po220
August 25, 2023, 8:23pm
1
Hello
I want to block internet access on a network during a time range.
I tested with
config rule
    option target 'REJECT'
    option start_time '09:00:00'
    option stop_time '11:30:00'
    option name 'test'
    option src 'Tutu'
    option dest 'wan'
    list proto 'all'
The problem is that it does not block connections that are already open, for example Discord or Thunderbird continue to receive messages until they are closed.
How can I block everything?
Thanks
po220
August 25, 2023, 8:49pm
3
How can I do that?
I don't find an option for the rule.
Hi
One option is to reboot the router after the firewall rule changes:
/etc/crontabs/root
00 09 * * * touch /etc/banner && sleep 70 && reboot
30 11 * * * touch /etc/banner && sleep 70 && reboot
egc
August 26, 2023, 6:13am
5
On another third-party firmware this kind of problem was related to flow offloading.
If you have this enabled, it will have your connections go outside the firewall; not sure if this is true for OpenWrt.
But if you have flow offloading enabled, you could test whether your rule works after disabling flow offloading.
You can also flush the conntrack table after the rule takes effect by running:
echo f >/proc/net/nf_conntrack
This should force all existing connections to be re-evaluated by the firewall rules. If flow offloading is active, it might not work perfectly.
po220
August 28, 2023, 7:51am
8
Looks great but at this point I don't understand what it does or where to put it.
I'm trying to understand the vocabulary elements already...
Connect to OpenWrt with SSH and copy-paste the block of code to the terminal as is.
po220
August 28, 2023, 8:32am
10
This changes the behavior of the firewall; isn't it just a rule that must be reapplied for each time period?
OpenWrt firewall relies on connection tracking to allow established/related connections using a built-in rule that is problematic to disable by normal means.
po220
September 3, 2023, 9:10am
12
I can't figure out this script that goes too deep into how the router works; I can't afford to use that.
I tried other things (with cron rather than with firewall rules)
00 09 * * * ifdown InterfaceName
30 11 * * * ifup InterfaceName
It works well but it's too violent: I no longer have access to the router while the interface is stopped...
I tried other things (with change of internet gateway)
50 10 * * * uci set network.InterfaceName.ipaddr="0.0.0.0"; uci commit network; InterfaceName restart
55 10 * * * uci set network.InterfaceName.ipaddr="192.168.1.1"; uci commit network; InterfaceName restart
But it doesn't work; I can't understand the uci commands.
How can I change the internet gateway with crontab?
Thanks
The script reorders the rules like this:
# Before
> nft list chain inet fw4 forward
table inet fw4 {
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
        iifname "br-lan" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
        iifname "eth0" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
        jump handle_reject
    }
}
# After
> nft list chain inet fw4 forward
table inet fw4 {
    chain forward {
        type filter hook forward priority filter; policy drop;
        iifname "br-lan" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
        iifname "eth0" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
        ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
        jump handle_reject
    }
}
This makes established connections follow the time restrictions.
Now you know and can use it.
po220
September 3, 2023, 12:43pm
14
There I see better, but I can't find it. Where can we find these rules (before/after) in the router?
And why isn't it like that by default?
PS: I'm still interested in knowing how to make a UCI command to change the network file.
Check the output:
nft list chain inet fw4 forward
The way it works by default can process rules a bit faster in theory.
However, in practice the difference should be negligible to the point of none.
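The "before"/"after" listings above and the "Check the output" advice both come down to one question: in `nft list chain inet fw4 forward`, does the `ct state established,related accept` rule sit above or below the `jump forward_<zone>` rules? The following script is an added example, not code from the thread or from OpenWrt; it reads that listing on stdin and reports which order it finds. The function name `fw4_established_order` and the variables `FW4_BEFORE`/`FW4_AFTER` are my own; the two sample listings are copied from the before/after output quoted in the thread so the script runs off the router.

```shell
#!/bin/sh
# Added example (not from the thread): audit the rule order of fw4's forward
# chain. If "ct state established,related accept" sits above the zone jumps,
# flows opened before a time-ranged REJECT rule starts are never evaluated
# against it, which is the behaviour described for Discord and Thunderbird.
#
# On the router, after copying this file there and sourcing it:
#   nft list chain inet fw4 forward | fw4_established_order

# Reads an `nft list chain inet fw4 forward` listing on stdin and prints:
#   bypass   - the established/related accept precedes the first "jump forward_<zone>"
#   enforced - the accept comes after the zone jumps, so time rules reach existing flows
#   unknown  - one of the two rules was not found in the listing
fw4_established_order() {
    awk '
        /ct state established,related accept/ && !ct   { ct = NR }
        /jump forward_/                       && !zone { zone = NR }
        END { if (!ct || !zone) { print "unknown" } else if (ct < zone) { print "bypass" } else { print "enforced" } }
    '
}

# Sample listings copied from the "before"/"after" output quoted in the thread.
FW4_BEFORE=$(cat <<'EOF'
table inet fw4 {
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
        iifname "br-lan" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
        iifname "eth0" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
        jump handle_reject
    }
}
EOF
)

FW4_AFTER=$(cat <<'EOF'
table inet fw4 {
    chain forward {
        type filter hook forward priority filter; policy drop;
        iifname "br-lan" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
        iifname "eth0" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
        ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
        jump handle_reject
    }
}
EOF
)

# Print the verdict for a named listing passed as the second argument.
report() {
    printf '%-8s %s\n' "$1" "$(printf '%s\n' "$2" | fw4_established_order)"
}

# Demonstration on the two listings from the thread.
report before "$FW4_BEFORE"
report after  "$FW4_AFTER"
```

Run it anywhere with `sh check_fw4_order.sh` to see `before bypass` and `after enforced`; on the router, pipe the live listing into `fw4_established_order` after each firewall reload to confirm the reordering survived it.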
po220
September 3, 2023, 1:01pm
16
vgaetera:
Check the output:
Isn't there a file where all this is stored? (I don't find it in the backup.)
krazeh
September 3, 2023, 1:19pm
17
The firewall rules are dynamically created from the config in /etc/config/firewall when the firewall service (re)starts. So no, there is no file with all the rules in.
You can view all the current rules by running 'nft list ruleset' at the command line.