Is there a way to do time-based rules in pf? Something like "this packet will /pass/ from 10h to 13h" or "this packet will /pass/ until 22h, 13 June". I mean, is there a built-in mechanism to do this in pf, or will I need to write a script in cron to add and remove rules? Tks in advance
On Mon, May 17, 2010 at 5:03 PM, Leonardo Carneiro - Veltrac
As nobody jumps in here to -kind of- state the obvious, I don't think there's such a thing already *built-in*. For the archive and newcomers, you can achieve this kind of thing, though, with anchors and some duct tape scripting.
Build an anchor, have a ruleset loaded to it by cron, and removed at the specified time later.
On Mon, May 17, 2010 at 7:03 AM, Leonardo Carneiro - Veltrac
there might be more than that; unless you don't mind long-running sessions continuing, you have to flush the states too.
Tks Stuart, Iqigo, Johan and Peter. I'll give a try at the tips you guys gave me.
There is no 'time based rules' feature in PF itself, but as others have mentioned already, if you need to add or remove entire rules, you can do that via anchors. For contexts where you want to add or remove hosts from the set that matches a particular rule, you could write rules that match on table membership and manipulate the tables. Depending on your specific needs, cron or at jobs with pfctl one-liners could go a long way.
- P
--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd: 220.127.116.11: disconnected after 42673 seconds.
As you already know, that feature doesn't exist. cron should help this time -if you have any faith at all in its granularity!-. You'd better write some kind of daemon to help updating those pf tables on the fly... May the code be with you.
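The anchor-plus-cron approach from the replies, with the state flush and the table variant, as an added sketch that is not part of the original thread. The anchor name `timed`, the rules file `/etc/pf.timed`, the table `timed_hosts`, the script path and the sample address are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: anchor "timed",
# rules file /etc/pf.timed, table <timed_hosts>, script path below.
#
# Main pf.conf, placed where the timed rules should be evaluated:
#     anchor "timed"
#     table <timed_hosts> persist
#     pass in from <timed_hosts>          # table variant
#
# root crontab for "pass from 10h to 13h" (192.0.2.10 is a sample host):
#     0 10 * * * /usr/local/sbin/pf-window open
#     0 13 * * * /usr/local/sbin/pf-window close 192.0.2.10

PFCTL=${PFCTL:-pfctl}            # PFCTL=echo gives a dry run
ANCHOR=${ANCHOR:-timed}
RULES=${RULES:-/etc/pf.timed}
TABLE=${TABLE:-timed_hosts}

# Kill existing states for each host; without this, sessions that were
# established while the window was open keep passing after it closes.
kill_states() {
    for host in "$@"; do
        $PFCTL -k "$host" || return 1
    done
}

# Window opens: load the time-limited rules into the anchor.
open_window() {
    $PFCTL -a "$ANCHOR" -f "$RULES"
}

# Window closes: empty the anchor, then drop states for the given hosts.
close_window() {
    $PFCTL -a "$ANCHOR" -F rules || return 1
    kill_states "$@"
}

# Table variant: a permanent rule matches <timed_hosts>; only membership changes.
table_add() { $PFCTL -t "$TABLE" -T add "$@"; }
table_del() { $PFCTL -t "$TABLE" -T delete "$@" && kill_states "$@"; }

case "${1:-}" in
    open)  open_window ;;
    close) shift; close_window "$@" ;;
    add)   shift; table_add "$@" ;;
    del)   shift; table_del "$@" ;;
esac
```
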