Schedules for rules, want to reset states just before blocking
-
My goal is to block outbound internet access for a particular group of devices at night, and allow during the day. Based on how the deny rules work when on a schedule, an existing connection will be maintained once the deny rule goes into effect. To get around this, I am going to use an "allow" schedule that ends just as the "deny" schedule begins. When the "allow" schedule and rule end, it should reset the firewall states, killing the connections, at which point the "deny" rule keeps any new connections from being made.
I have a few questions about this setup:
1. Is there an easier way to accomplish this?
2. Should the "allow" schedule overlap the "deny" schedule, and will this be OK? For example, the allow ends at 22:00; can the deny also start at 22:00, or will this cause a conflict?
3. With a schedule, when you have it set to end at :59, does that mean the last possible second before the next hour, or does it mean more like :59:00? This may affect the answer to question #2.
-
After a bit of testing I have discovered the following: a schedule ending in :59 will end as soon as the clock hits :59. For example, a schedule set to start or stop at 22:59 will be 22:59:00 and not 22:59:59. For what I am trying to do, this introduces a complication. I want a blocking schedule that goes from 10pm until 6am. The closest I can seem to get is to add two times to one schedule. One time goes 22:00-23:59 and another time goes 00:00-6:00. The problem is that this leaves a one minute gap, during which time the affected devices can reconnect to services. Since existing connections are maintained, anything that reconnected during this gap now stays connected.
Any ideas to get around this? Is there another way to block internet access for only some devices based on an access schedule?
-
Two rules:
1. Allow from 6:00-22:00
2. Block rule underneath to match the same traffic with no schedule
When the schedule expires it acts like the scheduled rule does not exist and hits the block rule instead.
-
Thanks. I did some further reading here on the forums and read about just using an "Allow" schedule and disabling the default "allow any" LAN rules. This way the allow schedule for the specified devices expires, and the states are reset. I am testing that out now. I have the Allow schedule tied to an alias of specified devices, disabled the default "allow any" LAN rules, and created a new "allow any" LAN rule that uses an inverse selection (NOT the alias list). Now that I have read a little about doing things this way, it makes sense. I'll see how this works.
There is still the scheduling gap issue, if you want a schedule to span midnight. An Allow schedule would have to stop at 23:59 and start again at 0:00, which leaves a one minute gap. For my particular situation this isn't a big deal, but I could see it being an issue under certain circumstances.
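As an added illustration (not code from this thread or from pfSense), the following Python models the two behaviours the posters describe: a schedule range is active from its start minute inclusive to its end minute exclusive (so an end of 23:59 means 23:59:00, as found by testing above), and a scheduled rule whose schedule is inactive is skipped so evaluation falls through to the next rule. It checks both designs discussed: a scheduled block spanning midnight as two ranges (Design A, which has the one-minute hole), and a scheduled day-time allow with an unscheduled block underneath (Design B). The rule representation, function names and the `uncovered_minutes` gap finder are assumptions made for this example; the schedules are constructed from the times quoted in the thread.

```python
from datetime import time

# Assumption from the thread's testing: a range "HH:MM-HH:MM" is active from
# its start minute (inclusive) up to its end minute (exclusive), so an end of
# 23:59 means 23:59:00, not 23:59:59.

def parse_hm(s):
    """'HH:MM' -> minute of day (0..1439)."""
    h, m = s.split(":")
    return int(h) * 60 + int(m)

def minute_of_day(t):
    return t.hour * 60 + t.minute

def schedule_active(ranges, t):
    """ranges: list of ('HH:MM', 'HH:MM') pairs; t: datetime.time."""
    mod = minute_of_day(t)
    return any(parse_hm(a) <= mod < parse_hm(b) for a, b in ranges)

def first_match(rules, t):
    """Top-down, first-match evaluation as the thread describes it.
    Each rule is (action, ranges); ranges=None means unscheduled (always
    matches). A scheduled rule whose schedule is inactive is skipped.
    Falls back to 'block' (default deny) if nothing matches."""
    for action, ranges in rules:
        if ranges is None or schedule_active(ranges, t):
            return action
    return "block"

def uncovered_minutes(ranges, start, end):
    """Minutes from start to end (wrapping past midnight) that no range
    covers, as 'HH:MM' strings. Finds the hole in a midnight-spanning
    schedule built from two ranges."""
    s, e = parse_hm(start), parse_hm(end)
    total = (e - s) % 1440 or 1440
    gaps = []
    for i in range(total):
        mod = (s + i) % 1440
        if not schedule_active(ranges, time(mod // 60, mod % 60)):
            gaps.append(f"{mod // 60:02d}:{mod % 60:02d}")
    return gaps

# Design A (constructed from the first attempt): scheduled block rule that
# spans midnight as two ranges, above an unscheduled allow.
NIGHT_BLOCK = [("22:00", "23:59"), ("00:00", "06:00")]
DESIGN_A = [("block", NIGHT_BLOCK), ("pass", None)]

# Design B (constructed from the suggested fix): scheduled allow for the day,
# with an unscheduled block rule underneath catching everything else.
DAY_ALLOW = [("06:00", "22:00")]
DESIGN_B = [("pass", DAY_ALLOW), ("block", None)]

if __name__ == "__main__":
    print("Design A hole:", uncovered_minutes(NIGHT_BLOCK, "22:00", "06:00"))
    for hms in ("21:59:59", "22:00:00", "23:59:30", "00:00:00", "05:59:59", "06:00:00"):
        t = time.fromisoformat(hms)
        print(hms, "A:", first_match(DESIGN_A, t), "B:", first_match(DESIGN_B, t))
```

Running it shows Design A passing traffic during the 23:59 minute while Design B blocks continuously from 22:00:00 until 05:59:59, because the allow schedule simply has no active range at night and there is nothing for the block to span. It also shows why an allow ending at 22:00 and a block starting at 22:00 do not overlap under these semantics: 22:00:00 falls outside the allow range and inside the block range.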