Firewall Time feature - I can't get this to work..Need Help!

chappyca · August 29, 2018, 11:19pm

I Setup VYOS on a Virtaul box with the following configuration:

eth0 - DHCP - WAN
eth1 - 192.168.15.0/24 - LAN

I want to block 192.168.15.50 virtual machine at a specific time of day. The default will drop any connections going into LAN IN. I’m only allowing 192.168.15.50 to go through LAN IN at a specific time. Before entering the time command the rule will work. It will allow 192.168.15.15 to bypass the LAN in. So this rule is working.

I check the date on router:
date -> Wed Aug 29 19:13:26 EDT 2018

Here is my rule:
set firewall name block rule 10 action accept
set firewall name block rule 10 source address 192.168.15.50
set interfaces ethernet eth1 firewall in name block
Default action is to drop

At this point My device can ping google.ca and the web is working.

Next I will add the time:
set firewall name block rule 10 time starttime 19:20:00
set firewall name block rule 10 time stoptime 19:30:00
commit

I’m assuming at this point that the 192.168.15.50 should be blocked until 19:20:00 arrives.
date
Wed Aug 29 19:17:26 EDT 2018
192.168.15.50 can still ping and still has access to the internet. nothing is being blocked.
This is where I’m lost. Need help please.

omamenko · August 30, 2018, 9:44am

Hi,

Is rule-set applied to an interface?
Please, provide output # sh interfaces ethernet

Oleksandr Mamenko

chappyca · August 30, 2018, 2:14pm

HI, Yes it is applied to the IN on eth1. I will send you the output as soon I get home.

Also, I would like to note that the rule should be called UNBLOCK which would make it more clear.
Thanks

chappyca · August 30, 2018, 7:40pm

HI,

Here is the output requested:

vyos@vyos# sh interfaces ethernet
ethernet eth0 {
address dhcp
}
ethernet eth1 {
address 192.168.15.1/24
firewall {
in {
name block
}
}
hw-id 08:00:27:bc:04:68
}
[edit]

omamenko · August 31, 2018, 8:36am

Hi,

First of all, you need to use UTC time in firewall rules.
Try to enable logging in your rule
set firewall name block enable-default-log
set firewall name block rule 10 log enable
commit
exit
Generate traffic and check logs
sh log firewall name block

chappyca · September 1, 2018, 1:29pm

HI,
Thanks for your quick response.
I checked the UTC time on my VYOS router and adjusted the time rule to match the UTC time. That seems to have resolved the issue. This allows the PC access to the internet at the correct time and disconnects it at the correct time. Awesome!!

Can the firewall only use UTC?
Thanks again

syncer · September 1, 2018, 5:15pm

I think is good candidate for feature request
maybe this should be inline with system timezone settings

omamenko · September 3, 2018, 8:47am