I have a handful of firewall rules that I would like to be automatically enabled at a certain time of day (to block devices from the internet at bedtime), but I would like for them to be manually turned on/off at will, just at a certain time (22:00) the rules are enabled no matter what their current status is.
Is there a way to do that from a cron file?
I found some info in the wiki, but it appears to be completely creating the rule from scratch, I just want to set this rule to be enabled at 22:00 every day.
The combination of on/off at will + on/off on a schedule is fine, but requires a bit of additional clarity to determine the default state.
You can make a default state that blocks internet access. If you do this, your time based rule would be except when explicitly allowed by a rule. In that case, the rule would be structured to allow access during the allowed time (so 0800-2100, as an example). If you disable this rule during the day, it will disable internet access. If you leave it disabled, internet is always off.
You can do the reverse, where the rule blocks access that is default enabled. In this case, if you disable the rule, it enables internet 24/7.
Deciding the default state should be the first step and then build the rules accordingly.
Thanks @anon89577378
I should be able to enable the rules en masse and then reload/commit them, correct?
@psherman I want to enable the rule (which blocks access) unless it's manually disabled, then re-enable the rule at bed time (the rules block particular devices from getting online, they are only allowed online after chores/schoolwork are done and this way it will block them unless we have enabled it for that day).
If I am reading that thread correctly, I should be able to do something like this to enable rules 1-6 every day at 22:00:
In the crontab file: 0 22 * * * /bin/sh /etc/config/blockdevices.sh
In /etc/config/blockdevices.sh
uci set firewall.@rule[0].enabled=1
uci set firewall.@rule[1].enabled=1
uci set firewall.@rule[2].enabled=1
uci set firewall.@rule[3].enabled=1
uci set firewall.@rule[4].enabled=1
uci set firewall.@rule[5].enabled=1
uci set firewall.@rule[6].enabled=1
uci set firewall.@rule[7].enabled=1
uci set firewall.@rule[8].enabled=1
uci set firewall.@rule[9].enabled=1
fw3 reload &>/dev/null
uci commit firewall
You don't need to use cron jobs if you are using a recent version of OpenWrt. I don't recall when it was added, but certainly 21.02 has time based firewall rules.
Regarding your default state and rule -- consider the situation where you disable the rule and forget (or don't have a chance) to re-enable it.
That said, this is where cron jobs can be useful in that they can re-enable or re-disable the rule if you forget to do so.
I want the rule enabled 24x7 UNLESS we disable it for that day and then it should be re-enabled once 21:30 rolls around.
Otherwise we have repeatedly found certain young household residents awake and watching YouTube at 2:30AM because they "couldn't sleep".
@aczlan - sorry in advance if I'm adding any confusion (or if I'm not understanding your desired situation). Chances are you already have the right idea of how to implement this (with cron jobs), but I'm just trying to think of options that might be easier to manage and/or more efficient to implement.
It seems like your default state is to not allow internet unless you specifically want to give them access -- so 24/7 block, except for when explicitly allowed by manual intervention. Then, at 2130, the internet should always be disabled and remain disabled until you explicitly enable it again. Am I understanding that correctly?
Ok. Yup... Cron jobs and the syntax above should do the trick. Default allow vs default block are probably equivalent in your situation. I'm thinking I didn't really add anything but extra complexity in this discussion... lol. Sorry about that.
No problem, always good to make sure I have everything straight in my head.
@vgaetera thanks for the link, but I want the rule to always be on unless I manually turn it off, then turn back on automatically at a preset time. The time based rules built into the firewall LuCI pages would not work in my situation.
Here is what I ended up with (note that the top rule in the list in LuCI is rule 0, not rule 1):
In the cron file: 0 22 * * * /bin/sh /etc/config/blockdevices.sh
In /etc/config/blockdevices.sh
uci set firewall.@rule[0].enabled=1
uci set firewall.@rule[1].enabled=1
uci set firewall.@rule[2].enabled=1
uci set firewall.@rule[3].enabled=1
uci set firewall.@rule[4].enabled=1
uci set firewall.@rule[5].enabled=1
uci set firewall.@rule[6].enabled=1
uci set firewall.@rule[7].enabled=1
uci set firewall.@rule[8].enabled=1
uci set firewall.@rule[9].enabled=1
fw3 reload &>/dev/null
uci commit firewall
Then I had to restart cron
'/etc/init.d/cron restart'
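An added example, not written by anyone in the thread: the same 22:00 job, but selecting rules by name instead of by index, because `@rule[N]` positions change whenever rules are added or reordered. The `kids-` name prefix and the `run` argument are assumptions made for this sketch; `uci` and `fw3 reload` are used as in the posts above.

```sh
#!/bin/sh
# Added example, not from the thread: enable firewall rules chosen by name
# rather than by list position, so reordering rules does not change what the
# 22:00 cron job touches.
# Assumption: the blocking rules have names starting with "kids-" (hypothetical).
PREFIX="${PREFIX:-kids-}"

# Print the index of every firewall rule whose name starts with $1.
matching_rules() {
    i=0
    # "uci -q get" on a section fails once $i is past the last rule.
    while uci -q get "firewall.@rule[$i]" >/dev/null; do
        # Unnamed rules make uci return non-zero; treat them as no match.
        name=$(uci -q get "firewall.@rule[$i].name") || name=""
        case "$name" in
            "$1"*) echo "$i" ;;
        esac
        i=$((i + 1))
    done
}

# Same reload command the thread uses, with POSIX sh redirection.
reload_firewall() {
    fw3 reload >/dev/null 2>&1
}

# Enable every matching rule, commit, reload. Returns 1 if nothing matched.
enable_rules() {
    idxs=$(matching_rules "$1")
    if [ -z "$idxs" ]; then
        echo "no firewall rule named $1*" >&2
        return 1
    fi
    for i in $idxs; do
        uci set "firewall.@rule[$i].enabled=1"
    done
    uci commit firewall
    reload_firewall
}

# Cron entry: 0 22 * * * /bin/sh /etc/config/blockdevices.sh run
if [ "${1:-}" = "run" ]; then
    enable_rules "$PREFIX"
fi
```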