRT dance and the weak retail boxes. I plan on making my R7000 into AP only. I would love to run PFSENSE with OPENVPN (I already have and use a provider for VPN) and add some goodies like Squid/SquidGuard and some other goodies. I am just beginning to learn this.

    If I succeed in this I plan on doing some PFSENSE builds for my clients.

    Thanks in advance for any and all advice.

    1. It will boot up and start a repair. You hope it can repair  ;D (I'd recommend a UPS with the NUT package for example, which will allow pfSense to safely shut down in case of a power problem).

    2. Yes. It is a firewall rule with a time schedule assigned to it. I use it to block all Wifi access during the night. 't Works  ;D

    3. It should be possible: the GUI is reachable from a browser. I doubt it will be comfortable to do it from a small smartphone, 'though. A 27" tablet will probably be nicer  ;D

    (However: I personally don't want to configure my main security wall over WiFi, I do that only wired).

    4. No  8)

    (I have to say this since I have been in love with FreeBSD and pfSense for quite some time, and am a donator. To be honest, I have no clue what Sophos is - and I don't want to know  :P But seriously, there are really so few, few, few, communities on the internet where you will find so many ex-tre-me-ly skilled and kind people who will help in case of problems. The FreeBSD spirit lives in this forum too).

    Bye  :)



  • Thank you kindly for taking the time and giving me full, clear answers.  :D



  • @DownloadDeviant:

    I am tired of […] and the weak retail boxes

    You are most welcome  ;D

    I was in the same boat as you are. I got so tired of all the retail crap - with the buggy firmware and absent 'customer support' who try to insult you on every occasion they can as if it was their hobby - that I concluded I needed something better (I, by the way, not only blame the rather rotten characters over at the 'customer support' department who, mostly, appear to have no ambition in life to become good in anything except for getting to the 5 o'clock bell with as little effort as possible; I also blame the 'managers' who suffer from the same disease and hired these people).

    I am an economist by education and occupation, but started 'puters in the '80's (yes, I am old  ;D ). I got to know FreeBSD somewhere in the middle/late '90's, and it was the first OS I couldn't crash within 15 minutes after install ( ;D ;D ;D ). So naturally, when I discovered pfSense is based on FreeBSD I was lost.

    And now I have dual WAN failover, traffic shaping, VLAN's, Radius-enterprise, Snort, Squid/Squidguard, and so on and so on. Thanks to the great FreeBSD developers, the great pfSense developers, and the great user community in which so many people have helped me with so much patience over the past year. This, really, is a FreeBSD spirit  :-*

    Since you are new as I was not so long ago, I could give you three more pieces of advice:

    • Do your own research before you ask questions and tell where you are stuck: the price you pay for getting support from some of the greatest talents in this rock-solid OS is: you can't expect to get things for free. You will pay with your own time; people will step in to help if they know where you are stuck, once you've done your own work to the best of your abilities.
    • Donate. To the cause (pfSense is given for free; this site, and the maintenance work on pfSense isn't; somebody is paying for it with his/her time), but perhaps also to members that have helped you (there is one member in here who has helped me ever since my first install, patiently and unselfishly, who, to this very date, still refuses to let me buy him a coffee via a paypal-donation. I trust I will get there someday  8) ).
    • Say thanks to people who help you (as you did). I see many posts on this fine forum where people ask questions, some of the great experts jump in and give advice, and then: nothing. Not a single thanks. I think that is rude. When you get something for free, pfSense and the advice from the heavy people in here, the least you could do is: say 'thank you very much'. Because they don't have to do it, they might as well go out fishing, taking a walk, or watching Oprah.

    Bye & good luck  ;D


  • LAYER 8 Global Moderator

    To add to the great responses from Hollander

    #1 You will most likely find there should not be very many instances of having to pull the plug on pfsense, unlike your off the shelf soho router.  Nor would I suggest you just pull the plug.  Having a UPS is good advice to make sure power outages don't just cause abrupt outage.  If something stops working - checking for why on pfsense is more likely than with simple soho router interfaces.  If something goes wrong and you cannot figure it out, then a controlled reboot is a better option than just pulling the power.

    That being said - I can not recall ever having to reboot pfsense because something wasn't working ;)

    #2 While it's possible to create timed firewall rules - you can run into a setup where the session is already active and working beyond your schedule..  You might want to schedule a reset of the firewall states for when your firewall rules change based upon time.

    #3 While yes it is possible to allow access to the pfsense web gui from any interface - common security practices would say you wouldn't want to allow from the public internet - and even wireless might not be a good idea.  Wireless is quite often a vector of attack vs wired, so as mentioned you might want to limit firewall access to only from wired connections.  But if you're ok with the security implications - then sure you can allow access to the gui from anywhere you want from any device that can run a browser.

    #4 You have not hinted at any features that pfsense can not do that some other UTM could - no matter what the branding of it.  So impossible to say if X would be better suited for you vs pfsense.



  • @#2: I would be very pleased to read here a little how-to for creating a cron job to reset the states. Pleaaaaaaaaaaase!  :)


  • LAYER 8 Global Moderator

    I believe if you're running the current version this is the default function now.. unless under misc you enabled this checkbox

    "By default schedules clear the states of existing connections when the expiration time has come. This option overrides that behavior by not clearing states for existing connections. "

    I would suggest testing it before assuming it works is all.



  • @Hollander:

    there are really so few, few, few, communities on the internet where you will find so many ex-tre-me-ly skilled and kind people who will help in case of problems. The FreeBSD spirit lives in this forum too).

    I haven't been here long, but I can vouch for that.  This forum has helped me a lot.

    10-15 years ago, I was building Freesco boxes for friends and family for dialup.  I guess I got lazy when broadband and wifi got common and used off the shelf.

    I now can't imagine using a cheap, commercial router for anything other than an AP.



  • @johnpoz:

    I believe if you're running the current version this is the default function now.. unless under misc you enabled this checkbox

    "By default schedules clear the states of existing connections when the expiration time has come. This option overrides that behavior by not clearing states for existing connections. "

    I would suggest testing it before assuming it works is all.

    Found it in Advanced/Misc! I will have a look at the states the coming evenings and come back with results… Many thanks!



  • Yesterday evening: 08:00 the Schedule closed down the internet for some users, at 08:38 the states of at least one of those users were still present (e.g. browser session). :-\



  • Sorry for the delayed response. Got a ton of stuff on my plate and so little time to manage it. Ughh.

    @Hollander - Yes, yes, yes and yes. LOL Couldn't agree with you more. I am an IT guy since Windows 95 and been running my own small biz IT shop for 14 tears…err, I mean years now. Never fooled with my own router though. Was tempted a few times but never did. For my clients, it was important to not monkey around so hardware appliances were the best route and for now I will keep it that way until I gain mad skillz with pfSense. lol I don't know Linux. I never run into it, never have clients ask about it, never needed to. My little pond is basically Windows, Windows, Windows...which is easier on me because I can focus on just that. But for me, pfSense is going to happen and then I am going to play with FreeNAS next year.

    @johnpoz:

    #2 While it's possible to create timed firewall rules - you can run into a setup where the session is already active and working beyond your schedule..  You might want to schedule a reset of the firewall states for when your firewall rules change based upon time.

    #3 While yes it is possible to allow access to the pfsense web gui from any interface - common security practices would say you wouldn't want to allow from the public internet - and even wireless might not be a good idea.  Wireless is quite often a vector of attack vs wired, so as mentioned you might want to limit firewall access to only from wired connections.  But if you're ok with the security implications - then sure you can allow access to the gui from anywhere you want from any device that can run a browser.

    For #2 -
    BINGO! That is what I was concerned about! As long as it is possible to resolve through a reset, I will be happy. I will do my research and learn how and test it.

    For #3 -
    I just wanted to know for the sake that if I was watching TV and could quickly check or reset something, etc. from my Android phone or tablet, that would be nice. I also have my Win 7 laptop and could admin it via Wifi or LAN as well but a quick flip of the smartphone would be sweet. lol

    @johnpoz:

    I believe if you're running the current version this is the default function now.. unless under misc you enabled this checkbox

    "By default schedules clear the states of existing connections when the expiration time has come. This option overrides that behavior by not clearing states for existing connections. "

    I would suggest testing it before assuming it works is all.

    Nice!!!!!!!!!!

    @chemlud:

    Yesterday evening: 08:00 the Schedule closed down the internet for some users, at 08:38 the states of at least one of those users were still present (e.g. browser session). :-\

    OH NO! My fears return! lol

    I was thinking of doing a Kabini build but since I am in no rush (just bought a Netgear R7000 3 months ago and this thing is handling everything I throw at it with DD-WRT KONG on it) I might wait to see if AMD puts Beema on a desktop socket! Would so love to build a box with that 10-15W TDP instead of 25W Kabini. I am sure there will be some kind of announcement in the next 60-90 days. And that is time for me to play with pfSense under VMWARE in my lab anyway.


  • Netgate Administrator

    If you are looking at a low power embedded build then consider booting from flash using the nanobsd images. Since they run almost entirely from RAM there isn't really an issue with unexpected shutdown. I pull the plug on my home box without worrying at all.

    Also…
    @DownloadDeviant:

    I don't know Linux. I never run into it, never have clients ask about it, never needed to.

    ..before anyone else gets in, pfSense is built on FreeBSD. FreeBSD is not Linux.  ;) But it is quite similar and since you know neither it makes no odds!

    Steve



  • @stephenw10

    That was one of the things I was looking to investigate and learn about. I assumed that would be my best route. Now, I am a NOOB so I have not had a chance yet to research much but I figured either just a big old 8,16, or even 32GB USB flash drive or CF card would be fine. I even have an older Patriot 60GB Inferno SSD laying around collecting dust.

    But I also have to figure out what other packages I will be running. I use a VPN service so OpenVPN, I also thought Squid/SquidGuard might be good. I don't know what else I will want to install or try but cannot imagine it would go beyond a 16GB USB drive.


  • LAYER 8 Global Moderator

    Ok to answer your question about killing states.  See my below example.

    I listed the states for my workstation at home (I am vpn'd in currently)..  so see lots of states, I xxx'd out my public IP.  I then killed the states for that 192.168.1.100 IP and it killed 18 states.. See, when I look at states for that IP none are listed.  Red arrow, then look again and 1 state, then look again a few seconds later I see more states.

    So the command pfctl -k IPaddress could be set up to run after your schedule kicks in to kill the kid's sessions.  Or you could issue a pfctl -f state

    Which would kill all states - if possible target just his IP.. so doesn't break your connections.




  • To quote Daffy Duck - "Juh-rool, Juh-rool!"  ;D lol As in Drool Drool.

    My mouth is watering just thinking about that running every single night, shutting things down and letting me relax!!!!!!!!!!

    I think that works perfectly with my plan which was to basically lock things and allowing only specific devices by MAC address in general, then setting the time limit to his IP or MAC. Then that command could be run and it would leave everything else alone. Right now I have my DD-WRT config'd to shut off his access at 11pm and reboot at 11:01PM. But, as I have said, it is a 50/50 thing. Sometimes it works and sometimes he still can connect. Can't wait to kick his ass out in 3 more years…lol



  • How tech savvy is your kid? If it were me, I'd be running it against his MAC. At the least, most kids nowadays know how to change an IP address :P That can be spoofed as well, which returns to my original question, how tech savvy?



  • @johnpoz:

    Ok to answer your question about killing states.  See my below example.

    I listed the states for my workstation at home (I am vpn'd in currently)..  so see lots of states, I xxx'd out my public IP.  I then killed the states for that 192.168.1.100 IP and it killed 18 states.. See, when I look at states for that IP none are listed.  Red arrow, then look again and 1 state, then look again a few seconds later I see more states.

    I added to the Cron tab two jobs for two different IPs:

    Should work every 08:05 pm, huh? :-) I will monitor this…



  • @johnpoz:

    Ok to answer your question about killing states.  See my below example.

    I listed the states for my workstation at home (I am vpn'd in currently)..  so see lots of states, I xxx'd out my public IP.  I then killed the states for that 192.168.1.100 IP and it killed 18 states.. See, when I look at states for that IP none are listed.  Red arrow, then look again and 1 state, then look again a few seconds later I see more states.

    So the command pfctl -k IPaddress could be set up to run after your schedule kicks in to kill the kid's sessions.  Or you could issue a pfctl -f state

    Which would kill all states - if possible target just his IP.. so doesn't break your connections.

    Useful, John, thank you for this suggestion  ;D

    But, as always, I don't understand it: you first kill the states, then they are re-established by the system, then you have to kill them again via a cronjob? But won't they be established again then?

    Or more fundamentally: shouldn't the firewall schedule take care of this automatically? As in: 'this is not a bug, it is a feature'? ( ;D )



  • @Hollander:

    Useful, John, thank you for this suggestion  ;D

    But, as always, I don't understand it: you first kill the states, then they are re-established by the system, then you have to kill them again via a cronjob? But won't they be established again then?

    Or more fundamentally: shouldn't the firewall schedule take care of this automatically? As in: 'this is not a bug, it is a feature'? ( ;D )

    If you kill the states after a scheduled "end of internet access" the states can't be re-established…


  • LAYER 8 Global Moderator

    yeah mine was just an example of the command, I don't have any firewall rules blocking access on a schedule.  Just showing that I killed them, and they show all gone.  Then sure they will try and reconnect.  But in the posters case his new scheduled rule will prevent them from being created.



  • @l3lu3:

    How tech savvy is your kid? If it were me, I'd be running it against his MAC. At the least, most kids nowadays know how to change an IP address :P That can be spoofed as well, which returns to my original question, how tech savvy?

    My thought as well. By extension, the MAC address can often be changed too. You may have better success in a small network by blocking all network traffic EXCEPT the devices that you specifically want to allow during your restricted hours.



  • Thank you John and Chemlud  ;D

    It would have been perfect if, on using the schedules, functionality had been built in to kill states for that rule automatically, but this workaround will work too.

    @cneep:

    @l3lu3:

    How tech savvy is your kid? If it were me, I'd be running it against his MAC. At the least, most kids nowadays know how to change an IP address :P That can be spoofed as well, which returns to my original question, how tech savvy?

    My thought as well. By extension, the MAC address can often be changed too. You may have better success in a small network by blocking all network traffic EXCEPT the devices that you specifically want to allow during your restricted hours.

    Is it that easy to spoof your LAN IP address, from, say, Win7? For even kids?

    :o

    A partial workaround might be static IP with 'deny unknown clients' on the DHCP server(?) Of course, that also hardly is 100% foolproof, as the kid might simply scan the LAN and take the IP of a parent (provided the parent isn't online).



  • @Hollander:

    Is it that easy to spoof your LAN IP address, from, say, Win7? For even kids?

    :o

    All it takes is access to the device manager where the settings for the network adapter device offers you a field where you can enter the MAC address you want to use instead of the pre-programmed one.


  • Netgate Administrator

    @Hollander:

    For even kids?

    Especially for kids! They don't know it might be or should be difficult so they poke around until it's done. They've never known a computer that wasn't on the internet or a firewall that couldn't be eventually broken. Also they probably have a lot of friends who are also learning about this stuff and there's literally thousands of pages on the web explaining how to do it. Safer to assume kids know more than you!  ;)

    Steve



  • @stephenw10:

    Especially for kids! …

    DHCP, with static mapping based on MAC, with "deny unknown clients", with static ARP. What would be the work-around to get internet access? :-\

    EDIT: Cron job for killing states works apparently fine! However, it looks as if states for one of the users were already killed when the firewall went to "BLOCK"… strange...


  • Netgate Administrator

    I'm not saying that it's impossible to lock down a computer to prevent 'unauthorised' internet access. It's easy enough to put a security policy on a Windows box to prevent users changing the MAC but how many home computers have that?
    I'm just saying that most computer literate school age children have probably come up against some sort of web/connection filter at some point and those who are minded to do so have probably looked into ways to get around it. Someone they are friends with will have suggested finding the MAC of a local authorised machine from the ARP table and changing your MAC to it. That friend will then gain popularity for doing so. Everybody wins. Except the network admin/parents!

    It would be a mistake to assume that just because users are children they will not be familiar with basic networking. It's in their interests to keep you thinking they aren't.  ;)

    Steve



  • @chemlud:

    DHCP, with static mapping based on MAC, with "deny unknown clients", with static ARP. What would be the work-around to get internet access? :-\

    Exactly what my thinking was and then running the CRON jobs. I am even thinking of VLAN-ing him to keep him completely separate and isolated. I already have him setup on a guest wifi network that is isolated from us. So, now I guess I have to buy a smart or managed switch. The $$$$ keeps flying away! lol

    Kind of how it is setup on my DD-WRT router. Again, DD-WRT itself is 50/50 reliable and then there are fixes and new versions and then what was working doesn't work any more. lol I have a love/hate relationship with it. lol

    @stephenw10:

    I'm not saying that it's impossible to lock down a computer to prevent 'unauthorised' internet access. It's easy enough to put a security policy on a Windows box to prevent users changing the MAC but how many home computers have that?
    I'm just saying that most computer literate school age children have probably come up against some sort of web/connection filter at some point and those who are minded to do so have probably looked into ways to get around it. Someone they are friends with will have suggested finding the MAC of a local authorised machine from the ARP table and changing your MAC to it. That friend will then gain popularity for doing so. Everybody wins. Except the network admin/parents!

    It would be a mistake to assume that just because users are children they will not be familiar with basic networking. It's in their interests to keep you thinking they aren't.  ;)

    Steve

    Uhhhhh, YEP! lol Been through this. Trust me I am so freaking glad he is 19 now. From the time he was 14 it was a total battle royal. The parental software out there is a joke - Net Nanny, etc., I tried them all! The kids go to forums or chat and learn from each other how to hack it and bypass it. And the sw companies move like molasses when it comes to fixing their bugs. I spent 3 solid months playing email ping pong with Net Nanny actually helping them fix their own darn bugs and I just had had enough. By the time he was 17, I had to go to the extreme level. I literally had the machine locked down and frozen with Deep Freeze by Faronics with only his game folders and a homework folder on a separate isolated HD being the only things on his PC that he could alter. And it worked too! He was so pissed you could see the hate! lol I even had the BIOS locked with a password too.

    So now he is a 19 yr old college freshman about to become a sophomore and a full summer ahead of him and I am not going to deal with him PCing into the wee small hours. I will pull the router plug out if I have to and that is in a steel locked cabinet that he definitely can't get to. lol Hence, why I drool over something rock solid and automated to save me the stress.


  • Netgate Administrator

    Agreed, a separate interface is the way go for real security.
    Then put a super cheap switch between the router and the hostile machine. Power that switch via a timer. Done!  ;)

    Steve



  • @chemlud:

    @Hollander:

    Useful, John, thank you for this suggestion  ;D

    But, as always, I don't understand it: you first kill the states, then they are re-established by the system, then you have to kill them again via a cronjob? But won't they be established again then?

    Or more fundamentally: shouldn't the firewall schedule take care of this automatically? As in: 'this is not a bug, it is a feature'? ( ;D )

    If you kill the states after a scheduled "end of internet access" the states can't be re-established…

    Lately I checked for states after "end of internet" and after the subsequent Cron job to kill all states and found for one of the IPs active states 1.5 hours after the end of internet… How can that happen?  :o

    I would like to monitor the states via email report, but unfortunately there is no log for the states and I don't know the command to be executed to post the current states of the box.... Can anybody help me out, please?  :)


  • LAYER 8 Global Moderator

    I showed you the command to list states for an IP, or all of them: pfctl -ss

    You may need to kill both sides of the state..  When you kill the states, what do you show with the -ss for the host you're worried about?  You may need to use the -k twice, etc.

    I would suggest you read the man on pfctl, I would have assumed that would have been step one after I gave the command example ;)

    http://www.openbsd.org/cgi-bin/man.cgi?query=pfctl&sektion=8

    NAME
        pfctl - control the packet filter (PF) device

    SYNOPSIS
        pfctl [-deghnPqrvz] [-a anchor] [-D macro=value] [-F modifier] [-f file]
              [-i interface] [-K host | network] [-k host | network | label | id]
              [-L statefile] [-o level] [-p device] [-S statefile]
              [-s modifier [-R id]] [-t table -T command [address …]]
              [-x level]



  • Yess, I must confess I started with Linux/BSD last fall, so I'm far from pro… Should invest a little more time, but currently it is a little bit too much around here. I'll do my very best  :D


  • LAYER 8 Global Moderator

    Huh?  From your title of the thread we understand you're not a pro ;)

    Given a command, with examples that showed listing of states, it doesn't seem too far reaching to think the person with the interest in the function would breeze over the doc for the command given..

    I would think the same thing be it a linux/bsd command or a windows cmd..  If I, say, told you to release your dhcp lease you could use ipconfig /releaseall

    Wouldn't you look up the command ipconfig?  Not like gave you example pfctl and then expected you to recompile your kernel ;)



  • cough I didn't start this thread, I actually hijacked it. cough, cough  ::)

    … but the pfctl does nicely what it is supposed to do with the mail report. Unfortunately the mail report allows eMails only at full hours (no minutes to be added to the job...). (edit: me idi**, found the jobs in Cron to edit the time of execution  ;)). However, very nice indeed!

    And I compiled my kernel with the router at the same time :P



  • It's absolutely fascinating:

    20:00 firewall turns off internet (block rule all IPs and all ports with schedule)
    20:02 all states are gone (pfctl -ss | grep <ip> via mail report, and checked by hand)

    however, as pidgin, thunderbird and firefox are still open on this particular computer:

    20:04 states (more than a dozen) to google (993) and to one of these infamous game servers (443) are up again (in both directions):

    re2 tcp 74.125.136.16:993 <- 10.xxx.xxx.xxx:38268      ESTABLISHED:ESTABLISHED
    re1 tcp 10.xxx.xxx.xxx:38268 -> 83.xxx.xxx.xxx:40101 -> 74.125.136.16:993      ESTABLISHED:ESTABLISHED

    or

    re2 tcp 216.66.6.120:443 <- 10.xxx.xxx.xxx:37596      ESTABLISHED:ESTABLISHED
    re1 tcp 10.xxx.xxx.xxx:37596 -> 83.xxx.xxx.xxx:44266 -> 216.66.6.120:443      ESTABLISHED:ESTABLISHED

    …for example...

    The Cron job to kill all states for this particular local IP doesn't change anything, all states present (again?) 5 minutes after the pfctl -k <ip> command.

    Only killing each and every state at once apparently really ends the game(s), so to say.
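An added example (not code from the thread or from pfSense) that implements the check johnpoz suggested: parse `pfctl -ss` output, count the states that still name the blocked host as an endpoint, and list the remote endpoints they go to, so a cron mail report shows whether the schedule plus state kill actually took effect. The state lines are constructed to mimic the ones posted above; `kill_and_report` is a hypothetical cron wrapper that needs pfctl on the firewall itself, so the offline demo does not call it.

```shell
#!/bin/sh
# Added example, not from the thread. Works on the text pfctl -ss prints.

# Constructed sample in pfctl -ss format, mimicking the lines posted above:
# the LAN-side half of each state and its NATed WAN-side half, plus one
# unrelated host (10.0.0.50) to show that matching is by whole address.
SAMPLE_STATES='re2 tcp 74.125.136.16:993 <- 10.0.0.5:38268      ESTABLISHED:ESTABLISHED
re1 tcp 10.0.0.5:38268 -> 83.0.0.1:40101 -> 74.125.136.16:993      ESTABLISHED:ESTABLISHED
re2 tcp 216.66.6.120:443 <- 10.0.0.5:37596      ESTABLISHED:ESTABLISHED
re1 tcp 10.0.0.5:37596 -> 83.0.0.1:44266 -> 216.66.6.120:443      ESTABLISHED:ESTABLISHED
re2 udp 1.1.1.1:53 <- 10.0.0.50:50000      MULTIPLE:MULTIPLE'

# count_states_for IP   (reads pfctl -ss text on stdin, prints a number)
# A state line counts when IP is one of its ADDR:PORT endpoints, so 10.0.0.5
# does not match 10.0.0.50 and the trailing STATE:STATE column is ignored.
count_states_for() {
    awk -v ip="$1" '
        {
            for (i = 3; i <= NF; i++) {
                n = split($i, a, ":")
                if (n == 2 && a[1] == ip) { c++; break }
            }
        }
        END { print c + 0 }'
}

# remote_endpoints_for IP   (reads pfctl -ss text on stdin)
# Prints the unique remote ADDR:PORT the host still talks to. In the "<-"
# form the remote is the first endpoint, in the "->" NAT form it is the last.
remote_endpoints_for() {
    awk -v ip="$1" '
        {
            ne = 0
            for (i = 3; i <= NF; i++) {
                n = split($i, a, ":")
                if (n == 2 && a[2] ~ /^[0-9]+$/) ep[++ne] = $i
            }
            if (ne < 2) next
            split(ep[1], f, ":"); split(ep[ne], l, ":")
            if (f[1] == ip) print ep[ne]
            else if (l[1] == ip) print ep[1]
        }' | sort -u
}

# Hypothetical cron wrapper for the firewall box (needs pfctl). Kills the
# states in both directions as the pfctl man page describes (-k HOST for
# states from HOST, -k 0.0.0.0/0 -k HOST for states to HOST), then reports
# what pfctl -ss still shows so the mail job tells you whether it worked.
kill_and_report() {
    host="$1"
    pfctl -k "$host"
    pfctl -k 0.0.0.0/0 -k "$host"
    left=$(pfctl -ss)
    echo "states still referencing $host: $(printf '%s\n' "$left" | count_states_for "$host")"
    printf '%s\n' "$left" | remote_endpoints_for "$host"
}

# Offline demo on the constructed sample (4 states, two remote endpoints)
echo "states for 10.0.0.5: $(printf '%s\n' "$SAMPLE_STATES" | count_states_for 10.0.0.5)"
printf '%s\n' "$SAMPLE_STATES" | remote_endpoints_for 10.0.0.5
```

Pipe real output in with `pfctl -ss | count_states_for 10.0.0.5` and run it once right after the schedule flips and again a few minutes later; a non-zero second count means states are being re-created despite the block, which is the case to investigate in the rules.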



  • @johnpoz:

    …  Or you could issue a pfctl -f state

    Which would kill all states - if possible target just his IP.. so doesn't break your connections.

    Actually, the correct command to kill all states is

    pfctl -F state

    (there is an error in the man page for pfctl at OpenBSD, there it is "states", which actually doesn't work… :-D )

    http://www.openbsd.org/cgi-bin/man.cgi?query=pfctl&sektion=8


  • Netgate Administrator

    The pf in FreeBSD has moved significantly away from that in OpenBSD. Also the pf in pfSense is different to that in the base FreeBSD version so even this page may not be entirely correct. But, yes 'F' appears correct.  :)

    Steve



  • I found the easiest way to avoid all the hassle with killed connections and existing states etc was to take the other approach.

    make an alias for IP addresses you want to block called blocked
    make a schedule for the hours you want it to work named limits

    Firewall rules, LAN tab,
    first rule is the antilockout rule
    second rule says when the controlled devices ARE allowed on,
    allow source blocked  schedule limits
    third rule is
    allow source!blocked

    works very well.

    PS it's trivial to get an app to change the mac address, so it's not exactly foolproof.  I told my kid that it's his reminder, not designed to be foolproof.



  • …today I found some states (I think it was one of these game IPs) 1.5 hours after the block kicked in and a subsequent pfctl -F state.

    I don't believe any longer in any of those firewalls, rules, whatsoever. An open browser is apparently enough to restart the states, no idea how that works...



  • Try what I do.  I know it works because right on the hour, he walks out of his room and gets a snack every day.  If the game he was playing was still working, he would still be in there!


  • LAYER 8 Global Moderator

    "1.5 hours after the block kicked in and a subsequent pfctl -F state."

    You're sure your command ran and cleared the states?  If pfctl -f or -F clears the states and your rules don't allow traffic then something is clearly not right in the rules, or the states were not cleared, would be my guess.

