Schedule Based Firewall Rules

Started by PWCDC, February 21, 2021, 05:52:58 PM

What is the current recommended way to set up scheduled firewall rules for blocking specific clients from the internet?

I've found a few threads on this forum, but they are quite old and trying the recommendations doesn't work entirely. For instance, simply setting a scheduled block rule in the floating rules is effective, but won't kill existing connections.

I have the schedule and the aliases set up the way I want them, and they appear to work. The only quirk is terminating existing connections. Is there a trick I'm missing?

Strangely enough we had a thread quite recently, which I can't find anymore (and not my posts either...).

I use scheduled block rules and run cron jobs to kill all (!) states the minute after the block becomes effective. In the recent thread a user described scheduled allow rules, which apparently worked iirc, but no way to confirm. :-(
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

felix eichhorns premium katzenfutter mit der extraportion energie

A router is not a switch - A router is not a switch - A router is not a switch - A rou....

Hmm.

I don't see that as an option in the Cron dropdown.

Is there a way to invert schedules? I had thought about using two rules: one to allow, based on a schedule, and then another to block based on the same schedule. The problem is I would have to create redundant schedules for each block and pass rule. Seems awkward.

February 23, 2021, 06:07:25 PM #3 Last Edit: February 23, 2021, 06:09:13 PM by chemlud
It's a little more complicated.

https://forum.opnsense.org/index.php?topic=10740.msg49334#msg49334

:-)

Still don't understand why the thread from December 2020 (or so) is not there anymore...

only found this one

https://forum.opnsense.org/index.php?topic=13256.0
kind regards
chemlud

March 03, 2021, 12:11:27 PM #4 Last Edit: March 03, 2021, 12:20:07 PM by Atomical
Hi PWCDC,

I have set mine up to block the kids' internet access at certain times.

Create a schedule to allow times that you want to allow internet traffic.
(Here's mine currently)
https://ibb.co/Jz1z3Q1

Now go to your LAN firewall rules and create a block internet rule for the IP addresses you want to restrict. Then add an allow rule for the same IP addresses and add the schedule to this.
Make sure you add this to the LAN net.
https://ibb.co/SBqH9CX
Make sure you add your schedule to this (not shown in the screenshot)

https://ibb.co/6rKHpNX

As chemlud says, it's a stateful firewall, so the rule doesn't kick in dead on the time you allow but the minute later.

So if you have a cut off say 21:59hrs it will stop at 22:00hrs

@chemlud, I think it was my post you were talking about, but it didn't work correctly the way I originally had it, as the connections stayed active slightly until I changed it to this method. Now connections drop and don't access or ping any internet connections at all.
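The cron-driven state kill chemlud mentions, combined with a check that the block window from Atomical's schedule has actually started, as an added example that is not code from any poster or from OPNsense itself. The alias name KidsDevices, the 22:00-06:00 window and the sample addresses are assumptions; `pfctl -t NAME -T show` and `pfctl -k HOST` are standard pfctl options on FreeBSD-based OPNsense.

```shell
#!/bin/sh
# Added example (not from any poster in this thread): flush pf states for the hosts in an
# OPNsense alias once a scheduled block window has started, meant to be run from cron in the
# first minute of the window. Alias name, window and sample hosts are assumptions.
ALIAS="${ALIAS:-KidsDevices}"        # hypothetical alias used by the block rule
BLOCK_START="${BLOCK_START:-22:00}"  # window start, HH:MM, matches the schedule
BLOCK_END="${BLOCK_END:-06:00}"      # window end, HH:MM (may be past midnight)

# HH:MM -> minutes since midnight (leading zero stripped to avoid octal parsing)
to_minutes() {
    h=${1%%:*}; m=${1##*:}
    echo $(( ${h#0} * 60 + ${m#0} ))
}

# Succeeds when the given HH:MM lies inside the block window, including windows
# that wrap around midnight (22:00-06:00)
in_window() {
    now=$(to_minutes "$1"); start=$(to_minutes "$BLOCK_START"); end=$(to_minutes "$BLOCK_END")
    if [ "$start" -lt "$end" ]; then
        [ "$now" -ge "$start" ] && [ "$now" -lt "$end" ]
    else
        [ "$now" -ge "$start" ] || [ "$now" -lt "$end" ]
    fi
}

# Hosts to act on: the live alias table where pfctl exists (pfctl -t NAME -T show),
# otherwise a constructed sample list so the logic can be exercised anywhere
alias_members() {
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -t "$ALIAS" -T show 2>/dev/null | tr -d ' '
    else
        printf '%s\n' 192.0.2.10 192.0.2.11   # constructed sample members
    fi
}

# Kill every state whose source is one of those hosts (pfctl -k HOST); in dry-run
# mode the commands are printed instead of executed
kill_states() {
    dry="${1:-yes}"
    alias_members | while read -r host; do
        [ -n "$host" ] || continue
        if [ "$dry" = "yes" ]; then echo "pfctl -k $host"; else pfctl -k "$host"; fi
    done
}

# Only touch the live firewall when invoked as: sh kill-blocked-states.sh run
if [ "${1:-}" = "run" ] && in_window "$(date +%H:%M)"; then
    kill_states no
fi
```

A cron entry one minute after the schedule starts (for this window, `1 22 * * * /usr/local/sbin/kill-blocked-states.sh run`) gives the same effect as the manual kill, restricted to the alias members rather than all states.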