PF We wish to have time-based rule feature in future

Hello, sir or madam

First, I love FreeBSD very much, and I am using it on my machines. PF is a powerful tool to manage traffic. However, I want some time-based control policies, but I am not sure if PF supports this feature. I tried some code suggested by chatGPT but all of it gave 'syntax errors'. Therefore, I wish a future PF could add a feature to support time-based rules on FreeBSD. I appreciate your work on FreeBSD and PF and have a good holiday soon.

Tom
 
How do you imagine time-based rules would work? What exactly needs to be time-based? A very simple solution would be to create an anchor and add/remove rules with a basic cron job.
 
Hello, SirDice. Thank you very much for the feedback. I know little about the anchor and cron job technique. On my Ubuntu server, I can set up such rules with iptables, so I don't need a dynamic rule configuration by cron job. I wish PF on FreeBSD could support this nice feature in future.

For instance, I intend to block the traffic between 1:00am to 3:00am every day.
 
For instance, I intend to block the traffic between 1:00am to 3:00am every day.
Ok, that seems simple enough.

pf.conf
Code:
ext_if="em0"

anchor "timerules" on $ext_if

Cronjob (edit it with crontab -e):
Code:
#minute hour   mday   month   wday   command
# full path to pfctl: the default PATH for crontab entries is /usr/bin:/bin, which does not include /sbin
 0      1       *     *        *     echo "block all quick" | /sbin/pfctl -a timerules -f -
 0      3       *     *        *     /sbin/pfctl -a timerules -Fall

Untested, but you get the idea.
 
Can you give an example of the iptables commands that do exactly what you want?

Likely one of these:

Code:
iptables RULE -m time --timestart TIME --timestop TIME --days DAYS -j ACTION

Put into a rule chain, diverts to a different chain / action during the specified window.

Does look handy, but the cron-based approach above should do the trick.
 
The line on Ubuntu that sets a time-based rule is:

Code:
iptables -t mangle -I PREROUTING 2 -i eno1 -p tcp -s 192.168.0.3 -d 0.0.0.0/0 -m multiport --dport 80,443,8000,8080 -m state --state NEW,ESTABLISHED -m time --timestart 1:00 --timestop 3:00 --weekdays Mon,Tue,Wed,Thu,Fri,Sat,Sun -j DROP
 
Yes, I used to use that in iptables (now nftables).

I asked a similar question a while back and SirDice answered correctly. I've taken it a step further and put specific rules into an anchor and then I flush those rules and states for the anchor:

0 6 * * * /usr/local/bin/_pfctl -a e_04_google-voice -f /firewall/anchor/.data/e.04.google-voice 2>&1
59 23 * * * /usr/local/bin/_pfctl -a e_04_google-voice -F all > /dev/null 2>&1
59 23 * * * /usr/local/bin/_pfctl -a e_04_google-voice -F states > /dev/null 2>&1

This is for Google Voice; I have other rules that disable video games, for instance, much earlier and allow them much later. I changed the path to my rules as it reveals some proprietary information, but you get the idea.

I found that I must clear the states otherwise traffic was still being passed.
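Putting the thread together in one script, as an added example that is not code from any poster here: it loads a pf rule mirroring the iptables DROP line above into the "timerules" anchor at the start of the window, kills the host's existing states (the point of the last post), and flushes the anchor at the end, with the two crontab lines that drive it. Assumptions not from the thread: the host is reached on em0, and the script is installed at the path in $SCRIPT.

```shell
#!/bin/sh
# timerule.sh: load a blocking rule into a pf anchor at the start of a time
# window and flush it at the end, driven by two crontab lines. Assumptions
# (not from the thread): the host is reached on em0, the anchor is named
# "timerules" as in the pf.conf above, and this file lives at $SCRIPT.
EXT_IF="${EXT_IF:-em0}"
ANCHOR="${ANCHOR:-timerules}"
HOST="${HOST:-192.168.0.3}"
PORTS="${PORTS:-80 443 8000 8080}"
PFCTL="${PFCTL:-/sbin/pfctl}"          # full path: cron's PATH lacks /sbin
SCRIPT="${SCRIPT:-/usr/local/sbin/timerule.sh}"

# pf rule equivalent to the iptables DROP line: new TCP connections from HOST
# to the listed ports are blocked while the rule is loaded in the anchor.
timerule_rule() {
    set -- $PORTS                      # intentional word splitting
    printf 'block in quick on %s proto tcp from %s to any port { %s }\n' \
        "$EXT_IF" "$HOST" "$*"
}

# Start of the window: load the rule, then kill the host's existing states.
# "block" only affects new connections; without -k, established sessions
# keep passing until they time out on their own.
timerule_start() {
    timerule_rule | "$PFCTL" -a "$ANCHOR" -f - || return 1
    "$PFCTL" -k "$HOST"
}

# End of the window: empty the anchor so traffic is evaluated by the main
# ruleset again.
timerule_stop() {
    "$PFCTL" -a "$ANCHOR" -F all
}

# The two crontab lines (crontab -e as root) that drive the window.
timerule_crontab() {
    printf '0 1 * * * %s start\n' "$SCRIPT"
    printf '0 3 * * * %s stop\n' "$SCRIPT"
}

case "${1:-}" in
    start)   timerule_start ;;
    stop)    timerule_stop ;;
    rule)    timerule_rule ;;
    crontab) timerule_crontab ;;
esac
```

Run `timerule.sh rule` to see the rule before installing it, and `timerule.sh crontab` to print the lines to paste into the crontab.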
 