Firewall Starttime & Stoptime not working in 1.4-rc3?

Hi All,

I can’t seem to get time based firewall rules working correctly?

In version 1.3 and earlier it used UTC time, and I believed it was changed to work off the local time. But running tests I have no idea what it is using as it just doesn’t work correctly?

Here is my rule.

set firewall ipv4 name LAN-WAN rule 265 action 'accept'
set firewall ipv4 name LAN-WAN rule 265 description 'Allow WEB from 6:30AM - 10:00PM'
set firewall ipv4 name LAN-WAN rule 265 destination group port-group 'PG_WEB'
set firewall ipv4 name LAN-WAN rule 265 log
set firewall ipv4 name LAN-WAN rule 265 protocol 'tcp_udp'
set firewall ipv4 name LAN-WAN rule 265 source group address-group 'AG_LAN_TIMEGROUP'
set firewall ipv4 name LAN-WAN rule 265 state 'new'
set firewall ipv4 name LAN-WAN rule 265 time starttime '06:30:00'
set firewall ipv4 name LAN-WAN rule 265 time stoptime '22:00:00'

The time is

Fri Feb  2 09:51:10 AM AEDT 2024

And within the logs it is hitting the default deny rule.

Feb 02 09:51:14 box kernel: [ipv4-LAN-WAN-default-D]IN=eth1 OUT=eth0 MAC=2c:f3:5d:d6:b3:8b:8c:8d:28:e5:44:b7:08:00 SRC=192.168.100.62 DST=23.206.199.226 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=30857 DF PROTO=TCP SPT=62125 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Feb 02 09:51:22 box kernel: [ipv4-LAN-WAN-default-D]IN=eth1 OUT=eth0 MAC=2c:f3:5d:d6:b3:8b:8c:8d:28:e5:44:b7:08:00 SRC=192.168.100.62 DST=23.206.199.226 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=30858 DF PROTO=TCP SPT=62125 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Feb 02 09:51:28 box kernel: [ipv4-LAN-WAN-default-D]IN=eth1 OUT=eth0 MAC=2c:f3:5d:d6:b3:8b:8c:8d:28:e5:44:b7:08:00 SRC=192.168.100.62 DST=23.206.199.224 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=50219 DF PROTO=TCP SPT=62126 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Feb 02 09:51:29 box kernel: [ipv4-LAN-WAN-default-D]IN=eth1 OUT=eth0 MAC=2c:f3:5d:d6:b3:8b:8c:8d:28:e5:44:b7:08:00 SRC=192.168.100.62 DST=23.206.199.224 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=50220 DF PROTO=TCP SPT=62126 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Feb 02 09:51:31 box kernel: [ipv4-LAN-WAN-default-D]IN=eth1 OUT=eth0 MAC=2c:f3:5d:d6:b3:8b:8c:8d:28:e5:44:b7:08:00 SRC=192.168.100.62 DST=23.206.199.224 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=50221 DF PROTO=TCP SPT=62126 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0

If I try testing with a small time interval it seems to work??

set firewall ipv4 name LAN-WAN rule 265 action 'accept'
set firewall ipv4 name LAN-WAN rule 265 description 'Allow WEB from 9:58AM-10:30AM'
set firewall ipv4 name LAN-WAN rule 265 destination group port-group 'PG_WEB'
set firewall ipv4 name LAN-WAN rule 265 log
set firewall ipv4 name LAN-WAN rule 265 protocol 'tcp_udp'
set firewall ipv4 name LAN-WAN rule 265 source group address-group 'AG_LAN_TIMEGROUP'
set firewall ipv4 name LAN-WAN rule 265 state 'new'
set firewall ipv4 name LAN-WAN rule 265 time starttime '09:58:00'
set firewall ipv4 name LAN-WAN rule 265 time stoptime '10:30:00'
Feb 02 10:02:01 box kernel: [ipv4-NAM-LAN-WAN-265-A]IN=eth1 OUT=eth0 MAC=2c:f3:5d:d6:b3:8b:8c:8d:28:e5:44:b7:08:00 SRC=192.168.100.62 DST=151.101.30.132 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=52593 DF PROTO=TCP SPT=37212 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
Feb 02 10:02:01 box kernel: [ipv4-NAM-LAN-WAN-265-A]IN=eth1 OUT=eth0 MAC=2c:f3:5d:d6:b3:8b:8c:8d:28:e5:44:b7:08:00 SRC=192.168.100.62 DST=151.101.30.132 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=28869 DF PROTO=TCP SPT=37214 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
Feb 02 10:02:02 box kernel: [ipv4-NAM-LAN-WAN-265-A]IN=eth1 OUT=eth0 MAC=2c:f3:5d:d6:b3:8b:8c:8d:28:e5:44:b7:08:00 SRC=192.168.100.62 DST=151.101.30.132 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=32091 DF PROTO=TCP SPT=37220 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
Feb 02 10:02:03 box kernel: [ipv4-NAM-LAN-WAN-265-A]IN=eth1 OUT=eth0 MAC=2c:f3:5d:d6:b3:8b:8c:8d:28:e5:44:b7:08:00 SRC=192.168.100.62 DST=151.101.30.132 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=9064 DF PROTO=TCP SPT=37228 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
Feb 02 10:02:06 box kernel: [ipv4-NAM-LAN-WAN-265-A]IN=eth1 OUT=eth0 MAC=2c:f3:5d:d6:b3:8b:8c:8d:28:e5:44:b7:08:00 SRC=192.168.100.62 DST=151.101.30.132 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=15131 DF PROTO=TCP SPT=37238 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
Feb 02 10:02:08 box kernel: [ipv4-NAM-LAN-WAN-265-A]IN=eth1 OUT=eth0 MAC=2c:f3:5d:d6:b3:8b:8c:8d:28:e5:44:b7:08:00 SRC=192.168.100.62 DST=151.101.30.132 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=23505 DF PROTO=TCP SPT=37248 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0

Anyone seen this?

Also, if I try running UTC time it does not work?

run show firewall ipv4 name LAN-WAN rule 265
Rule Information

---------------------------------
ipv4 Firewall "name LAN-WAN"

  Rule  Action    Protocol      Packets    Bytes  Conditions
------  --------  ----------  ---------  -------  ----------------------------------------------------------------------------------------------------------------------------------------------------------------------
   265  accept    tcp_udp             0        0  ct state new meta l4proto { tcp, udp } th dport @P_PG_WEB ip saddr @A_AG_LAN_TIMEGROUP meta hour >= "19:30" meta hour < "11:30"  prefix "[ipv4-NAM-LAN-WAN-265-A]"  accept

I’m doing some tests and so far I wasn’t able to reproduce the error.
Using a big interval:

## Config
set firewall ipv4 input filter rule 10 action 'accept'
set firewall ipv4 input filter rule 10 destination port '22'
set firewall ipv4 input filter rule 10 log
set firewall ipv4 input filter rule 10 protocol 'tcp'
set firewall ipv4 input filter rule 10 time starttime '00:00:15'
set firewall ipv4 input filter rule 10 time stoptime '22:00:00'

## Rule in nftables:
tcp dport 22 meta hour >= "00:00:15" meta hour < "22:00" log prefix "[ipv4-INP-filter-10-A]" counter packets 35 bytes 5829 accept comment "ipv4-INP-filter-10"

## Log
Feb 02 10:02:52 vyos kernel: [ipv4-INP-filter-10-A]IN=eth0 OUT= MAC=50:00:00:03:00:00:4c:5e:0c:19:0b:62:08:00 SRC=192.168.77.39 DST=192.168.0.182 LEN=112 TOS=0x10 PREC=0x00 TTL=62 ID=61551 DF PROTO=TCP SPT=56960 DPT=22 WINDOW=501 RES=0x00 ACK PSH URGP=0 
Feb 02 10:02:52 vyos kernel: [ipv4-INP-filter-10-A]IN=eth0 OUT= MAC=50:00:00:03:00:00:4c:5e:0c:19:0b:62:08:00 SRC=192.168.77.39 DST=192.168.0.182 LEN=52 TOS=0x10 PREC=0x00 TTL=62 ID=61552 DF PROTO=TCP SPT=56960 DPT=22 WINDOW=501 RES=0x00 ACK FIN URGP=0 

Using smaller intervals:

## Config
set firewall ipv4 input filter rule 10 time starttime '10:05:00'
set firewall ipv4 input filter rule 10 time stoptime '10:15:00'

## Rule in nftables:
tcp dport 22 meta hour >= "10:05" meta hour < "10:15" log prefix "[ipv4-INP-filter-10-A]" counter packets 11 bytes 2953 accept comment "ipv4-INP-filter-10"

## Date
vyos@vyos# date
Fri Feb  2 10:08:08 AM UTC 2024
[edit]
vyos@vyos# 

## And log:
Feb 02 10:07:28 vyos kernel: [ipv4-INP-filter-10-A]IN=eth0 OUT= MAC=50:00:00:03:00:00:4c:5e:0c:19:0b:62:08:00 SRC=192.168.77.39 DST=192.168.0.182 LEN=680 TOS=0x10 PREC=0x00 TTL=62 ID=10406 DF PROTO=TCP SPT=48012 DPT=22 WINDOW=501 RES=0x00 ACK PSH URGP=0 
Feb 02 10:07:28 vyos kernel: [ipv4-INP-filter-10-A]IN=eth0 OUT= MAC=50:00:00:03:00:00:4c:5e:0c:19:0b:62:08:00 SRC=192.168.77.39 DST=192.168.0.182 LEN=52 TOS=0x10 PREC=0x00 TTL=62 ID=10407 DF PROTO=TCP SPT=48012 DPT=22 WINDOW=501 RES=0x00 ACK URGP=0 

Let me continue with tests when not using UTC.

Error found: T6009 Firewall - Time not working properly when not using UTC


Hi Nicolas,
Thanks for taking a look as this is a weird one. I have spent too many hours trying to work out why it doesn’t work.

Here is an example I took earlier today whilst testing.

I started off with the rule

set firewall ipv4 name LAN-WAN rule 265 action 'accept'
set firewall ipv4 name LAN-WAN rule 265 description 'Allow WEB JAKOB LAN-WAN'
set firewall ipv4 name LAN-WAN rule 265 destination group port-group 'PG_WEB'
set firewall ipv4 name LAN-WAN rule 265 log
set firewall ipv4 name LAN-WAN rule 265 protocol 'tcp_udp'
set firewall ipv4 name LAN-WAN rule 265 source group address-group 'AG_LAN_TIMEGROUP'
set firewall ipv4 name LAN-WAN rule 265 state 'new'

Check the logs - all is as expected.

Feb 02 14:39:32 box kernel: [ipv4-NAM-LAN-WAN-265-A]IN=eth1 OUT=eth0 MAC=2c:f3:5d:d6:b3:8b:8c:8d:28:e5:44:b7:08:00 SRC=192.168.100.62 DST=104.21.83.41 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=41036 DF PROTO=TCP SPT=55718 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Feb 02 14:39:32 box kernel: [ipv4-NAM-LAN-WAN-265-A]IN=eth1 OUT=eth0 MAC=2c:f3:5d:d6:b3:8b:8c:8d:28:e5:44:b7:08:00 SRC=192.168.100.62 DST=104.237.62.212 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=22367 DF PROTO=TCP SPT=39670 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Feb 02 14:39:32 box kernel: [ipv4-NAM-LAN-WAN-265-A]IN=eth1 OUT=eth0 MAC=2c:f3:5d:d6:b3:8b:8c:8d:28:e5:44:b7:08:00 SRC=192.168.100.62 DST=104.237.62.212 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=16778 DF PROTO=TCP SPT=39678 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Feb 02 14:39:32 box kernel: [ipv4-NAM-LAN-WAN-265-A]IN=eth1 OUT=eth0 MAC=2c:f3:5d:d6:b3:8b:8c:8d:28:e5:44:b7:08:00 SRC=192.168.100.62 DST=104.21.83.41 LEN=1278 TOS=0x00 PREC=0x00 TTL=63 ID=31994 DF PROTO=UDP SPT=43132 DPT=443 LEN=1258
Feb 02 14:39:33 box kernel: [ipv4-NAM-LAN-WAN-265-A]IN=eth1 OUT=eth0 MAC=2c:f3:5d:d6:b3:8b:8c:8d:28:e5:44:b7:08:00 SRC=192.168.100.62 DST=172.64.149.23 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=38804 DF PROTO=TCP SPT=44838 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
Feb 02 14:39:33 box kernel: [ipv4-NAM-LAN-WAN-265-A]IN=eth1 OUT=eth0 MAC=2c:f3:5d:d6:b3:8b:8c:8d:28:e5:44:b7:08:00 SRC=192.168.100.62 DST=172.64.149.23 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=27416 DF PROTO=TCP SPT=44852 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
Feb 02 14:39:33 box kernel: [ipv4-NAM-LAN-WAN-265-A]IN=eth1 OUT=eth0 MAC=2c:f3:5d:d6:b3:8b:8c:8d:28:e5:44:b7:08:00 SRC=192.168.100.62 DST=103.101.129.194 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=35640 DF PROTO=TCP SPT=51580 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Feb 02 14:40:30 box kernel: [ipv4-NAM-LAN-WAN-265-A]IN=eth1 OUT=eth0 MAC=2c:f3:5d:d6:b3:8b:8c:8d:28:e5:44:b7:08:00 SRC=192.168.100.62 DST=142.251.221.74 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=56283 DF PROTO=TCP SPT=50308 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0

I then add the rules which should theoretically work without blocking anything, as it’s 2:40PM

set firewall ipv4 name LAN-WAN rule 265 time starttime 06:30:00
set firewall ipv4 name LAN-WAN rule 265 time stoptime 22:30:00

Straight away it starts blocking the traffic?

Feb 02 14:48:07 box kernel: [ipv4-LAN-WAN-default-D]IN=eth1 OUT=eth0 MAC=2c:f3:5d:d6:b3:8b:8c:8d:28:e5:44:b7:08:00 SRC=192.168.100.62 DST=37.0.81.241 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=60767 DF PROTO=TCP SPT=39980 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Feb 02 14:48:07 box kernel: [ipv4-LAN-WAN-default-D]IN=eth1 OUT=eth0 MAC=2c:f3:5d:d6:b3:8b:8c:8d:28:e5:44:b7:08:00 SRC=192.168.100.62 DST=20.43.109.14 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1250 DF PROTO=TCP SPT=44460 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Feb 02 14:48:07 box kernel: [ipv4-LAN-WAN-default-D]IN=eth1 OUT=eth0 MAC=2c:f3:5d:d6:b3:8b:8c:8d:28:e5:44:b7:08:00 SRC=192.168.100.62 DST=37.0.81.241 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=46502 DF PROTO=TCP SPT=39992 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Feb 02 14:48:07 box kernel: [ipv4-LAN-WAN-default-D]IN=eth1 OUT=eth0 MAC=2c:f3:5d:d6:b3:8b:8c:8d:28:e5:44:b7:08:00 SRC=192.168.100.62 DST=20.43.109.14 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=14305 DF PROTO=TCP SPT=44462 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Feb 02 14:48:07 box kernel: [ipv4-LAN-WAN-default-D]IN=eth1 OUT=eth0 MAC=2c:f3:5d:d6:b3:8b:8c:8d:28:e5:44:b7:08:00 SRC=192.168.100.62 DST=37.0.81.241 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=57041 DF PROTO=TCP SPT=39994 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0

I then go and shrink the time to 2:45PM till 3:00PM and it starts to work again.

set firewall ipv4 name LAN-WAN rule 265 time starttime 14:52:00
set firewall ipv4 name LAN-WAN rule 265 time stoptime 15:00:00

The logs show it is working as expected. I have no idea why it is doing this?

Feb 02 14:51:56 box kernel: [ipv4-LAN-WAN-default-D]IN=eth1 OUT=eth0 MAC=2c:f3:5d:d6:b3:8b:8c:8d:28:e5:44:b7:08:00 SRC=192.168.100.62 DST=104.20.151.16 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=38627 DF PROTO=TCP SPT=41922 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Feb 02 14:51:57 box kernel: [ipv4-LAN-WAN-default-D]IN=eth1 OUT=eth0 MAC=2c:f3:5d:d6:b3:8b:8c:8d:28:e5:44:b7:08:00 SRC=192.168.100.62 DST=37.0.81.241 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=25179 DF PROTO=TCP SPT=57264 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Feb 02 14:51:58 box kernel: [ipv4-LAN-WAN-default-D]IN=eth1 OUT=eth0 MAC=2c:f3:5d:d6:b3:8b:8c:8d:28:e5:44:b7:08:00 SRC=192.168.100.62 DST=37.0.81.241 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=25180 DF PROTO=TCP SPT=57264 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Feb 02 14:52:00 box kernel: [ipv4-NAM-LAN-WAN-265-A]IN=eth1 OUT=eth0 MAC=2c:f3:5d:d6:b3:8b:8c:8d:28:e5:44:b7:08:00 SRC=192.168.100.62 DST=37.0.81.241 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=270 DF PROTO=TCP SPT=40374 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Feb 02 14:52:00 box kernel: [ipv4-NAM-LAN-WAN-265-A]IN=eth1 OUT=eth0 MAC=2c:f3:5d:d6:b3:8b:8c:8d:28:e5:44:b7:08:00 SRC=192.168.100.62 DST=37.0.81.241 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=25181 DF PROTO=TCP SPT=57264 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Feb 02 14:52:00 box kernel: [ipv4-NAM-LAN-WAN-265-A]IN=eth1 OUT=eth0 MAC=2c:f3:5d:d6:b3:8b:8c:8d:28:e5:44:b7:08:00 SRC=192.168.100.62 DST=152.195.38.76 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=46366 DF PROTO=TCP SPT=51972 DPT=80 WINDOW=64240 R
...
....
.....
Feb 02 14:58:02 box kernel: [ipv4-NAM-LAN-WAN-265-A]IN=eth1 OUT=eth0 MAC=2c:f3:5d:d6:b3:8b:8c:8d:28:e5:44:b7:08:00 SRC=192.168.100.62 DST=37.0.81.241 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=16504 DF PROTO=TCP SPT=40484 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Feb 02 14:58:02 box kernel: [ipv4-NAM-LAN-WAN-265-A]IN=eth1 OUT=eth0 MAC=2c:f3:5d:d6:b3:8b:8c:8d:28:e5:44:b7:08:00 SRC=192.168.100.62 DST=37.0.81.241 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=54384 DF PROTO=TCP SPT=40496 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Feb 02 14:58:13 box kernel: [ipv4-NAM-LAN-WAN-265-A]IN=eth1 OUT=eth0 MAC=2c:f3:5d:d6:b3:8b:8c:8d:28:e5:44:b7:08:00 SRC=192.168.100.62 DST=37.0.81.241 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=63549 DF PROTO=TCP SPT=54532 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Feb 02 14:58:27 box kernel: [ipv4-NAM-LAN-WAN-265-A]IN=eth1 OUT=eth0 MAC=2c:f3:5d:d6:b3:8b:8c:8d:28:e5:44:b7:08:00 SRC=192.168.100.62 DST=142.250.70.142 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=32339 DF PROTO=TCP SPT=36176 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Feb 02 14:58:30 box kernel: [ipv4-NAM-LAN-WAN-265-A]IN=eth1 OUT=eth0 MAC=2c:f3:5d:d6:b3:8b:8c:8d:28:e5:44:b7:08:00 SRC=192.168.100.62 DST=37.0.81.241 LEN=1278 TOS=0x00 PREC=0x00 TTL=63 ID=40766 DF PROTO=UDP SPT=41871 DPT=443 LEN=1258
Feb 02 14:59:34 box kernel: [ipv4-NAM-LAN-WAN-265-A]IN=eth1 OUT=eth0 MAC=2c:f3:5d:d6:b3:8b:8c:8d:28:e5:44:b7:08:00 SRC=192.168.100.62 DST=142.250.70.142 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=57166 DF PROTO=TCP SPT=48956 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Feb 02 15:00:05 box kernel: [ipv4-LAN-WAN-default-D]IN=eth1 OUT=eth0 MAC=2c:f3:5d:d6:b3:8b:8c:8d:28:e5:44:b7:08:00 SRC=192.168.100.62 DST=142.250.70.226 LEN=1278 TOS=0x00 PREC=0x00 TTL=63 ID=30413 DF PROTO=UDP SPT=41598 DPT=443 LEN=1258
Feb 02 15:00:05 box kernel: [ipv4-LAN-WAN-default-D]IN=eth1 OUT=eth0 MAC=2c:f3:5d:d6:b3:8b:8c:8d:28:e5:44:b7:08:00 SRC=192.168.100.62 DST=142.250.70.226 LEN=1278 TOS=0x00 PREC=0x00 TTL=63 ID=30414 DF PROTO=UDP SPT=41598 DPT=443 LEN=1258
Feb 02 15:00:05 box kernel: [ipv4-LAN-WAN-default-D]IN=eth1 OUT=eth0 MAC=2c:f3:5d:d6:b3:8b:8c:8d:28:e5:44:b7:08:00 SRC=192.168.100.62 DST=142.250.70.226 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=43394 DF PROTO=TCP SPT=48010 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Feb 02 15:00:05 box kernel: [ipv4-LAN-WAN-default-D]IN=eth1 OUT=eth0 MAC=2c:f3:5d:d6:b3:8b:8c:8d:28:e5:44:b7:08:00 SRC=192.168.100.62 DST=142.250.70.226 LEN=1278 TOS=0x00 PREC=0x00 TTL=63 ID=30415 DF PROTO=UDP SPT=41598 DPT=443 LEN=1258
Feb 02 15:00:06 box kernel: [ipv4-LAN-WAN-default-D]IN=eth1 OUT=eth0 MAC=2c:f3:5d:d6:b3:8b:8c:8d:28:e5:44:b7:08:00 SRC=192.168.100.62 DST=142.250.70.226 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=35012 DF PROTO=TCP SPT=48020 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0

I can see the configuration is there when I run sudo nft list ruleset
There are no other rules blocking it.

chain NAME_LAN-WAN {
....
....
ct state new meta l4proto { tcp, udp } th dport @P_PG_WEB ip saddr @A_AG_LAN_TIMEGROUP meta hour >= "06:30" meta hour < "22:30" log prefix "[ipv4-NAM-LAN-WAN-265-A]" counter packets 0 bytes 0 accept comment "ipv4-NAM-LAN-WAN-265"
...
}
Version:          VyOS 1.4.0-rc3
Release train:    sagitta

Built by:         Sentrium S.L.
Built on:         Thu 18 Jan 2024 19:21 UTC
Build UUID:       8603fe3e-29bd-4669-9427-cc07110bd272
Build commit ID:  651ff15892ade4

Architecture:     x86_64
Boot via:         installed image
System type:      bare metal

Hardware vendor:  OEM
Hardware model:   Default string
Hardware S/N:     1234567890
Hardware UUID:    03000200-0400-0500-0006-000700080009

Copyright:        VyOS maintainers and contributors

Reference ID    : A29FC87B (time.cloudflare.com)
Stratum         : 4
Ref time (UTC)  : Fri Feb 02 10:54:23 2024
System time     : 0.000059460 seconds fast of NTP time
Last offset     : +0.000190837 seconds
RMS offset      : 0.000416427 seconds
Frequency       : 20.839 ppm fast
Residual freq   : +0.005 ppm
Skew            : 0.314 ppm
Root delay      : 0.010854744 seconds
Root dispersion : 0.002697953 seconds
Update interval : 1027.1 seconds
Leap status     : Normal

I tried using UTC time but that doesn’t work even for the compressed time test.

Above my 2PM is 3AM UTC and that just did not allow traffic full stop.

So I am using zone based firewall rules with global policy rules

set firewall global-options state-policy established action 'accept'
set firewall global-options state-policy invalid action 'drop'
set firewall global-options state-policy invalid log
set firewall global-options state-policy related action 'accept'

There is nothing special in my configuration… all pretty stock standard.

I’ve run out of places where to look for troubleshooting this.

Kind Regards

Hi Nicolas,

Ah, I didn’t see your post come in before sending another.
So will starttime and stoptime need to be UTC or local time? Hoping it can take local time (ADST) because UTC ignores daylight savings :slight_smile: and doing initial tests I thought it had been fixed since version 1.3.

Kind Regards

Hi Nicolas,

I noticed there has been some work done on T6009 Firewall - Time not working properly when not using UTC, although the fix seems to be titled "fix hour decoding when timezone offset is negative".

I am seeing issues with a positive time zone. Not sure if this will fix my time issue?

# date
Tue Feb 13 08:21:14 AM AEDT 2024
show config comm | grep zone
set system time-zone 'Australia/Victoria'

On top of that, I’m not seeing time written incorrectly into the config files.

# cat /run/nftables.conf

chain NAME_LAN-WAN {
   ...
   ct state {new} meta l4proto  {tcp, udp} ip saddr  @A_AG_LAN_TIMEGROUP hour >= "06:00:00" hour < "22:00:00" log prefix "[ipv4-NAM-LAN-WAN-260-A]" counter accept comment "ipv4-NAM-LAN-WAN-260"
   ...
   counter log prefix "[ipv4-LAN-WAN-default-D]" drop comment "LAN-WAN default-action drop"
}
# sudo nft -s list chain vyos_filter NAME_LAN-WAN

table ip vyos_filter {
   chain NAME_LAN-WAN {
      ct state new meta l4proto { tcp, udp } ip saddr @A_AG_LAN_TIMEGROUP meta hour >= "06:00" meta hour < "22:00" log prefix "[ipv4-NAM-LAN-WAN-260-A]" counter accept comment "ipv4-NAM-LAN-WAN-260"
      counter log prefix "[ipv4-LAN-WAN-default-D]" drop comment "LAN-WAN default-action drop"
   }
}

Could you check once again if now it’s working as expected?

Hi Nicholas,

With the current 1.4rc3 version or a rolling update?

Regards

1.4.0-rc3 was built on the 18th of January.
This patch was introduced in February.
So we need to check with a rolling update:
a self-built 1.4 or the latest 1.5 available in nightly-builds.

Hi, thanks for this hint.
The changelog for 1.4 and 1.5 was also updated 4 weeks ago.
When will there be another update?

Hi Nicholas,

Sorry, it was the way I read your question :slight_smile: as I hadn’t updated it yet.

Built a new image last night, and still not working as I would expect.

# run show version
Version:          VyOS 1.4-rolling-202402211059
Release train:    sagitta

Built by:         me
Built on:         Wed 21 Feb 2024 10:59 UTC
Build UUID:       40445400-82e6-4650-8ea2-6e5972e4dfda
Build commit ID:  bcac2eb1f9b49c

Architecture:     x86_64
Boot via:         installed image
System type:      bare metal

Hardware vendor:  OEM
Hardware model:   Default string
Hardware S/N:     1234567890
Hardware UUID:    03000200-0400-0500-0006-000700080009

Copyright:        VyOS maintainers and contributors

My time settings

# run show conf comm | grep system
set system time-zone 'Australia/Sydney'

# date
Thu Feb 22 09:29:17 AM AEDT 2024
[edit]

First LAN-WAN rule, kept it simple for ICMP only.

set firewall ipv4 name LAN-WAN rule 100 action 'accept'
set firewall ipv4 name LAN-WAN rule 100 description 'Allow ICMP LAN-WAN'
set firewall ipv4 name LAN-WAN rule 100 icmp type-name 'echo-request'
set firewall ipv4 name LAN-WAN rule 100 log
set firewall ipv4 name LAN-WAN rule 100 protocol 'icmp'
set firewall ipv4 name LAN-WAN rule 100 source address '192.168.100.99'
set firewall ipv4 name LAN-WAN rule 100 state 'new'
set firewall ipv4 name LAN-WAN rule 100 time starttime '06:00:00'
set firewall ipv4 name LAN-WAN rule 100 time stoptime '21:00:00'

And still blocking

Feb 22 09:26:32 box kernel: [ipv4-LAN-WAN-default-D]IN=eth1 OUT=pppoe1 MAC=9a:71:c5:e7:0f:f6:8c:ee:32:ca:5f:b9:08:00 SRC=192.168.100.99 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=22727 DF PROTO=ICMP TYPE=8 CODE=0 ID=7446 SEQ=6
Feb 22 09:26:33 box kernel: [ipv4-LAN-WAN-default-D]IN=eth1 OUT=pppoe1 MAC=9a:71:c5:e7:0f:f6:8c:ee:32:ca:5f:b9:08:00 SRC=192.168.100.99 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=22983 DF PROTO=ICMP TYPE=8 CODE=0 ID=7446 SEQ=7
Feb 22 09:26:34 box kernel: [ipv4-LAN-WAN-default-D]IN=eth1 OUT=pppoe1 MAC=9a:71:c5:e7:0f:f6:8c:ee:32:ca:5f:b9:08:00 SRC=192.168.100.99 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=23005 DF PROTO=ICMP TYPE=8 CODE=0 ID=7446 SEQ=8
Feb 22 09:26:35 box kernel: [ipv4-LAN-WAN-default-D]IN=eth1 OUT=pppoe1 MAC=9a:71:c5:e7:0f:f6:8c:ee:32:ca:5f:b9:08:00 SRC=192.168.100.99 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=23150 DF PROTO=ICMP TYPE=8 CODE=0 ID=7446 SEQ=9
Feb 22 09:26:36 box kernel: [ipv4-LAN-WAN-default-D]IN=eth1 OUT=pppoe1 MAC=9a:71:c5:e7:0f:f6:8c:ee:32:ca:5f:b9:08:00 SRC=192.168.100.99 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=23343 DF PROTO=ICMP TYPE=8 CODE=0 ID=7446 SEQ=10
Feb 22 09:26:37 box kernel: [ipv4-LAN-WAN-default-D]IN=eth1 OUT=pppoe1 MAC=9a:71:c5:e7:0f:f6:8c:ee:32:ca:5f:b9:08:00 SRC=192.168.100.99 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=23474 DF PROTO=ICMP TYPE=8 CODE=0 ID=7446 SEQ=11

Looks like configurations are correct.

# cat /run/nftables.conf
chain NAME_LAN-WAN {
    ct state {new} meta l4proto  icmp ip saddr 192.168.100.99 icmp type echo-request hour >= "06:00:00" hour < "21:00:00" log prefix "[ipv4-NAM-LAN-WAN-100-A]" counter accept comment "ipv4-NAM-LAN-WAN-100"
    ...
}
# sudo nft -s list chain vyos_filter NAME_LAN-WAN
table ip vyos_filter {
        chain NAME_LAN-WAN {
                ct state new ip saddr 192.168.100.99 icmp type echo-request meta hour >= "06:00" meta hour < "21:00" log prefix "[ipv4-NAM-LAN-WAN-100-A]" counter accept comment "ipv4-NAM-LAN-WAN-100"
                ...
}

I then adjust the configuration

set firewall ipv4 name LAN-WAN rule 100 time starttime '09:00:00'
set firewall ipv4 name LAN-WAN rule 100 time stoptime '10:00:00'
commit

And it starts to work.

Feb 22 09:40:05 box kernel: [ipv4-NAM-LAN-WAN-100-A]IN=eth1 OUT=pppoe1 MAC=9a:71:c5:e7:0f:f6:8c:ee:32:ca:5f:b9:08:00 SRC=192.168.100.99 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=59534 DF PROTO=ICMP TYPE=8 CODE=0 ID=33314 SEQ=1
Feb 22 09:40:14 box kernel: [ipv4-NAM-LAN-WAN-100-A]IN=eth1 OUT=pppoe1 MAC=9a:71:c5:e7:0f:f6:8c:ee:32:ca:5f:b9:08:00 SRC=192.168.100.99 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=60860 DF PROTO=ICMP TYPE=8 CODE=0 ID=45689 SEQ=1
Feb 22 09:40:15 box kernel: [ipv4-NAM-LAN-WAN-100-A]IN=eth1 OUT=pppoe1 MAC=9a:71:c5:e7:0f:f6:8c:ee:32:ca:5f:b9:08:00 SRC=192.168.100.99 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=60975 DF PROTO=ICMP TYPE=8 CODE=0 ID=15205 SEQ=1

This is the first rule in the list

# cat /run/nftables.conf
 chain NAME_LAN-WAN {
   ct state {new} meta l4proto  icmp ip saddr 192.168.100.99 icmp type echo-request hour >= "09:00:00" hour < "10:00:00" log prefix "[ipv4-NAM-LAN-WAN-100-A]" counter accept comment "ipv4-NAM-LAN-WAN-100"
   ...
 }
# sudo nft -s list chain vyos_filter NAME_LAN-WAN

table ip vyos_filter {
        chain NAME_LAN-WAN {
                ct state new ip saddr 192.168.100.99 icmp type echo-request meta hour >= "09:00" meta hour < "10:00" log prefix "[ipv4-NAM-LAN-WAN-100-A]" counter accept comment "ipv4-NAM-LAN-WAN-100"
                ...
        }
}

Weird right…

Hi Nicholas,

FYI, I built VyOS from source as the DockerHub image was 6 weeks old.

Kind Regards

Yes, sounds weird.
But at least now we know that rules are parsed and written correctly to nftables.
It sounds like a bug in nftables.
At least at first sight, I see no bug reported in the netfilter bugzilla.

Thanks, I see you filed a bug report, netfilter Bug 1737.

To which, the response was:

1.0.9 is lacking this fix, which is already in git HEAD.

Looking at the bug report, it mentions negative offset. I’m having issues with a positive offset. :pensive:

VyOS 1.4 is running the latest version of nftables.

# sudo apt info nftables
Package: nftables
Version: 1.0.9-1

Just as a test, I decided to switch my timezone from “Australia/Sydney” to UTC

# run show conf comm | grep time-zone
set system time-zone 'UTC'

# date
Fri Feb 23 04:04:09 AM UTC 2024

Modified my rule so that I have the same time in UTC (6AM - 9PM)

# From

set firewall ipv4 name LAN-WAN rule 100 time starttime '06:00:00'
set firewall ipv4 name LAN-WAN rule 100 time stoptime '21:00:00'

# To

set firewall ipv4 name LAN-WAN rule 100 time starttime '19:00:00'
set firewall ipv4 name LAN-WAN rule 100 time stoptime '10:00:00'

commit

No go… still blocking?

Feb 23 04:00:07 box kernel: [ipv4-LAN-WAN-default-D]IN=eth1 OUT=pppoe1 MAC=2c:f0:5d:d6:b3:cb:00:0c:29:a6:ca:57:08:00 SRC=192.168.100.99 DST=142.250.71.78 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=52208 DF PROTO=ICMP TYPE=8 CODE=0 ID=30663 SEQ=252
Feb 23 04:00:08 box kernel: [ipv4-LAN-WAN-default-D]IN=eth1 OUT=pppoe1 MAC=9a:71:c5:e7:0f:f6:8c:ee:32:ca:5f:b9:08:00 SRC=192.168.100.99 DST=142.250.71.78 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=52210 DF PROTO=ICMP TYPE=8 CODE=0 ID=30663 SEQ=253
Feb 23 04:00:09 box kernel: [ipv4-LAN-WAN-default-D]IN=eth1 OUT=pppoe1 MAC=9a:71:c5:e7:0f:f6:8c:ee:32:ca:5f:b9:08:00 SRC=192.168.100.99 DST=142.250.71.78 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=52262 DF PROTO=ICMP TYPE=8 CODE=0 ID=30663 SEQ=254
Feb 23 04:00:10 box kernel: [ipv4-LAN-WAN-default-D]IN=eth1 OUT=pppoe1 MAC=9a:71:c5:e7:0f:f6:8c:ee:32:ca:5f:b9:08:00 SRC=192.168.100.99 DST=142.250.71.78 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=52308 DF PROTO=ICMP TYPE=8 CODE=0 ID=30663 SEQ=255
Feb 23 04:00:11 box kernel: [ipv4-LAN-WAN-default-D]IN=eth1 OUT=pppoe1 MAC=9a:71:c5:e7:0f:f6:8c:ee:32:ca:5f:b9:08:00 SRC=192.168.100.99 DST=142.250.71.78 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=52369 DF PROTO=ICMP TYPE=8 CODE=0 ID=30663 SEQ=256
Feb 23 04:00:12 box kernel: [ipv4-LAN-WAN-default-D]IN=eth1 OUT=pppoe1 MAC=9a:71:c5:e7:0f:f6:8c:ee:32:ca:5f:b9:08:00 SRC=192.168.100.99 DST=142.250.71.78 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=52463 DF PROTO=ICMP TYPE=8 CODE=0 ID=30663 SEQ=257
Feb 23 04:00:13 box kernel: [ipv4-LAN-WAN-default-D]IN=eth1 OUT=pppoe1 MAC=9a:71:c5:e7:0f:f6:8c:ee:32:ca:5f:b9:08:00 SRC=192.168.100.99 DST=142.250.71.78 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=52646 DF PROTO=ICMP TYPE=8 CODE=0 ID=30663 SEQ=258

I am sure this used to work in 1.3 100%, I’m not tripping? :slight_smile:

# /run/nftables.conf
chain NAME_LAN-WAN {
    ct state {new} meta l4proto  icmp ip saddr 192.168.100.99 icmp type echo-request hour >= "19:00:00" hour < "10:00:00" log prefix "[ipv4-NAM-LAN-WAN-100-A]" counter accept comment "ipv4-NAM-LAN-WAN-100"
    ...
}
# sudo nft -s list chain vyos_filter NAME_LAN-WAN
table ip vyos_filter {
    chain NAME_LAN-WAN {
        ct state new ip saddr 192.168.100.99 icmp type echo-request meta hour >= "19:00" meta hour < "10:00" log prefix "[ipv4-NAM-LAN-WAN-100-A]" counter accept comment "ipv4-NAM-LAN-WAN-100"
        ..
    }
}

It works if I do

set firewall ipv4 name LAN-WAN rule 100 time starttime '01:00:00'
set firewall ipv4 name LAN-WAN rule 100 time stoptime '06:00:00'

# date
Fri Feb 23 04:25:34 AM UTC 2024

Hi, it’s just a guess, but maybe the issue occurs when starttime is larger than stoptime in UTC? Have you tried to split your rule into two separate ones? E.g. rule 100 from 00:00 to 10:00 UTC and rule 200 from 19:00 to 24:00 UTC.
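The guess above can be checked offline. This is an added example, not VyOS or nftables code: it converts a configured local window to UTC seconds-since-midnight (what the kernel's meta hour compares), then evaluates it both as two ANDed comparisons (the form the thread's nft output shows) and as a window allowed to wrap past UTC midnight, and emits the two-rule split suggested above. The fixed AEDT = UTC+11 offset, the helper names and the conversion are my assumptions; the times are taken from the thread.

```python
"""Model of an nftables 'meta hour' window after local-to-UTC conversion.

Added example (not VyOS or nftables code). Uses a fixed UTC offset for AEDT
(UTC+11 in February 2024) so it runs without system tzdata.
"""
from datetime import datetime, time, timedelta, timezone

DAY = 86400


def to_seconds(t: time) -> int:
    """Seconds since midnight, the unit the kernel uses for meta hour."""
    return t.hour * 3600 + t.minute * 60 + t.second


def fmt(secs: int) -> str:
    """Render seconds-since-midnight as HH:MM (86400 renders as 24:00)."""
    return f"{secs // 3600:02d}:{(secs % 3600) // 60:02d}"


def local_to_utc_seconds(hhmmss: str, offset_hours: float) -> int:
    """Convert a local wall-clock time to UTC seconds since midnight, wrapping at 24h.
    06:30 at UTC+11 becomes 19:30 of the previous UTC day."""
    local = to_seconds(time.fromisoformat(hhmmss))
    return (local - int(offset_hours * 3600)) % DAY


def naive_and_match(now: int, start: int, stop: int) -> bool:
    """Two independent comparisons ANDed, as in the thread's ruleset:
    meta hour >= "19:30" meta hour < "11:30". Unsatisfiable once start > stop."""
    return now >= start and now < stop


def wrap_aware_match(now: int, start: int, stop: int) -> bool:
    """What the operator intends: a window that may cross UTC midnight."""
    if start <= stop:
        return start <= now < stop
    return now >= start or now < stop


def split_window(start: int, stop: int) -> list[tuple[int, int]]:
    """Non-wrapping windows equivalent to [start, stop): the two-rule workaround
    suggested in the thread (00:00-stop and start-24:00)."""
    if start <= stop:
        return [(start, stop)]
    return [(0, stop), (start, DAY)]


def check_window(now_local_iso: str, start: str, stop: str, offset_hours: float) -> dict:
    """Evaluate a configured local window at a given local time under both models."""
    tz = timezone(timedelta(hours=offset_hours))
    now_local = datetime.fromisoformat(now_local_iso).replace(tzinfo=tz)
    now = to_seconds(now_local.astimezone(timezone.utc).time())
    s = local_to_utc_seconds(start, offset_hours)
    e = local_to_utc_seconds(stop, offset_hours)
    return {
        "utc_window": (fmt(s), fmt(e)),
        "wraps_utc_midnight": s > e,
        "naive_and_match": naive_and_match(now, s, e),
        "wrap_aware_match": wrap_aware_match(now, s, e),
        "split_rules": [(fmt(a), fmt(b)) for a, b in split_window(s, e)],
    }


if __name__ == "__main__":
    # Constructed from the thread: AEDT box at 09:51 with a 06:30-22:00 window (blocked),
    # the same box at 10:02 with 09:58-10:30 (accepted), and the UTC test 19:00-10:00 at 04:04.
    for args in (("2024-02-02T09:51:10", "06:30:00", "22:00:00", 11),
                 ("2024-02-02T10:02:01", "09:58:00", "10:30:00", 11),
                 ("2024-02-23T04:04:09", "19:00:00", "10:00:00", 0)):
        print(args, check_window(*args))
```

Only the windows whose UTC image wraps midnight fail the ANDed check, which is the pattern the thread reports: large local windows and the 19:00-10:00 UTC window are blocked, while 09:58-10:30 is accepted.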

Hi I-n-d-y,

I read an article that mentions that it will accept the inputs above, but I’m struggling to find it now :frowning:
This time range also worked fine in v1.3, which used iptables instead of nftables.

Regards

I installed a new Debian system and enabled nftables.

$ sudo systemctl enable nftables.service
$ sudo systemctl start nftables.service

$ sudo service nftables status
● nftables.service - nftables
Loaded: loaded (/lib/systemd/system/nftables.service; enabled; preset: enabled)
Active: active (exited) since Fri 2024-03-01 13:37:08 AEDT; 6 days ago
Docs: man:nft(8)
http://wiki.nftables.org
Main PID: 267 (code=exited, status=0/SUCCESS)
CPU: 26ms

$ date
Thu 07 Mar 2024 19:20:37 AEDT

I modified /etc/nftables.conf and added a single line for ICMP:

ip protocol icmp hour >= "06:00:00" hour < "21:00:00" log prefix "[TimeRule]" counter accept comment "Test Time Rule"

nftables.conf

table inet filter {
    chain input {
        type filter hook input priority filter;
               
        # Allow loopback (local connections)
        iifname lo accept
         
        # Allow established/related
        ct state established,related accept
         
        # Allow incoming pings
        #ip protocol icmp counter accept
        ip protocol icmp hour >= "06:00:00" hour < "21:00:00" log prefix "[TimeRule]" counter accept comment "Test Time Rule"
        # Drop everything else
        counter drop
         
    }
    
    chain forward {
        type filter hook forward priority filter;
    }

    chain output {
        type filter hook output priority filter;
    }
}

I ping from another host and system does not reply.

I change it to

ip protocol icmp hour >= "10:00:00" hour < "21:00:00" log prefix "[TimeRule]" counter accept comment "Test Time Rule"

Still nothing - no reply

Minimise the time interval even more and it starts to work?

ip protocol icmp hour >= "17:00:00" hour < "21:00:00" log prefix "[TimeRule]" counter accept comment "Test Time Rule"

I tried to find more information about the time component and how it works, without much luck.

So it looks like it is specific to the nftables meta hour match…

Am I testing this correctly, as it clearly doesn’t work?

Regards