On Fri, 7 Apr 2017 17:39:16 +0000 (UTC) Stuart Henderson <s...@spacehopper.org> wrote:
> On 2017-04-06, <bytevolc...@safe-mail.net> <bytevolc...@safe-mail.net> wrote:
> > On Wed, 5 Apr 2017 22:44:54 +0000 (UTC)
> > Stuart Henderson <s...@spacehopper.org> wrote:
> >
> >> On 2017-04-05, <bytevolc...@safe-mail.net> <bytevolc...@safe-mail.net> wrote:
> >> > I've been using a trick to emulate scheduled rules using IP
> >> > tables.
> >>
> >> Nice trick. Anchors are also good for this.
> >>
> >> But don't forget that active connections won't be dropped unless
> >> you also flush the relevant states.
> >>
> >
> > Anchors do not work with securelevel=2. This trick works in
> > securelevel=2.
>
> Oh, people actually use that? :)

Oh I reckon someone out there runs tetris(6) on their firewall. I use it
when I am confident the ruleset is stable. Of course, I have to restart
the gateway every time I change the rules.

> > As for active connections, the goal here is to prevent new
> > connections being made after closing time. I don't want my
> > connection to close just because it is a few seconds after closing
> > time, especially when I already got in before the ports were
> > closed. It may be worth closing long-standing connections
> > eventually though.
> >
> > Maybe something like this:
> >
> > 0 18 * * * root /sbin/pfctl -F states
> >
>
> If it's given as an example for something, it's definitely important
> to point out about active connections. -F states will kill the
> "wanted" states too, I use pfctl -k to knock out just the relevant
> hosts.
>

I was wondering about that. I missed -k while scrolling through the man
page.

Labeling the rules may also be helpful:

# Schedule Table
table <schedule_ip> persist

# $web_server is a macro defined earlier in pf.conf
# Scheduled access to HTTP
pass in on egress proto tcp from <schedule_ip> to any port http rdr-to $web_server keep state label sched_ip

# Scheduled access to SSH
pass in on egress proto tcp from <schedule_ip> to any port ssh keep state label sched_ip

System crontab:

0 18 * * * root /sbin/pfctl -k label -k sched_ip
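The access window the thread sketches (a persistent table that the labelled rules match on, filled and emptied from cron, plus pfctl -k to drop only the states those rules created) put together as one small script. This is an added example, not code from the thread or from the OpenBSD project; the table name schedule_ip and the label sched_ip are the thread's, while the client list file /etc/pf.schedule, the install path /usr/local/sbin/pf_schedule and the PFCTL override for dry runs are assumptions made here.

```shell
#!/bin/sh
# Added example (not from the thread): open/close a scheduled pf access window.
#
# open  : load the client addresses into <schedule_ip> so the labelled rules match
# close : empty the table (no new connections) and kill only the states that
#         rules labelled sched_ip created, leaving every other state alone
#
# Assumptions: clients are listed one per line in /etc/pf.schedule, the script
# is installed as /usr/local/sbin/pf_schedule, and PFCTL may be overridden
# (e.g. PFCTL=echo) to see the commands without touching the firewall.

PFCTL="${PFCTL:-/sbin/pfctl}"
TABLE="${TABLE:-schedule_ip}"
LABEL="${LABEL:-sched_ip}"
CLIENTS_FILE="${CLIENTS_FILE:-/etc/pf.schedule}"
SCRIPT="${SCRIPT:-/usr/local/sbin/pf_schedule}"

# -T replace sets the table to exactly the file contents, so a client removed
# from the file also drops out of the table at the next opening.
sched_open() {
    "$PFCTL" -t "$TABLE" -T replace -f "$CLIENTS_FILE"
}

# Emptying the table only stops new connections; the second command removes
# the established states that belong to the labelled rules (this is the
# pfctl -k label form from the thread, instead of the blanket -F states).
sched_close() {
    "$PFCTL" -t "$TABLE" -T flush
    "$PFCTL" -k label -k "$LABEL"
}

# Print the two system-crontab lines for an opening and a closing hour.
# Returns 1 (prints nothing) unless both hours are integers in 0..23.
sched_crontab() {
    for h in "$1" "$2"; do
        case "$h" in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$h" -le 23 ] || return 1
    done
    printf '0 %s * * * root %s open\n'  "$1" "$SCRIPT"
    printf '0 %s * * * root %s close\n' "$2" "$SCRIPT"
}

case "${1:-}" in
    open)     sched_open ;;
    close)    sched_close ;;
    crontab)  sched_crontab "${2:-}" "${3:-}" ;;
    "")       ;;   # sourced or run without an argument: only define functions
    *)        echo "usage: $0 open|close|crontab OPEN_HOUR CLOSE_HOUR" >&2; exit 2 ;;
esac
```

Running `PFCTL=echo sh pf_schedule close` shows the two pfctl invocations without changing anything, which is a convenient way to check table and label names against pf.conf before installing the crontab lines that `pf_schedule crontab 8 18` prints. Because only table contents and states are touched, the rules loaded at boot stay unchanged, which is the property the thread relies on.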