Firewall Block schedule

Started by Chewwy42, February 28, 2018, 06:42:55 PM

Previous topic - Next topic
Print
Go Down Pages1
User actions
February 28, 2018, 06:42:55 PM
I have a FW block setup to block all traffic to my step daughters phone and PC From 10p-6a, otherwise she would be up all night. Now it does work, sort of.... Issue is that if she is in middle of streaming a movie or video chat, ect. When 10p comes it will not stop here device. Only if she stops will it then block it from that point forward.
Any thoughts on how I can get this to block regardless if there is an already open connection?
February 28, 2018, 08:48:11 PM #1
...I do this on pfsense by a cron rule at 10 pm (in your example) killing all existing states (not only for the IPs of kids devices, as I found this not to work reliably).

Code Select
/sbin/pfctl -F state

Is there cron on opnsense? Dunno

kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

felix eichhorns premium katzenfutter mit der extraportion energie

A router is not a switch - A router is not a switch - A router is not a switch - A rou....
February 28, 2018, 09:30:48 PM #2
I am in the same situation with my son, just now :)

After only 5 days he realized, that 6pm doesn't necessarily mean, that he can't watch f.e. youtube or listen to tidal anymore. He proudly told me today :)

I explained that this is true for all minutes that have already been downloaded by browser/app BEFORE 6pm. And he confirmed "Right Dad, I cannot switch to something new anymore".

Maybe I miss something in regards to "existing states" - although I would expect a scheduling function to clear states automatically - OR the problem is only an "already-in-queue" issue, which can only be managed on OS level of the devices.

March 01, 2018, 05:13:39 PM #3 Last Edit: March 01, 2018, 05:15:18 PM by 3kj2w
try to do this using 2 rules:
first: allow rule for that alias ip for scheduled time defined.
second: block rule for that alias ip all the time.

when first rule is not active traffic will be dropped for that IP regardless of connection state.

p.s. in my case I allow traffic to private LANs all the time.
March 01, 2018, 06:31:19 PM #4 Last Edit: March 02, 2018, 07:01:49 PM by Chewwy42
Quote from: 3kj2w on March 01, 2018, 05:13:39 PM
try to do this using 2 rules:
first: allow rule for that alias ip for scheduled time defined.
second: block rule for that alias ip all the time.

when first rule is not active traffic will be dropped for that IP regardless of connection state.

p.s. in my case I allow traffic to private LANs all the time.

Thanks, just set this up and will see how it goes tonight...
March 02, 2018, 07:02:42 PM #5
Quote from: Chewwy42 on March 01, 2018, 06:31:19 PM
Quote from: 3kj2w on March 01, 2018, 05:13:39 PM
try to do this using 2 rules:
first: allow rule for that alias ip for scheduled time defined.
second: block rule for that alias ip all the time.

when first rule is not active traffic will be dropped for that IP regardless of connection state.

p.s. in my case I allow traffic to private LANs all the time.

Thanks, just set this up and will see how it goes tonight...

Tried it last night and no go. She was on a video chat @ 10 when I had it set to block and @ 10:05 she was still chatting away!
March 02, 2018, 07:17:02 PM #6
Try to set to 59, the schedules restart at 0,15,30,45 minutes of the hour. It may be a hit and miss.
November 06, 2018, 10:30:31 PM #7
I'm a bit late to this but this seems to work and should be a bit more atomic that scripted things stopping the race between state creation and the block rule.

I have a rule very early on like this

block return in quick on private from <stop> to any

I then cron things like this

pfctl -F states  -t stop -T add 192.168.210.85
3776 states cleared
1/1 addresses added.
November 06, 2018, 10:34:42 PM #8
<stop> being an empty table/alias I have defined
Print
Go Up Pages1
User actions