Firewall Starttime & Stoptime not working in 1.4-rc3?

Could you please add such details to the netfilter bug?
https://bugzilla.netfilter.org/show_bug.cgi?id=1737

Funny you should ask, because I tried creating an account which is only available via email. Still waiting. I also included what I posted here in that email.

Cheers


Hi,

In case you’re using time-based firewall rules: I am currently working around this issue by using scripts and schedules. Not pretty, but it works for now. The script can also be modified to make it more generic and accept the rule number.

Create script file:
/config/scripts/enablefw.sh

#!/bin/vbash
# Usage: enablefw.sh enable|disable
# "enable" removes the disable flag from the timed rules, "disable" sets it.

VALUE=$1

# Reject anything other than the two known actions before touching the config
if [ "$VALUE" != "enable" ] && [ "$VALUE" != "disable" ]; then
  echo "Usage: $0 enable|disable" >&2
  exit 1
fi

# Load the VyOS helpers that provide configure, set, delete, commit and exit
source /opt/vyatta/etc/functions/script-template

if [ "$VALUE" = "enable" ]; then
  configure
  delete firewall ipv4 name LAN-WAN rule 260 disable
  delete firewall ipv4 name LAN-WAN rule 270 disable
  delete firewall ipv4 name LAN-WAN rule 271 disable
  commit
  exit
elif [ "$VALUE" = "disable" ]; then
  configure
  set firewall ipv4 name LAN-WAN rule 260 disable
  set firewall ipv4 name LAN-WAN rule 270 disable
  set firewall ipv4 name LAN-WAN rule 271 disable
  commit
  exit
fi

Then I created some schedules to interact with the script:

set system task-scheduler task disable_timed_rule crontab-spec '30 22 * * SUN'
set system task-scheduler task disable_timed_rule executable arguments 'disable'
set system task-scheduler task disable_timed_rule executable path '/config/scripts/enablefw.sh'
set system task-scheduler task enable_timed_rule crontab-spec '30 16 * * FRI'
set system task-scheduler task enable_timed_rule executable arguments 'enable'
set system task-scheduler task enable_timed_rule executable path '/config/scripts/enablefw.sh'
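The post above mentions making the script generic enough to accept the rule number. The following is an added example (not the poster's script and not VyOS project code) that does that: it takes the action, the chain name and any number of rule numbers, validates them before anything runs, and only then opens a config session with the same script-template helpers the thread uses. The script name `fwrule.sh` and the function names are hypothetical.

```shell
#!/bin/vbash
# Added example, not the poster's script: a generic version of the cron
# workaround that takes the action, the chain name and any number of rule
# numbers. Function and file names are hypothetical; the VyOS commands are
# the ones used in the thread.

# Print one VyOS config-mode command per rule. All input is validated before
# anything is printed, because cron runs this with full config privileges.
fw_rule_cmds() {
    [ $# -ge 3 ] || { echo "usage: enable|disable CHAIN RULE [RULE...]" >&2; return 1; }
    action=$1; chain=$2; shift 2
    case "$action" in
        enable)  verb=delete ;;   # removing the "disable" flag re-enables the rule
        disable) verb=set ;;
        *) echo "unknown action: $action" >&2; return 1 ;;
    esac
    # chain names: letters, digits, '-' and '_' only; rule numbers: digits only
    case "$chain" in
        ''|*[!A-Za-z0-9_-]*) echo "bad chain name: $chain" >&2; return 1 ;;
    esac
    for rule in "$@"; do
        case "$rule" in
            ''|*[!0-9]*) echo "bad rule number: $rule" >&2; return 1 ;;
        esac
    done
    for rule in "$@"; do
        printf '%s firewall ipv4 name %s rule %s disable\n' "$verb" "$chain" "$rule"
    done
}

# On the router: open a config session, run the generated set/delete
# commands and commit. Assumes the script-template helpers from the thread.
apply_on_vyos() {
    cmds=$(fw_rule_cmds "$@") || return 1
    source /opt/vyatta/etc/functions/script-template
    configure
    eval "$cmds"     # each generated line becomes a set/delete call in the session
    commit
    exit
}

# Installed as /config/scripts/fwrule.sh and called from task-scheduler, e.g.
#   executable path '/config/scripts/fwrule.sh'
#   executable arguments 'enable LAN-WAN 260 270 271'
if [ $# -gt 0 ]; then
    apply_on_vyos "$@"
fi
```

Because validation happens before the config session is opened, a bad argument in a schedule leaves the running firewall untouched.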

Hi n.fort:

Curious to know what the chances are, or what the process is, for getting this implemented?
https://bugzilla.netfilter.org/show_bug.cgi?id=1737

Seems they’ve created a patch:
https://patchwork.ozlabs.org/project/netfilter-devel/patch/20240319192609.218891-1-pablo@netfilter.org/

I also noticed they are using a range command which is not used within VyOS.

e.g.

 chain NAME_LAN-WAN {
   ct state {new} meta l4proto  icmp ip saddr 192.168.100.99 icmp type echo-request hour "09:00:00"-"10:00:00" log prefix "[ipv4-NAM-LAN-WAN-100-A]" counter accept comment "ipv4-NAM-LAN-WAN-100"
   ...
 }

Kind Regards

I’ll give it a look! Thanks for letting us know about the patch
