Firewall: how to force drop of existing connections

Hi

I'm using time-based rules like this:

config rule
option weekdays 'Sun Mon Tue Wed Thu'
option src 'lan'
option name 'Desktop offtime: week night'
list src_ip '192.168.188.130'
option dest 'wan'
option target 'REJECT'
option start_time '22:15:00'
option stop_time '07:00:00'

and they seem to be basically working, but I've noticed that although new connections are blocked it seems that existing connections stay up. That's an issue as it doesn't kick my son off of Minecraft!

I found a setting (nf_conntrack_skip_filter) which I think might be related, but it seems to be deprecated or not recommended according to this page:

https://oldwiki.archive.openwrt.org/doc/uci/firewall#nf_conntrack_skip_filter

Does anyone know if that information is current, or if there is a newer/preferred way of doing this?

Thanks

Make sure to reorder firewall rules to properly apply time restrictions, otherwise the default rule order prevents closing already established connections.

1 Like

Ah...that helps a lot, many thanks!

Hi @trendy - I hope you don't mind a follow-up question.

Should I run that script just once, or once after every /etc/config/firewall edit, or regularly as a cron job?

Thanks

1 Like

That's correct.

1 Like

This topic was automatically closed 0 minutes after the last reply. New replies are no longer allowed.