Scheduling the enabling of a firewall rule?

I have a handful of firewall rules that I would like to be automatically enabled at a certain time of day (to block devices from the internet at bedtime), but I would like for them to be manually turned on/off at will; it is just that at a certain time (22:00) the rules are enabled no matter what their current status is.
Is there a way to do that from a cron file?
I found some info in the wiki, but it appears to be completely creating the rule from scratch, I just want to set this rule to be enabled at 22:00 every day.

Thanks

Aaron Z

See this thread for enabling traffic rules from the shell...


The combination of on/off at will + on/off on a schedule is fine, but requires a bit of additional clarity to determine the default state.

  • You can make a default state that blocks internet access. If you do this, your time based rule would be except when explicitly allowed by a rule. In that case, the rule would be structured to allow access during the allowed time (so 0800-2100, as an example). If you disable this rule during the day, it will disable internet access. If you leave it disabled, internet is always off.
  • You can do the reverse, where the rule blocks access that is default enabled. In this case, if you disable the rule, it enables internet 24/7.

Deciding the default state should be the first step and then build the rules accordingly.


Thanks @anon89577378
I should be able to enable the rules en masse and then reload/commit them, correct?

@psherman I want to enable the rule (which blocks access) unless it's manually disabled, then re-enable the rule at bed time (the rules block particular devices from getting online; they are only allowed online after chores/schoolwork are done, and this way it will block them unless we have enabled it for that day).

If I am reading that thread correctly, I should be able to do something like this to enable rules 1-6 every day at 22:00:
In the crontab file:
0 22 * * * /bin/sh /etc/config/blockdevices.sh

In /etc/config/blockdevices.sh

# /etc/config/blockdevices.sh, run by cron via /bin/sh: enable the first ten rules
uci set firewall.@rule[0].enabled=1
uci set firewall.@rule[1].enabled=1
uci set firewall.@rule[2].enabled=1
uci set firewall.@rule[3].enabled=1
uci set firewall.@rule[4].enabled=1
uci set firewall.@rule[5].enabled=1
uci set firewall.@rule[6].enabled=1
uci set firewall.@rule[7].enabled=1
uci set firewall.@rule[8].enabled=1
uci set firewall.@rule[9].enabled=1
# Commit the change, then reload the firewall so the running rules match the
# saved config. Plain sh has no &> operator, so redirect both streams explicitly.
uci commit firewall
fw3 reload >/dev/null 2>&1

Thanks

Aaron Z

You don't need to use cron jobs if you are using a recent version of OpenWrt. I don't recall when it was added, but certainly 21.02 has time-based firewall rules.

Regarding your default state and rule -- consider the situation where you disable the rule and forget (or don't have a chance) to re-enable it.

That said, this is where cron jobs can be useful in that they can re-enable or re-disable the rule if you forget to do so.

I want the rule enabled 24x7 UNLESS we disable it for that day and then it should be re-enabled once 21:30 rolls around.
Otherwise we have repeatedly found certain young household residents awake and watching YouTube at 2:30AM because they "couldn't sleep".

Aaron Z

@aczlan - sorry in advance if I'm adding any confusion (or if I'm not understanding your desired situation). Chances are you already have the right idea of how to implement this (with cron jobs), but I'm just trying to think of options that might be easier to manage and/or more efficient to implement.

It seems like your default state is to not allow internet unless you specifically want to give them access -- so 24/7 block, except for when explicitly allowed by manual intervention. Then, at 2130, the internet should always be disabled and remain disabled until you explicitly enable it again. Am I understanding that correctly?

That is correct.
Cron jobs and scripts aren't a big deal, the piece I was missing was the uci commands and putting them into a script.

Aaron Z

Ok. Yup... Cron jobs and the syntax above should do the trick. Default allow vs default block are probably equivalent in your situation. I'm thinking I didn't really add anything but extra complexity in this discussion... lol. Sorry about that.

No problem, always good to make sure I have everything straight in my head.

@vgaetera thanks for the link, but I want the rule to always be on unless I manually turn it off, then turn back on automatically at a preset time. The time-based rules built into the firewall LuCI pages would not work in my situation.

Aaron Z

Here is what I ended up with (note that the top rule in the list in LuCI is rule 0, not rule 1):

In the cron file:
0 22 * * * /bin/sh /etc/config/blockdevices.sh

In /etc/config/blockdevices.sh

# /etc/config/blockdevices.sh, run by cron via /bin/sh: enable the first ten rules
uci set firewall.@rule[0].enabled=1
uci set firewall.@rule[1].enabled=1
uci set firewall.@rule[2].enabled=1
uci set firewall.@rule[3].enabled=1
uci set firewall.@rule[4].enabled=1
uci set firewall.@rule[5].enabled=1
uci set firewall.@rule[6].enabled=1
uci set firewall.@rule[7].enabled=1
uci set firewall.@rule[8].enabled=1
uci set firewall.@rule[9].enabled=1
# Commit the change, then reload the firewall so the running rules match the
# saved config. Plain sh has no &> operator, so redirect both streams explicitly.
uci commit firewall
fw3 reload >/dev/null 2>&1

Then I had to restart cron:
/etc/init.d/cron restart

Hope that helps someone else down the road.

Aaron Z
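The note above that the top rule in LuCI is `@rule[0]` points at the weak spot of the index-based script: every `@rule[N]` position shifts when a rule is added, deleted or dragged to a new place in LuCI, so the bedtime job can silently start enabling the wrong rules. The script below is an added example, not code from the thread or from OpenWrt: it resolves rules by their `name` option in the output of `uci show firewall`, refuses to proceed if a name is missing, and commits before reloading. The rule names, the constructed `uci show` sample, the install path `/etc/blockdevices.sh` and the cron line are all assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread: enable OpenWrt firewall rules by their
# 'name' option rather than by @rule[N] position. Assumed install path
# /etc/blockdevices.sh and assumed cron line:
#   0 22 * * * /bin/sh /etc/blockdevices.sh Block-Tablet Block-Console
# The rule names used here are constructed for the example.

# Constructed stand-in for `uci show firewall` output, so the helpers can be
# exercised on a machine that has no uci binary.
sample_uci_show() {
cat <<'EOF'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].enabled='1'
firewall.@rule[1]=rule
firewall.@rule[1].name='Block-Tablet'
firewall.@rule[1].enabled='0'
firewall.@rule[2]=rule
firewall.@rule[2].name='Block-Console'
EOF
}

# Read `uci show firewall` lines on stdin and print the index N of the
# @rule[N] section whose name option equals $1 (prints nothing if no match).
rule_index_by_name() {
    awk -v want="$1" -F"'" '
        /^firewall\.@rule\[[0-9]+\]\.name=/ && $2 == want {
            idx = $1
            sub(/^firewall\.@rule\[/, "", idx)
            sub(/\].*/, "", idx)
            print idx
        }'
}

# Read `uci show firewall` on stdin; print one `uci set ... enabled=1` line per
# rule name given as an argument. Returns 1 if any name is not found, so a typo
# or a renamed rule is reported instead of silently leaving a device unblocked.
enable_rule_cmds() {
    show="$(cat)"
    rc=0
    for name in "$@"; do
        idx="$(printf '%s\n' "$show" | rule_index_by_name "$name")"
        if [ -z "$idx" ]; then
            echo "blockdevices: no firewall rule named '$name'" >&2
            rc=1
            continue
        fi
        printf 'uci set firewall.@rule[%s].enabled=1\n' "$idx"
    done
    return "$rc"
}

# On the router: resolve names against the live config, apply the settings,
# commit, then reload so the running firewall matches what was committed.
apply_rules() {
    cmds="$(uci show firewall | enable_rule_cmds "$@")" || return 1
    printf '%s\n' "$cmds" | sh -e || return 1
    uci commit firewall
    /etc/init.d/firewall reload >/dev/null 2>&1
}

# Only act when rule names are passed on the command line (as the cron job does).
if [ "$#" -gt 0 ]; then
    apply_rules "$@"
fi
```

If you would rather not parse `uci show` at all, give the rule sections fixed names in `/etc/config/firewall` (`config rule 'block_tablet'` instead of an anonymous `config rule`); the job then becomes a plain `uci set firewall.block_tablet.enabled=1` per device, and LuCI reordering no longer matters either way.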

# Firewall rules are enabled unless the option says otherwise, so removing the
# 'enabled' option from @rule[0]..@rule[9] turns them all back on without
# touching each one; -q keeps uci quiet when the option is already absent.
for I in $(seq 0 9)
do uci -q delete firewall.@rule[${I}].enabled
done
uci commit firewall
/etc/init.d/firewall reload

Thanks, that is far more elegant than my solution.

Aaron Z

