Time/Date based firewall rules do not work

keithspg · November 27, 2020, 5:42am

Sorry to open this again, but my other thread is closed and though I thought it was fixed, I am still struggling. I read through @facboy thread about time abased firewall rules. Apparently, he has found a typo in fw3 and made a patch. I do not know if it has been merged, yet. I see no mention of this bug in the bug tracker. Facboy, can you put this here?

When I was having problems, I did not see his thread and created another of my own:
ipv6-v4-firewall-traffic-rules
I was able to get a config that 'seemed to work' for at least once, but now no longer. Even after rebooting.
What I ended up doing, based on the thread advice, was to create a rule for each day with the 4 MAC addresses I want to block. This worked, maybe once, but never again.
I am running OpenWrt SNAPSHOT r14947+101-0f7a3288e1. I have the timezone set to local time. The Router reports the correct time and date. In each rule, I have tried setting the 'From Lan to Wan' and also the reverse. Each rule is set as reject. I cannot seem to get it to work.
An example rule is (I have one like this for each day):

config rule
        list src_mac 'XX:XX:XX:XX:XX:XX:'
        option start_time '00:00:00'
        option stop_time '07:00:00'
        option target 'REJECT'
        option extra '--weekdays Sat'
        option name 'Kids-Saturday'
        option src 'lan'
        option dest 'wan'

vgaetera · November 27, 2020, 5:55am

Make sure the rule works stably when you perform the following:

Comment out the options:
- weekdays
- extra
- src_mac
Set start_time a couple of minutes ahead of the output: date +%H:%M:%S
Restart the firewall service to apply changes: /etc/init.d/firewall restart
Run from any LAN client: ping example.org

facboy · November 27, 2020, 11:32am

i just raised this: https://bugs.openwrt.org/index.php?do=details&task_id=3478

keithspg · December 3, 2020, 12:51am

Well, I went through and changed all the rule names from 'Kids_Saturday' to 'Kids-Saturday' so the syntax (underscore to dash) matched the other rules and, viola, it worked. Been working every day since I posted this and changed that one thing. Sorry for the bandwidth, but this works. I have not looked to see if @facboy bug fix works for multiple days, but at least I have this working.

Thanks for the help!

poddmo · December 3, 2020, 5:52am

Those rule names sound familiar to me. My poor kids each have their own subnet so I can manage them individually or as a pack. My favourite rule and the only one I don't get nagged to change is 'kids must sleep' (space in a rule name seem to be ok). Since the time based rules can't cross days, that one is set 00:00:01 to 06:30:00. Other than that, the time-based rules have been working for us. It would be really nice to have a simpler interface to manage it with, even better if there was some self-service element so the kids can have flexibility to chose time and then can't seriously expect to get more.

system · December 13, 2020, 5:52am

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.