Temporary firewall rule (or nft entry?)

I want to avoid a flash write/rewrite cycle. I also want the rule to only persist until the next reboot (or until I undo the rule).

Is it possible to create a fw4 rule (or the equivalent nft rule) to, say, block a client device on your network from accessing the internet?

Consider a script that will let me manually run this: cause all traffic from that device to immediately stop, including existing connections, then wait 30 mins, and undo the block. This will be very useful to, say, block a teenager from gaming for 30 mins 'on demand' vs. needing to reconfigure a firewall rule each time.

I know I can do this using uci.x rules and committing a firewall change - but this will persist the settings.

Is this a fool's errand?

There is a way to create and apply rules without writing them to flash, but since you want to immediately break all established connections, you'd better use the nft command-line tool. This will also allow you to apply the rule(s) without restarting/reloading the firewall service.

To block a device by MAC:

nft insert rule inet fw4 forward ether saddr 00:11:22:33:44:55 counter drop comment "MyRule"

By IP:

nft insert rule inet fw4 forward ip saddr 192.168.1.135 counter drop comment "MyRule"

To delete the rule:

rn=$(nft -a list chain inet fw4 forward | grep MyRule | awk '{print $NF}')
nft delete rule inet fw4 forward handle $rn

I suspected nft was the right solution - and wow - you got this exactly right. Thank you. I've tagged your answer as the solution.

I'm wondering how different it would be to instead of blocking all traffic - slap a rate limit on it? Say not enough to reasonably stream youtube, or even browse the web at any speed - but enough to push messages from the machine?

nft appears to have better rate limiting capabilities than iptables - but this stuff is still magic for me.

I can only help with the firewall rules. You will need to do some testing to find out the right rate limit that suits your needs.

nft insert rule inet fw4 forward ip daddr 192.168.1.135 limit rate over 50 kbytes/second counter drop comment "Dl_Limit"
nft insert rule inet fw4 forward ip saddr 192.168.1.135 limit rate over 50 kbytes/second counter drop comment "Upl_Limit"

dl=$(nft -a list chain inet fw4 forward | grep Dl_Limit | awk '{print $NF}')
nft delete rule inet fw4 forward handle $dl
upl=$(nft -a list chain inet fw4 forward | grep Upl_Limit | awk '{print $NF}')
nft delete rule inet fw4 forward handle $upl

MAC-based rate limiting requires a table of the bridge family, which would be a bit more complicated.

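The block-then-undo procedure from the first reply, and the rate-limit variant from the second, share the same mechanics: insert a tagged rule at the top of the fw4 forward chain, later look up its handle and delete it. The following script is an added example (not code from the thread or from OpenWrt) that wraps both into one temporary-rule helper and removes the rule automatically after a timeout or on Ctrl-C; it assumes the `inet fw4` table and `forward` chain the replies use, and that `nft` and `awk` are installed on the router.

```shell
#!/bin/sh
# Added example (not from the thread): apply a tagged fw4 rule for a limited time on an
# OpenWrt router, then remove it, without touching /etc/config/firewall or reloading fw4.
# Assumptions: the "inet fw4" table with its "forward" chain, as in the thread;
# nft and awk are present; the rule comment is used as a unique tag.

# Print the handle(s) of rules whose comment exactly equals $1, reading the output
# of `nft -a list chain inet fw4 forward` on stdin. Matching the full quoted comment
# (rather than a grep substring) means tag "MyRule" cannot select a rule tagged "MyRule2".
handle_for_comment() {
    awk -v c="$1" 'index($0, "comment \"" c "\"") && $(NF-1) == "handle" { print $NF }'
}

# Delete every rule in the forward chain carrying the given comment.
delete_tagged() {
    handles=$(nft -a list chain inet fw4 forward | handle_for_comment "$1")
    [ -n "$handles" ] || return 1
    for h in $handles; do
        nft delete rule inet fw4 forward handle "$h"
    done
}

# temp_rule <tag> <seconds> <rule expression...>: insert the rule at the top of the
# forward chain (so it also hits established flows), wait, then remove it.
# Example: temp_rule MyRule 1800 ip saddr 192.168.1.135 counter drop
temp_rule() {
    tag=$1; secs=$2; shift 2
    nft insert rule inet fw4 forward "$@" comment "$tag" || return 1
    # Remove the rule even if the script is interrupted (Ctrl-C, SIGTERM).
    trap 'delete_tagged "$tag"; exit 130' INT TERM
    sleep "$secs"
    trap - INT TERM
    delete_tagged "$tag"
}

# Constructed sample of `nft -a list chain inet fw4 forward` output, used only to
# exercise handle_for_comment offline (handle numbers are made up).
sample_listing() {
    printf '%s\n' \
        'table inet fw4 {' \
        '    chain forward {' \
        '        type filter hook forward priority filter; policy drop;' \
        '        ip saddr 192.168.1.135 counter packets 0 bytes 0 drop comment "MyRule" # handle 42' \
        '        ip daddr 192.168.1.135 limit rate over 50 kbytes/second counter packets 0 bytes 0 drop comment "Dl_Limit" # handle 43' \
        '        ether saddr 00:11:22:33:44:55 counter packets 0 bytes 0 drop comment "MyRule2" # handle 44' \
        '        ct state established,related accept comment "!fw4: Allow inbound established and related flows" # handle 8' \
        '    }' \
        '}'
}
```

On the router, `temp_rule MyRule 1800 ip saddr 192.168.1.135 counter drop` blocks the client for 30 minutes and then cleans up; the two rate-limit rules from the second reply can be applied the same way with their own tags.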

Thanks - even an IP-based solution is workable. This gives me a thread to pull on to learn more about nft - much appreciated.

