Firewall: how to force drop of existing connections

Hi

I'm using time-based rules like this:

config rule
	option weekdays 'Sun Mon Tue Wed Thu'
	option src 'lan'
	option name 'Desktop offtime: week night'
	list src_ip '192.168.188.130'
	option dest 'wan'
	option target 'REJECT'
	option start_time '22:15:00'
	option stop_time '07:00:00'

and they seem to be basically working, but I've noticed that although new connections are blocked it seems that existing connections stay up. That's an issue as it doesn't kick my son off of Minecraft!

I found a setting (nf_conntrack_skip_filter) which I think might be related, but it seems to be deprecated or not recommended according to this page:

https://oldwiki.archive.openwrt.org/doc/uci/firewall#nf_conntrack_skip_filter

Does anyone know if that information is current, or if there is a newer/preferred way of doing this?

Thanks

Make sure to reorder firewall rules to properly apply time restrictions, otherwise the default rule order prevents closing already established connections.

2 Likes
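The reason the rule above only stops new connections is that the firewall's FORWARD chain accepts packets belonging to ESTABLISHED,RELATED conntrack flows before the zone forwarding rules (where a time-based REJECT lands) are consulted, so a flow that was set up before 22:15 keeps matching that accept until its conntrack entry goes away. Reordering the rules, as suggested in the reply, is one fix; a complementary one is to flush the host's conntrack entries when the window opens. The script below is an added example written for this thread, not code from the original post or from the OpenWrt project. It assumes the conntrack-tools package (opkg package name conntrack) is installed on the router, that the host, times and weekdays mirror the rule in the question, and that it is run from cron once a minute with the argument "run"; the function and file names are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread or OpenWrt): cut existing flows of
# a host when a time-based REJECT rule comes into effect, by deleting
# the host's conntrack entries. Meant to run from cron once per minute:
#   * * * * * /root/offtime-flush.sh run
# Needs the "conntrack" package (conntrack-tools) on the router.
# Host, window and weekdays below copy the rule in the original post
# and are assumptions for this example.

HOST="192.168.188.130"
START="22:15"
STOP="07:00"
DAYS="Sun Mon Tue Wed Thu"

# to_minutes HH:MM[:SS] -> minutes since midnight. One leading zero is
# stripped so "07"/"08" are not read as octal by the shell arithmetic.
to_minutes() {
    h=${1%%:*}
    m=${1#*:}
    m=${m%%:*}
    echo $(( ${h#0} * 60 + ${m#0} ))
}

# in_window NOW START STOP (all HH:MM): succeeds when NOW lies in the
# window. A window whose STOP is earlier than START wraps past
# midnight (22:15-07:00), which is the edge case the rule depends on.
in_window() {
    now=$(to_minutes "$1")
    s=$(to_minutes "$2")
    e=$(to_minutes "$3")
    if [ "$s" -le "$e" ]; then
        [ "$now" -ge "$s" ] && [ "$now" -lt "$e" ]
    else
        [ "$now" -ge "$s" ] || [ "$now" -lt "$e" ]
    fi
}

# day_listed DAY LIST: succeeds when the three-letter day name is in
# LIST. The day is the current day, matching the rule's weekday list
# the way the kernel time match evaluates it by default (each listed
# day gets both its late-evening and its early-morning part).
day_listed() {
    case " $2 " in
        *" $1 "*) return 0 ;;
    esac
    return 1
}

# should_flush DAY NOW: both checks together; succeeds when the rule
# is active right now and existing flows of HOST should be cut.
should_flush() {
    day_listed "$1" "$DAYS" && in_window "$2" "$START" "$STOP"
}

# flush_host IP: delete every conntrack entry with IP as original
# source or destination. conntrack -D returns non-zero when nothing
# matched, which is not an error here. With DRY_RUN=1 the commands are
# printed instead of executed, so the logic can be tried anywhere.
flush_host() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "conntrack -D -s $1; conntrack -D -d $1"
        return 0
    fi
    conntrack -D -s "$1" >/dev/null 2>&1 || true
    conntrack -D -d "$1" >/dev/null 2>&1 || true
    return 0
}

# main: evaluate the current day and time, flush if inside the window.
main() {
    day=$(LC_ALL=C date +%a)
    now=$(date +%H:%M)
    if should_flush "$day" "$now"; then
        flush_host "$HOST"
    fi
}

# Only act when invoked with "run", so the file can also be sourced
# to reuse or test the functions without touching conntrack.
case "${1:-}" in
    run) main ;;
esac
```

Flushing repeats every minute while the window is open, which is harmless because the REJECT rule stops the host from re-establishing anything, and it also covers the case where the firewall is reloaded mid-window. Run `DRY_RUN=1 sh offtime-flush.sh run` during the window to see the commands without deleting anything.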

Ah...that helps a lot, many thanks!

Hi @trendy - I hope you don't mind a follow-up question.

Should I run that script just once, or once after every /etc/config/firewall edit, or regularly as a cron job?

Thanks

1 Like

That's correct.

1 Like

This topic was automatically closed 0 minutes after the last reply. New replies are no longer allowed.