XenosTh
just joined
Topic Author
Posts: 17
Joined: Wed Feb 13, 2019 4:54 pm

Time Based firewall rules

Thu Jun 06, 2019 10:55 am

Hello friends,
I have a simple firewall rule:
chain=forward action=drop protocol=tcp in-interface=vlan202_1LYK dst-port=25,587,465 time=8h-10h,sun,mon,tue,wed,thu,fri,sat log=no log-prefix=""
I want this rule to be applied for the same hours but for different days, for example Mon, Wed, Fri.
The problem is that if I choose, let's say, these 3 days, the rule doesn't become active. If it is Monday 08:20 the rule still says inactive time; on Wed it says the same.
It only works if I tick all of the days, but I don't want that!!!
The system clock is synchronized.
Anybody have an idea?
 
JohnTRIVOLTA
Member Candidate
Posts: 202
Joined: Sun Dec 25, 2016 2:05 pm
Location: BG/Sofia

Re: Time Based firewall rules

Thu Jun 06, 2019 2:26 pm

Synchronize time on routerboard with NTP client or manually?
 
skylark
MikroTik Support
Posts: 106
Joined: Wed Feb 10, 2016 3:55 pm

Re: Time Based firewall rules

Thu Jun 06, 2019 2:33 pm

Can you give us one particular example?
I just checked with the quick firewall and ICMP drop, everything works how it should.
 
XenosTh
just joined
Topic Author
Posts: 17
Joined: Wed Feb 13, 2019 4:54 pm

Re: Time Based firewall rules

Thu Jun 06, 2019 4:05 pm

Synchronize time on routerboard with NTP client or manually?
With NTP client!!!
 
XenosTh
just joined
Topic Author
Posts: 17
Joined: Wed Feb 13, 2019 4:54 pm

Re: Time Based firewall rules

Thu Jun 06, 2019 4:11 pm

Can you give us one particular example?
I just checked with the quick firewall and ICMP drop, everything works how it should.
For example, I want that rule to be applied tomorrow, Friday 07 June, and Sunday 9 June at the same time (08:00 - 10:00). If I check Fri and Sun, when the time reaches 08:01 it should become active, but it doesn't!!! Only if I check all of the days does it become active on Fri at 08:01. It's crazy!!!
I hope you understood my example!!
 
k6ccc
Member
Posts: 479
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: Time Based firewall rules

Fri Jun 07, 2019 12:18 am

I have never had any time based firewall rules, but because of this thread, I created one for a test. The rule was a simple rule to drop all ICMP packets from the internet at the beginning of my Input chain with no time restriction. I am not at the location of this router, so my access is only via the internet. I then started a continuous ping from another computer. As soon as I enabled the rule, pings started failing. This was expected, but I wanted to verify that the rule was working. I then modified the rule to add a time restriction from 14:00:00 until 14:05:00 on Thursday. WinBox correctly showed the rule as inactive time. A few minutes later, 14:00:00 rolled around and WinBox showed the rule active and the pings started failing. At 14:05:00, WinBox then showed the rule as inactive time and the pings started working.
Just for good measure, I modified the rule again to have a time restriction of 14:15:00 - 14:16:00 on Sunday, Tuesday, Thursday, and Saturday. It worked perfectly.
Test performed on a RB-750Gr3 running ROS 6.44.1
RB750Gr3, RB750r2, CRS326-24G-2S (in SwitchOS), CSS326-24G-2S, CSS106-5G-1S, RB260GS
Not sure if I beat them in submission, or they beat me into submission


Jim
 
JohnTRIVOLTA
Member Candidate
Posts: 202
Joined: Sun Dec 25, 2016 2:05 pm
Location: BG/Sofia

Re: Time Based firewall rules

Fri Jun 07, 2019 8:31 am

Synchronize time on routerboard with NTP client or manually?
With NTP client!!!
NTP. In ROS this is System-SNTP client.
 
XenosTh
just joined
Topic Author
Posts: 17
Joined: Wed Feb 13, 2019 4:54 pm

Re: Time Based firewall rules

Fri Jun 07, 2019 10:01 am

I have never had any time based firewall rules, but because of this thread, I created one for a test. The rule was a simple rule to drop all ICMP packets from the internet at the beginning of my Input chain with no time restriction. I am not at the location of this router, so my access is only via the internet. I then started a continuous ping from another computer. As soon as I enabled the rule, pings started failing. This was expected, but I wanted to verify that the rule was working. I then modified the rule to add a time restriction from 14:00:00 until 14:05:00 on Thursday. WinBox correctly showed the rule as inactive time. A few minutes later, 14:00:00 rolled around and WinBox showed the rule active and the pings started failing. At 14:05:00, WinBox then showed the rule as inactive time and the pings started working.
Just for good measure, I modified the rule again to have a time restriction of 14:15:00 - 14:16:00 on Sunday, Tuesday, Thursday, and Saturday. It worked perfectly.
Test performed on a RB-750Gr3 running ROS 6.44.1
Thank you for the example, and that is the way it should work. Unfortunately it doesn't happen to me. My rule, which is as simple as yours, becomes active only when I check all days. I don't know why yet, but I will find out!!!!! Thanks for the try!!!!!
 
XenosTh
just joined
Topic Author
Posts: 17
Joined: Wed Feb 13, 2019 4:54 pm

Re: Time Based firewall rules

Fri Jun 07, 2019 10:26 am

I figured it out!! You have to specify the time and day or days that you want the rule to be applied and then you have to press reset all counters to reset everything and allow the new rule to be applied. I checked it 3-4 times and it worked fine.
Thank you all!!!!
 
k6ccc
Member
Posts: 479
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: Time Based firewall rules

Fri Jun 07, 2019 4:53 pm

I figured it out!! You have to specify the time and day or days that you want the rule to be applied and then you have to press reset all counters to reset everything and allow the new rule to be applied. I checked it 3-4 times and it worked fine.
Thank you all!!!!
I definitely did not have to reset counters to make it work. What hardware and ROS version?
 
XenosTh
just joined
Topic Author
Posts: 17
Joined: Wed Feb 13, 2019 4:54 pm

Re: Time Based firewall rules

Sat Jun 08, 2019 9:23 am

I figured it out!! You have to specify the time and day or days that you want the rule to be applied and then you have to press reset all counters to reset everything and allow the new rule to be applied. I checked it 3-4 times and it worked fine.
Thank you all!!!!
I definitely did not have to reset counters to make it work. What hardware and ROS version?
6.43.11 CRS125-24G-1S
 
CZFan
Forum Guru
Posts: 1392
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Randburg

Re: Time Based firewall rules

Sat Jun 08, 2019 8:53 pm

I figured it out!! You have to specify the time and day or days that you want the rule to be applied and then you have to press reset all counters to reset everything and allow the new rule to be applied. I checked it 3-4 times and it worked fine.
Thank you all!!!!

I suspect that you have a rule before this one that accepts established/related, so packets did not reach your "time based" rule. By resetting all counters, it probably re-initiated all rules, which caused "new" connections to reach the time rule.

Difficult to say without seeing rest of firewall config.
MTCNA, MTCTCE, MTCRE & MTCINE
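An added illustration of the hypothesis above, not code from the thread or from MikroTik: a Python model of first-match chain evaluation, with a time matcher parsed from the first post's `time=8h-10h,...` syntax. With an established/related accept ahead of the time-based drop, only connections opened inside the window are affected; a flow that was already established before 08:00 keeps passing. `Rule`, `evaluate`, the half-open window and the implicit accept default are this example's own assumptions about RouterOS behaviour.

```python
from dataclasses import dataclass
from datetime import datetime, time

# Added example, not from the thread: a small model of RouterOS filter semantics.
# Rule/evaluate are this example's own names; the time-matcher grammar is reduced
# to what the first post's rule uses (whole-hour window plus a day list).
DAYS = {"mon": 0, "tue": 1, "wed": 2, "thu": 3, "fri": 4, "sat": 5, "sun": 6}

def parse_time_matcher(spec):
    """'8h-10h,mon,wed,fri' -> (time(8), time(10), {0, 2, 4})."""
    window, *days = spec.split(",")
    start, end = (time(int(part.rstrip("h"))) for part in window.split("-"))
    return start, end, {DAYS[d] for d in days}

def rule_active(spec, now):
    """Assumed half-open window: 08:00 on a listed day matches, 10:00 does not."""
    start, end, weekdays = parse_time_matcher(spec)
    return now.weekday() in weekdays and start <= now.time() < end

@dataclass
class Rule:
    action: str                   # "accept" or "drop"
    conn_state: frozenset = None  # connection-state match; None = any state
    dst_ports: frozenset = None   # dst-port match; None = any port
    time_spec: str = None         # time matcher; None = always active

def evaluate(chain, packet, now):
    """First matching rule wins, top to bottom; an unmatched packet is accepted."""
    for rule in chain:
        if rule.conn_state and packet["conn_state"] not in rule.conn_state:
            continue
        if rule.dst_ports and packet["dst_port"] not in rule.dst_ports:
            continue
        if rule.time_spec and not rule_active(rule.time_spec, now):
            continue
        return rule.action
    return "accept"

# Forward chain modelled on the thread: an established/related accept placed
# before the time-based SMTP drop from the first post.
FORWARD = [
    Rule("accept", conn_state=frozenset({"established", "related"})),
    Rule("drop", dst_ports=frozenset({25, 587, 465}), time_spec="8h-10h,mon,wed,fri"),
]

if __name__ == "__main__":
    monday_0820 = datetime(2019, 6, 10, 8, 20)  # constructed timestamp inside the window
    print(evaluate(FORWARD, {"conn_state": "new", "dst_port": 25}, monday_0820))          # drop
    print(evaluate(FORWARD, {"conn_state": "established", "dst_port": 25}, monday_0820))  # accept
```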
 
sindy
Forum Guru
Posts: 3810
Joined: Mon Dec 04, 2017 9:19 pm

Re: Time Based firewall rules

Sat Jun 08, 2019 9:24 pm

I suspect that you have a rule before this one that accepted established / related and packets did not reach your "time based" rule, by resetting all counters, it probably re initiated all rules which caused "new" connections to reach the time rule.
This would be a bug too. Resetting rule counters has normally nothing to do with removing connections.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
