time based rules on pf

From: Leonardo Carneiro - Veltrac
Date: Monday, May 17, 2010 - 7:03 am

Is there a way to do time-based rules on pf? Something like "this packet 
will /pass/ from 10h to 13h" or "this packet will /pass/ until 22h, 13 
June". I mean, is there a built-in mechanism to do this in pf, or will I 
need to write a script in cron to add and remove rules?

Tks in advance
-- 

From: Iñigo Ortiz de Urbina
Date: Monday, May 17, 2010 - 7:26 am

As nobody jumps in here to -kind of- state the obvious, I don't think there's
such a thing already *built-in*.

For the archive and newcomers, you achieve this kind of thing, though, with
anchors and some duct tape scripting.

From: Johan Beisser
Date: Monday, May 17, 2010 - 8:15 am

Build an anchor, have a ruleset loaded to it by cron, and removed at
the specified time later.

From: Stuart Henderson
Date: Monday, May 17, 2010 - 10:20 am

there might be more than that; unless you don't mind long-running
sessions continuing, you have to flush the states too.

From: Leonardo Carneiro - Veltrac
Date: Monday, May 17, 2010 - 12:01 pm

Tks Stuart, Iñigo, Johan and Peter. I'll give a try at the tips you guys 
gave me.

From: Peter N. M. Hansteen
Date: Monday, May 17, 2010 - 8:58 am

There is no 'time based rules' feature in PF itself, but as others
have mentioned already, if you need to add or remove entire rules, you
can do that via anchors.  For contexts where you want to add or remove
hosts from the set that matches a particular rule, you could write
rules that match on table membership and manipulate the tables.
Depending on your specific needs, cron or at jobs with pfctl
one-liners could go a long way.

- P
-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.

From: Daniel Gracia Garallar
Date: Monday, May 17, 2010 - 7:17 am

As you already know, that feature doesn't exist. cron should help this 
time -if you have any faith at all in its granularity!-.

You'd better write some kind of daemon to help updating those pf tables 
on the fly...

May the code be with you.
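
The approach the replies describe (an anchor filled and emptied by cron, with states killed when the window closes), as an added example that is not part of the original thread. The anchor name `timed`, the rules file `/etc/pf.timed`, the script path and the documentation address `192.0.2.10` are assumptions chosen for illustration.

```shell
#!/bin/sh
# timed-anchor.sh open|close  (added example; all names are hypothetical)
#
# pf.conf needs the anchor evaluation point once:
#     anchor "timed"
# root crontab for "pass from 10h to 13h":
#     0 10 * * * PFCTL=/sbin/pfctl /usr/local/sbin/timed-anchor.sh open
#     0 13 * * * PFCTL=/sbin/pfctl /usr/local/sbin/timed-anchor.sh close

ANCHOR=${ANCHOR:-timed}          # anchor named in pf.conf
RULES=${RULES:-/etc/pf.timed}    # file holding the time-limited pass rules
DST=${DST:-192.0.2.10}           # host those rules expose
PFCTL=${PFCTL:-echo pfctl}       # dry run by default: prints the commands

timed_anchor() {
    case "$1" in
    open)
        # Load the rules into the anchor only; the main ruleset is untouched.
        $PFCTL -a "$ANCHOR" -f "$RULES"
        ;;
    close)
        # Empty the anchor, then kill states towards the host. Without the
        # second step, connections opened inside the window keep flowing,
        # because pf matches existing states before it evaluates rules.
        # Note: this kills every state to DST, not only the anchor's.
        $PFCTL -a "$ANCHOR" -F rules &&
        $PFCTL -k 0.0.0.0/0 -k "$DST"
        ;;
    *)
        echo "usage: timed-anchor.sh open|close" >&2
        return 64
        ;;
    esac
}

# Dispatch only when called with an argument (as cron does).
[ $# -eq 0 ] || timed_anchor "$1"
```

Run it without `PFCTL` set to review the exact `pfctl` commands before letting cron apply them.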
