Blocking input and forward traffic from IP

Hello guys, I have a strange issue in my MT fw.
I have one rule in INPUT and one rule in forward, but they are not working properly.
The first input rule: the client from the internet should be able to connect to the server behind the GW (MT) except during defined hours.

1 ;;; Block PC client Heneken BA
chain=input action=drop connection-state="" connection-nat-state=dstnat
src-address=176.10.43.91 time=19h-8h,sun,mon,tue,wed,thu,fri,sat log=no
log-prefix=""

The result is that the drop is not working… I think because the client had established the connection before 19:00 or because fasttrack is active(?)

The 2nd issue is similar.
My son has active internet on my home gw only from 9-12 a.m. If he tries to make a new connection after 12:00, the drop works properly. If he has a connection to the server established earlier, between 9-12:00, the drop is inactive and e.g. he can continue playing a game after 12:00… he is clever, he found a hole in my firewall ;o). Do I have to specify a rule for established connections?

11 I ;;; Allow internet nb
;;; inactive time
chain=forward action=accept src-address=10.100.10.90
time=9h-12h,sun,mon,tue,wed,thu,fri,sat log=no log-prefix=""

16 chain=forward action=drop src-address=10.100.10.90
dst-address=!10.100.0.0/16 log=no log-prefix=""

Can you update my firewall rules properly?
I have ROS 6.46.6 in both cases.

Glad to have a look, but not at snippets.
Please post config
/export hide-sensitive file=anynameyouwish

Thank you for your goodwill, but could you write me examples instead? How do you solve these tasks?
Let's assume a classic unboxed MT with factory default fw settings (SRCNAT, DSTNAT). How can I block ALL DSTNAT connections from a specified IP at a specified time in the INPUT? How can I block ALL connections from a specified LAN IP at a specified time in FORWARD? I thought all the time that I had the right rules, but it seems I'm wrong.

Edit: I repaired my 1st case…the right rule is:

1 ;;; Block PC client Heneken BA
chain=forward action=drop connection-state="" connection-nat-state=dstnat
protocol=tcp src-address=176.10.43.91
time=19h-8h,sun,mon,tue,wed,thu,fri,sat log=no log-prefix=""
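
A simplified first-match model of the second case, added here as an example and not part of the original thread or of RouterOS itself: it shows why a session opened inside the allowed window keeps passing after 12:00 when an accept rule for established connections is evaluated first, and how evaluating the time-bound drop first changes the result. Assumptions: the factory-default established/related accept rule precedes rules 11 and 16, only internet-bound packets are modelled, FastTrack is ignored, and `Rule`, `in_window`, `evaluate`, `AS_POSTED` and `REORDERED` are hypothetical names.

```python
# Simplified first-match model of a forward chain; not RouterOS code.
from dataclasses import dataclass

@dataclass
class Rule:
    action: str            # "accept" or "drop"
    src: str = ""          # source address to match, "" = any
    states: tuple = ()     # connection states to match, () = any
    hours: tuple = ()      # (start_hour, end_hour), () = always
    comment: str = ""

def in_window(hour, window):
    """True if hour is in [start, end); a window such as 19-8 wraps midnight."""
    start, end = window
    if start <= end:
        return start <= hour < end
    return hour >= start or hour < end

def evaluate(chain, src, state, hour):
    """Return (action, comment) of the first rule matching the packet."""
    for r in chain:
        if r.src and r.src != src:
            continue
        if r.states and state not in r.states:
            continue
        if r.hours and not in_window(hour, r.hours):
            continue
        return r.action, r.comment
    return "accept", "end of chain"  # nothing matched: packet is accepted

KID = "10.100.10.90"  # LAN address from the post
# Assumption: factory-default accept rule for established/related traffic.
ESTABLISHED = Rule("accept", states=("established", "related"), comment="established")

# Rules 11 and 16 as posted, evaluated after the assumed default rule.
AS_POSTED = [
    ESTABLISHED,
    Rule("accept", src=KID, hours=(9, 12), comment="allow 9h-12h"),
    Rule("drop", src=KID, comment="drop"),
]
# Reordered: the time-bound drop is evaluated before the established accept.
REORDERED = [
    Rule("drop", src=KID, hours=(12, 9), comment="drop 12h-9h"),
    ESTABLISHED,
]

if __name__ == "__main__":
    for name, chain in (("as posted", AS_POSTED), ("reordered", REORDERED)):
        # Constructed case: session opened at 11:50, packet seen at 13:00.
        print(name, evaluate(chain, KID, "established", 13))
```
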

That’s not how anav works 🙂

And that is not how this forum or any other medium works to post IP addresses in public (personal data).

And for kids there is a special kid control unit available under /ip. 😉