Blocking connection on time range

Hello

I want to block internet access on a network during a time range.
I tested with

config rule
	option target 'REJECT'
	option start_time '09:00:00'
	option stop_time '11:30:00'
	option name 'test'
	option src 'Tutu'
	option dest 'wan'
	list proto 'all'

The problem is that it does not block connections that are already open; for example, Discord or Thunderbird continue to receive messages until they are closed.

How can I block everything?

Thanks

1 Like

Force a disconnect.

How can I do that?
I don't find an option for the rule.

Hi

One option is to reboot the router after the firewall rule change.

/etc/crontabs/root

00 09 * * *  touch /etc/banner && sleep 70 && reboot
30 11 * * *  touch /etc/banner && sleep 70 && reboot

On another third-party firmware this kind of problem was related to flow offloading.

If you have this enabled it will have your connection go outside the firewall; not sure if this is true for OpenWRT.

But if you have flow offloading enabled you could test whether your rule works after disabling flow offloading.

https://openwrt.org/docs/guide-user/firewall/fw3_configurations/dns_ipset#established_connections

2 Likes

You can also flush the conntrack table after the rule takes effect by running:

echo f >/proc/net/nf_conntrack

This should force all existing connections to be re-evaluated by the firewall rules. If flow offloading is active, it might not work perfectly.

Looks great but at this point I don't understand what it does or where to put it.

I'm trying to understand the vocabulary elements already...

Connect to OpenWrt with SSH and copy-paste the block of code to the terminal as is.

This changes the behavior of the firewall; isn't it just a rule that must be reapplied for each time period?

OpenWrt firewall relies on connection tracking to allow established/related connections using a built-in rule that is problematic to disable by normal means.

I can't figure out this script, which goes too deep into how the router works; I can't afford to use that.

I tried other things (with cron rather than with firewall rules):

00 09 * * * ifdown InterfaceName
30 11 * * * ifup InterfaceName

It works well but it's too violent; I no longer have access to the router while the interface is stopped...

I tried other things (by changing the internet gateway):

50 10 * * * uci set network.InterfaceName.ipaddr="0.0.0.0"; uci commit network; InterfaceName restart
55 10 * * * uci set network.InterfaceName.ipaddr="192.168.1.1"; uci commit network; InterfaceName restart

But it doesn't work; I can't understand the uci commands.

How can I change the internet gateway with crontab?

Thanks

The script reorders the rules like this:

# Before
> nft list chain inet fw4 forward
table inet fw4 {
	chain forward {
		type filter hook forward priority filter; policy drop;
		ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
		iifname "br-lan" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
		iifname "eth0" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
		jump handle_reject
	}
}

# After
> nft list chain inet fw4 forward
table inet fw4 {
	chain forward {
		type filter hook forward priority filter; policy drop;
		iifname "br-lan" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
		iifname "eth0" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
		ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
		jump handle_reject
	}
}

This makes established connections follow the time restrictions.
Now you know and can use it.

5 Likes

There I see better but I can't find it. Where can we find these rules (before/after) in the router?

And why isn't it like that by default?

PS: I'm still interested in knowing how to make a uci command to change the network file.

Check the output:

nft list chain inet fw4 forward

The way it works by default can process rules a bit faster in theory.
However, in practice the difference should be negligible to the point of none.

2 Likes

Isn't there a file where all this is stored? (I don't find it in the backup.)

The firewall rules are dynamically created from the config in /etc/config/firewall when the firewall service (re)starts. So no, there is no file with all the rules in it.

You can view all the current rules by running 'nft list ruleset' at the command line.

2 Likes

Is this the correct procedure for uninstall?

rm /etc/nftables.d/estab.sh
uci -q delete firewall.estab
uci commit firewall
service firewall restart