Firewall Block schedule

[Chewwy42]

I have a FW block setup to block all traffic to my step daughters phone and PC From 10p-6a, otherwise she would be up all night. Now it does work, sort of.... Issue is that if she is in middle of streaming a movie or video chat, ect. When 10p comes it will not stop here device. Only if she stops will it then block it from that point forward.
Any thoughts on how I can get this to block regardless if there is an already open connection?

[chemlud]

...I do this on pfsense by a cron rule at 10 pm (in your example) killing all existing states (not only for the IPs of kids devices, as I found this not to work reliably).

Code: [Select]

/sbin/pfctl -F state
Is there cron on opnsense? Dunno

[you]

I am in the same situation with my son, just now

After only 5 days he realized, that 6pm doesn't necessarily mean, that he can't watch f.e. youtube or listen to tidal anymore. He proudly told me today

I explained that this is true for all minutes that have already been downloaded by browser/app BEFORE 6pm. And he confirmed "Right Dad, I cannot switch to something new anymore".

Maybe I miss something in regards to "existing states" - although I would expect a scheduling function to clear states automatically - OR the problem is only an "already-in-queue" issue, which can only be managed on OS level of the devices.

[3kj2w]

try to do this using 2 rules:
first: allow rule for that alias ip for scheduled time defined.
second: block rule for that alias ip all the time.

when first rule is not active traffic will be dropped for that IP regardless of connection state.

p.s. in my case I allow traffic to private LANs all the time.

[Chewwy42]

try to do this using 2 rules:
first: allow rule for that alias ip for scheduled time defined.
second: block rule for that alias ip all the time.

when first rule is not active traffic will be dropped for that IP regardless of connection state.

p.s. in my case I allow traffic to private LANs all the time.

Thanks, just set this up and will see how it goes tonight...

[Chewwy42]

try to do this using 2 rules:
first: allow rule for that alias ip for scheduled time defined.
second: block rule for that alias ip all the time.

when first rule is not active traffic will be dropped for that IP regardless of connection state.

p.s. in my case I allow traffic to private LANs all the time.

Thanks, just set this up and will see how it goes tonight...

Tried it last night and no go. She was on a video chat @ 10 when I had it set to block and @ 10:05 she was still chatting away!

[franco]

Try to set to 59, the schedules restart at 0,15,30,45 minutes of the hour. It may be a hit and miss.

[krad]

I'm a bit late to this but this seems to work and should be a bit more atomic that scripted things stopping the race between state creation and the block rule.

I have a rule very early on like this

block return in quick on private from <stop> to any

I then cron things like this

pfctl -F states  -t stop -T add 192.168.210.85
3776 states cleared
1/1 addresses added.

[krad]

<stop> being an empty table/alias I have defined