VyOS handles Day Light Saving

anowak · October 2, 2021, 11:05pm

Hi,

I am using starttime and stoptime for some of my rules. Currently I can only get these rules to work when the rule uses UTC times. I was wondering how this is effected by daylight saving time that just kicked in.

set firewall name INSIDE-OUTSIDE rule 550 description ‘Allow Web Ports 8:30AM-8:30PM’
set firewall name INSIDE-OUTSIDE rule 550 time starttime ‘21:30:00’
set firewall name INSIDE-OUTSIDE rule 550 time stoptime ‘20:30:00’

I’ve had to go and change all the rules. Is there anyway to get around this without setting Vyos to use UTC and ADST instead?

Kind Regards

blackhole · October 4, 2021, 2:10am

VyOS keeps time just fine and this should be not a problem at all.
Make sure your time is set and confirm the time matches (Hi from VIC)

mario@vyos007:~$ show configuration commands | grep ntp
set system ntp listen-address '192.168.67.252'
set system ntp server 192.168.67.241
set system ntp server 192.168.67.242

mario@vyos007:~$ show configuration commands | grep time-zone
set system time-zone 'Australia/Melbourne'

mario@vyos007:~$ date
Mon 04 Oct 2021 01:03:56 PM AEDT

also

mario@vyos007:~$ timedatectl
               Local time: Mon 2021-10-04 13:08:03 AEDT
           Universal time: Mon 2021-10-04 02:08:03 UTC
                 RTC time: Mon 2021-10-04 02:08:03
                Time zone: Australia/Melbourne (AEDT, +1100)
System clock synchronized: yes
              NTP service: n/a
          RTC in local TZ: no

and

mario@vyos007:~$ show ntp
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*192.168.67.241  203.57.115.181   3 u  598 1024  377    0.270   -6.007   3.927
+192.168.67.242  192.168.67.241   4 u  172 1024  377    0.397   -2.044   2.564

Use the above and show ntp info to confirm NTP is syncing up fine etc

anowak · October 4, 2021, 4:11am

Hi Blackhole,

Awesome!
I was going off this post, believing it was only possible to use UTC time.
Firewall Time feature - I can't get this to work..Need Help! - #4 by chappyca - omamenko

Regards

anowak · October 4, 2021, 5:58am

Hi Blackhole,

Note: running 1.3RC6

No luck with using normal time rule to block and unblock traffic.

firewall@box:~$ show configuration commands | grep ntp
set system ntp allow-clients address ‘192.168.1.0/24’
set system ntp allow-clients address ‘192.168.2.0/24’
set system ntp listen-address ‘192.168.1.1’
set system ntp listen-address ‘192.168.2.1’
set system ntp server 0.au.pool.ntp.org
set system ntp server 1.au.pool.ntp.org
set system ntp server 2.au.pool.ntp.org

firewall@box:~$ show configuration commands | grep time-zone
set system time-zone ‘Australia/Victoria’

irewall@box:~$ show configuration commands | grep time-zone
set system time-zone ‘Australia/Victoria’
firewall@box:~$ timedatectl
Local time: Mon 2021-10-04 16:49:30 AEDT
Universal time: Mon 2021-10-04 05:49:30 UTC
RTC time: Mon 2021-10-04 05:49:31
Time zone: Australia/Victoria (AEDT, +1100)
System clock synchronized: yes
NTP service: inactive
RTC in local TZ: no

firewall@box:~$ show ntp
remote refid st t when poll reach delay offset jitter
==============================================================================
+139.180.160.82 203.4.241.5 2 u 216 1024 377 22.247 -2.151 0.840
*220.158.215.21 202.46.178.18 2 u 379 1024 377 21.732 0.181 1.458
+103.76.40.123 203.35.83.242 2 u 251 1024 377 22.679 -0.716 0.446

Removed UTC statements so that it looks at normal time?

set firewall name INSIDE-OUTSIDE rule 1101 action ‘accept’
set firewall name INSIDE-OUTSIDE rule 1101 description ‘Allow OUTSIDE 4:30PM-4:50PM’
set firewall name INSIDE-OUTSIDE rule 1101 destination port ‘80,443’
set firewall name INSIDE-OUTSIDE rule 1101 log ‘enable’
set firewall name INSIDE-OUTSIDE rule 1101 protocol ‘tcp’
set firewall name INSIDE-OUTSIDE rule 1101 source group address-group ‘AG_INSIDE_TIMED’
set firewall name INSIDE-OUTSIDE rule 1101 time starttime ‘16:45:00’
set firewall name INSIDE-OUTSIDE rule 1101 time stoptime ‘16:50:00’

Run it and hit the [INSIDE-OUTSIDE-default-D]

Anything else that needs configuring?

Kind Regards

blackhole · October 4, 2021, 6:29am

Mine appears to NOT be working using regular time, I dont use this starttime and stoptime but I just put it up on my ICMP outbound rule to help test it out. Very weird…

mario@vyos007# show firewall name lan-wan rule 100
 action accept
 log enable
 protocol icmp
 time {
     monthdays 4
     starttime 05:14:00
     stoptime 05:30:00
 }

I then changed it to UTC mode and this actually works!
However I have had to ping a different IP as the other one was still in the connection table

mario@vyos007# show firewall name lan-wan rule 100
 action accept
 log enable
 protocol icmp
 time {
     monthdays 4
     starttime 06:20:00
     stoptime 06:26:00
     utc
 }

blackhole · October 4, 2021, 6:32am

So I am failing at multitasking but even with the right time it still does not woirk (24 hour time)

mario@vyos007# show firewall name lan-wan rule 100
 action accept
 log enable
 protocol icmp
 time {
     monthdays 4
     starttime 17:30:00
     stoptime 17:35:00
 }

anowak · October 4, 2021, 6:33am

First rule should be

mario@vyos007# show firewall name lan-wan rule 100
action accept
log enable
protocol icmp
time {
monthdays 4
starttime 17:14:00
stoptime 17:30:00
}

Regards

anowak · October 4, 2021, 6:34am

What version are you running?

Either way looks like I’ll need to write a script that detects ADST and rewrites my rules.

Thanks!

blackhole · October 4, 2021, 6:36am

Yeah mildly infuriating problem, sounds like a bit of a bug along the way

mario@vyos007# run show version

Version:          VyOS 1.4-rolling-202109280217
Release train:    sagitta

Built by:         autobuild@vyos.net
Built on:         Tue 28 Sep 2021 02:17 UTC
Build UUID:       a018849b-4c19-4ce3-9245-bcf5ed14ce21
Build commit ID:  074d033d38271c

Architecture:     x86_64
Boot via:         installed image
System type:      VMware guest

Hardware vendor:  VMware, Inc.
Hardware model:   VMware Virtual Platform
Hardware S/N:     VMware-42 1f 29 92 a1 0b 9f a2-cc e7 85 32 d3 2a 7a 9a
Hardware UUID:    92291f42-0ba1-a29f-cce7-8532d32a7a9a

Copyright:        VyOS maintainers and contributors

anowak · October 31, 2021, 12:32am

Hi Rempel,

IP tables only supports creating rules using UTC time.
Adding ‘time utc’ makes no difference.

Bug report filed.
https://phabricator.vyos.net/T3895

Basically a scripted cron job needs to rewrite your rules 1hr forward or backwards depending on DST.

Unless someone else has other ideas.