VyOS handles Day Light Saving

Hi,

I am using starttime and stoptime for some of my rules. Currently I can only get these rules to work when the rule uses UTC times. I was wondering how this is affected by daylight saving time that just kicked in.

set firewall name INSIDE-OUTSIDE rule 550 description 'Allow Web Ports 8:30AM-8:30PM'
set firewall name INSIDE-OUTSIDE rule 550 time starttime '21:30:00'
set firewall name INSIDE-OUTSIDE rule 550 time stoptime '20:30:00'

I’ve had to go and change all the rules. Is there any way to get around this without setting VyOS to use UTC and ADST instead?

Kind Regards

VyOS keeps time just fine and this should not be a problem at all.
Make sure your time is set and confirm the time matches (Hi from VIC)

mario@vyos007:~$ show configuration commands | grep ntp
set system ntp listen-address '192.168.67.252'
set system ntp server 192.168.67.241
set system ntp server 192.168.67.242

mario@vyos007:~$ show configuration commands | grep time-zone
set system time-zone 'Australia/Melbourne'
mario@vyos007:~$ date
Mon 04 Oct 2021 01:03:56 PM AEDT

also

mario@vyos007:~$ timedatectl
               Local time: Mon 2021-10-04 13:08:03 AEDT
           Universal time: Mon 2021-10-04 02:08:03 UTC
                 RTC time: Mon 2021-10-04 02:08:03
                Time zone: Australia/Melbourne (AEDT, +1100)
System clock synchronized: yes
              NTP service: n/a
          RTC in local TZ: no

and

mario@vyos007:~$ show ntp
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*192.168.67.241  203.57.115.181   3 u  598 1024  377    0.270   -6.007   3.927
+192.168.67.242  192.168.67.241   4 u  172 1024  377    0.397   -2.044   2.564

Use the above and show ntp info to confirm NTP is syncing up fine etc

Hi Blackhole,

Awesome!
I was going off this post, believing it was only possible to use UTC time.
Firewall Time feature - I can't get this to work..Need Help! - #4 by chappyca - omamenko

Regards

Hi Blackhole,

Note: running 1.3RC6

No luck with using normal time rule to block and unblock traffic.

firewall@box:~$ show configuration commands | grep ntp
set system ntp allow-clients address '192.168.1.0/24'
set system ntp allow-clients address '192.168.2.0/24'
set system ntp listen-address '192.168.1.1'
set system ntp listen-address '192.168.2.1'
set system ntp server 0.au.pool.ntp.org
set system ntp server 1.au.pool.ntp.org
set system ntp server 2.au.pool.ntp.org

firewall@box:~$ show configuration commands | grep time-zone
set system time-zone 'Australia/Victoria'

firewall@box:~$ timedatectl
               Local time: Mon 2021-10-04 16:49:30 AEDT
           Universal time: Mon 2021-10-04 05:49:30 UTC
                 RTC time: Mon 2021-10-04 05:49:31
                Time zone: Australia/Victoria (AEDT, +1100)
System clock synchronized: yes
              NTP service: inactive
          RTC in local TZ: no

firewall@box:~$ show ntp
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
+139.180.160.82  203.4.241.5      2 u  216 1024  377   22.247   -2.151   0.840
*220.158.215.21  202.46.178.18    2 u  379 1024  377   21.732    0.181   1.458
+103.76.40.123   203.35.83.242    2 u  251 1024  377   22.679   -0.716   0.446

Removed UTC statements so that it looks at normal time?

set firewall name INSIDE-OUTSIDE rule 1101 action 'accept'
set firewall name INSIDE-OUTSIDE rule 1101 description 'Allow OUTSIDE 4:30PM-4:50PM'
set firewall name INSIDE-OUTSIDE rule 1101 destination port '80,443'
set firewall name INSIDE-OUTSIDE rule 1101 log 'enable'
set firewall name INSIDE-OUTSIDE rule 1101 protocol 'tcp'
set firewall name INSIDE-OUTSIDE rule 1101 source group address-group 'AG_INSIDE_TIMED'
set firewall name INSIDE-OUTSIDE rule 1101 time starttime '16:45:00'
set firewall name INSIDE-OUTSIDE rule 1101 time stoptime '16:50:00'

Run it and hit the [INSIDE-OUTSIDE-default-D]

Anything else that needs configuring?

Kind Regards

Mine appears to NOT be working using regular time. I don't use this starttime and stoptime, but I just put it up on my ICMP outbound rule to help test it out. Very weird…

mario@vyos007# show firewall name lan-wan rule 100
 action accept
 log enable
 protocol icmp
 time {
     monthdays 4
     starttime 05:14:00
     stoptime 05:30:00
 }

I then changed it to UTC mode and this actually works!
However I have had to ping a different IP as the other one was still in the connection table

mario@vyos007# show firewall name lan-wan rule 100
 action accept
 log enable
 protocol icmp
 time {
     monthdays 4
     starttime 06:20:00
     stoptime 06:26:00
     utc
 }

So I am failing at multitasking, but even with the right time it still does not work (24 hour time)

mario@vyos007# show firewall name lan-wan rule 100
 action accept
 log enable
 protocol icmp
 time {
     monthdays 4
     starttime 17:30:00
     stoptime 17:35:00
 }

First rule should be

mario@vyos007# show firewall name lan-wan rule 100
 action accept
 log enable
 protocol icmp
 time {
     monthdays 4
     starttime 17:14:00
     stoptime 17:30:00
 }

Regards

What version are you running?

Either way looks like I’ll need to write a script that detects ADST and rewrites my rules.

Thanks!

Yeah mildly infuriating problem, sounds like a bit of a bug along the way

mario@vyos007# run show version

Version:          VyOS 1.4-rolling-202109280217
Release train:    sagitta

Built by:         autobuild@vyos.net
Built on:         Tue 28 Sep 2021 02:17 UTC
Build UUID:       a018849b-4c19-4ce3-9245-bcf5ed14ce21
Build commit ID:  074d033d38271c

Architecture:     x86_64
Boot via:         installed image
System type:      VMware guest

Hardware vendor:  VMware, Inc.
Hardware model:   VMware Virtual Platform
Hardware S/N:     VMware-42 1f 29 92 a1 0b 9f a2-cc e7 85 32 d3 2a 7a 9a
Hardware UUID:    92291f42-0ba1-a29f-cce7-8532d32a7a9a

Copyright:        VyOS maintainers and contributors

Hi Rempel,

iptables only supports creating rules using UTC time.
Adding ‘time utc’ makes no difference.

Bug report filed.
https://phabricator.vyos.net/T3895

Basically a scripted cron job needs to rewrite your rules 1hr forward or backwards depending on DST.

Unless someone else has other ideas.
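
The cron-driven rewrite suggested in the last post could look like the following. This is an added example, not code from the thread or from VyOS: the function names are hypothetical, the rule set, rule number and 8:30AM-8:30PM window are taken from the first post, and the "current" values in the demo are constructed.

```python
#!/usr/bin/env python3
"""Convert a local-time firewall window to the UTC values the rule needs today."""
from datetime import date, datetime, time, timezone
from zoneinfo import ZoneInfo  # Python 3.9+, reads the system tz database


def to_utc(local: time, tz: ZoneInfo, day: date) -> str:
    """Return HH:MM:SS in UTC for wall-clock time `local` on `day` in `tz`."""
    aware = datetime.combine(day, local, tzinfo=tz)
    return aware.astimezone(timezone.utc).strftime("%H:%M:%S")


def utc_window(start: str, stop: str, tz_name: str, day: date) -> tuple[str, str]:
    """Map a local 'HH:MM:SS' window to UTC, using the DST offset in force on `day`."""
    tz = ZoneInfo(tz_name)
    return (to_utc(time.fromisoformat(start), tz, day),
            to_utc(time.fromisoformat(stop), tz, day))


def rewrite_commands(ruleset: str, rule: int, start: str, stop: str,
                     tz_name: str, day: date, current: tuple[str, str]) -> list[str]:
    """Return the set commands needed, or [] if the rule already holds the right UTC times."""
    wanted = utc_window(start, stop, tz_name, day)
    if wanted == current:
        return []  # nothing to change, so the cron run stays a no-op
    base = f"set firewall name {ruleset} rule {rule} time"
    return [f"{base} starttime '{wanted[0]}'", f"{base} stoptime '{wanted[1]}'"]


if __name__ == "__main__":
    # Constructed demo: the rule still holds the winter (AEST, +10) values.
    today = datetime.now(ZoneInfo("Australia/Melbourne")).date()
    for cmd in rewrite_commands("INSIDE-OUTSIDE", 550, "08:30:00", "20:30:00",
                                "Australia/Melbourne", today,
                                current=("22:30:00", "10:30:00")):
        print(cmd)
```

The UTC start time can be later than the stop time when the local window crosses UTC midnight, as it does for this window. The printed commands still have to be applied in configuration mode and committed.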