Time control firewall rules fw4

Are time control firewall rules not implemented in the newer fw4 builds?

I ran the established connections rules to reorder my rules, and it throws an exit code saying something about legacy tables being present.

[OpenWrt Wiki] Filtering traffic with IP sets by DNS

That script snippet at the end of the page issues low-level iptables calls; it will not work with nftables-based fw4.

OK, thanks. If the script were altered for nftables support, would this fix my time control firewall rules?

It's that I read on the forum that not all features of fw3 are implemented in fw4, and as time control is not working for me I guessed this is the reason.

Please try the following workaround. It should do the job with minimal intervention.

cat << "EOF" >> /etc/nftables.d/20-time-based-rules.nft
# Files in /etc/nftables.d/ are included into the fw4 table, so this chain
# can jump to the zone chains fw4 generates (forward_<zonename>).
chain time_rule_fix {
     # Hook the forward path at priority -1, i.e. before fw4's own forward
     # chain (priority 0) accepts established/related flows.
     type filter hook forward priority -1
     # Re-evaluate the zone's forward rules (including time-based ones)
     # for every packet from the LAN bridge, not just new connections.
     iifname "br-lan" jump forward_lan
}
EOF
fw4 restart

I tried this but it did not work; it suggests the forward_lan part is incorrect.

chain time_rule_fix {
     type filter hook forward priority -1
     iifname "br-Kids-lan" jump forward_lan
}

Seeing there is a separate interface for the kids, I assume there is also a separate firewall zone.

iifname "br-Kids-lan" counter jump forward_<kids_zonename>

The counter is added to be able to check if the rule actually works.

OK, I see; this should suit then:

chain time_rule_fix {
     type filter hook forward priority -1
     iifname "br-Kids-lan" jump forward_KIDS_ZONE
}

Would I have to do this for each LAN segment, e.g.:

chain time_rule_fix {
     type filter hook forward priority -1
     iifname "br-Adults-lan" jump forward_ADULTS_ZONE
}

It seems like this should be built into the system; it seems silly to have time control functions built into LuCI when they don't work without reordering the rules or without the fix you provided.

chain time_rule_fix {
     type filter hook forward priority -1
     # One line per LAN bridge; each jumps to that zone's fw4 forward chain.
     # The counter shows whether packets actually hit the rule.
     iifname "iface1" counter jump forward_zone1
     iifname "iface2" counter jump forward_zone2
     iifname "iface3" counter jump forward_zone3
}

This is what I have used:

chain time_rule_fix {
     type filter hook forward priority -1
     iifname "br-Adults_Lan" counter jump forward_Adults_Zone
     iifname "br-Kids_Lan" counter jump forward_Kids_Zone
}

This is my rule, but sadly it is still not working; the same rule worked with fw3 without issue:

Source wan destination kids?!

FYI the time based rules work fine with fw4.

This custom rule is intended to fix only the minor issue with already established connections just like the reordering script when fw3/iptables were used.

The rule is designed to cut the internet off to the kids but still allow them to use the printer and local server; it is more designed to cut off YouTube and Snapchat at bedtime and during homework time.

I can't get time based rules to work.

Between the reject times the internet still operates.

The correct way is to create permissive rules always giving the kids access to the printer and server, and then block the traffic from the kids zone to the wan zone, not the other way around.

It might have worked somehow with iptables, but it's wrong.
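The following /etc/config/firewall excerpt is an added example written for this thread, not configuration posted by either participant. It shows the layout the reply above describes: permanent accept rules for the printer and the local server, followed by a time-based reject of everything the kids zone initiates towards wan. The zone names (kids, lan, wan), the bridge name br-Kids_Lan, the printer and server addresses, and the time windows are all assumptions chosen for illustration. The direction matters because fw4's forward chain accepts established/related packets before it reaches the zone chains: a reject placed on wan-to-kids only sees new inbound connections, which the wan zone already drops, while the flows the kids' devices open themselves enter through forward_kids and are accepted by the kids-to-wan forwarding.

```uci
# /etc/config/firewall (excerpt) -- added example, not from the thread.
# Assumed zones: 'kids' (device br-Kids_Lan), 'lan' (printer and server), 'wan'.
# Assumed addresses: printer 192.168.1.20, file/print server 192.168.1.10.

config zone
	option name 'kids'
	list network 'Kids_Lan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Kids may always reach wan (no 'forwarding' from kids to lan, so the
# LAN is reachable only through the explicit accept rules below).
config forwarding
	option src 'kids'
	option dest 'wan'

# Permanent allow rules first: printer and local server stay reachable
# regardless of the time-based reject that follows.
config rule
	option name 'Kids-to-printer'
	option src 'kids'
	option dest 'lan'
	option dest_ip '192.168.1.20'
	option proto 'all'
	option target 'ACCEPT'

config rule
	option name 'Kids-to-server'
	option src 'kids'
	option dest 'lan'
	option dest_ip '192.168.1.10'
	option proto 'all'
	option target 'ACCEPT'

# Time-based block: source is the kids zone, destination is wan.
# Times are router-local unless 'utc_time' is set to '1'.
# The bedtime window is split at midnight rather than written as
# 20:00-07:00 so it does not depend on wrap-around handling.
config rule
	option name 'Kids-bedtime-evening'
	option src 'kids'
	option dest 'wan'
	option proto 'all'
	option target 'REJECT'
	option start_time '20:00:00'
	option stop_time '23:59:59'
	option weekdays 'Sun Mon Tue Wed Thu Fri Sat'

config rule
	option name 'Kids-bedtime-morning'
	option src 'kids'
	option dest 'wan'
	option proto 'all'
	option target 'REJECT'
	option start_time '00:00:00'
	option stop_time '07:00:00'
	option weekdays 'Sun Mon Tue Wed Thu Fri Sat'

config rule
	option name 'Kids-homework'
	option src 'kids'
	option dest 'wan'
	option proto 'all'
	option target 'REJECT'
	option start_time '16:00:00'
	option stop_time '18:00:00'
	option weekdays 'Mon Tue Wed Thu Fri'
```

With the zone named 'kids', the chain fw4 generates is forward_kids, so the workaround file from earlier in the thread would read `iifname "br-Kids_Lan" counter jump forward_kids`; any other zone name changes that suffix. After `fw4 restart`, `nft list chain inet fw4 forward_kids` shows the reject rules with their hour and day matches, and `nft list chain inet fw4 time_rule_fix` shows the counter climbing once packets from the kids bridge are being re-evaluated, which is what cuts an already-running stream at the start of a blocked window instead of only new connections.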

OK, noted. I will swap the rule source and destination over, but it should work either way; if I can configure it then it should work, or some sort of error should ensue when creating the rule.

If I remove the time component of the rule and make it static, it blocks incoming traffic to the kids zone.

The reason for doing it this way is that it updates Google Family with the status of the device with a dial-home beacon periodically.

Switching the source and destination over made the time control rule work. Thanks for your help.
