Bug #9615
closed
Connections permitted by a schedule are not killed when that schedule expires.
0%
Description
On the /system_advanced_misc.php page, under Schedule States it states that "By default, when a schedule expires, connections permitted by that schedule are killed. This option overrides that behavior by not clearing states for existing connections." This is definitely NOT HAPPENING, and it has not been happening for quite some time judging from the research I've done.
I have an alias for each of my kids. I have all of their respective devices covered by each of their respective aliases. I have a reject everything rule for each of their respective aliases, and I have a pass rule for each of their respective aliases above each of their respective reject rules. Each of their pass rules is associated with a schedule with more than one block of time defined. I can assure you that the aforementioned default behavior, whereby connections permitted by a schedule are killed when a schedule expires IS NOT HAPPENING. Pre-established connections are not interrupted, such as iMessages, Facetime, and other connections that I have yet to determine. The iOS devices are definitely able to continue to reach out to the internet when their are supposed to be blocked.
Files
| Screen Shot 2019-07-08 at 08.51.27.png (173 KB) Screen Shot 2019-07-08 at 08.51.27.png | Screenshot of Rules | ||
| NAT Rules-Redacted.txt (6.09 KB) NAT Rules-Redacted.txt | NAT rules (verbose) | ||
| FW-Rules-Redacted.txt (27.8 KB) FW-Rules-Redacted.txt | Firewall rules (verbose) | ||
| UDP States - Before and After-Redacted.txt (1.79 KB) UDP States - Before and After-Redacted.txt | UDP states before and after for example host |
Updated by Victor Rodriguez over 5 years ago
UPDATE: The wifi router is behind the pfSense firewall. All devices on the network (including the wifi router) get their IP addresses and DNS from the pfSense firewall and not from the wifi router.
Updated by Benjamin Lee over 4 years ago
- File FW-Rules-Redacted.txt FW-Rules-Redacted.txt added
- File NAT Rules-Redacted.txt NAT Rules-Redacted.txt added
- File UDP States - Before and After-Redacted.txt UDP States - Before and After-Redacted.txt added
To whom it may concern,
I have also encountered this bug as documented in this NetGate forum thread:
"https://forum.netgate.com/topic/152824/sg-5100-udp-states-still-alive-after-schedule-expires-2-4-5-release-amd64"
The information I present on that thread shows that LAN side states spawned under the user created pass by schedule rule ARE terminated when the schedule ends, but the matching state on the WAN side (outbound to the internet) does not.
Then the firewall itself creates a matching state into the LAN from the WAN side so that traffic continues to flow both directions for that set of states.
This is not expected and in my opinion very bad behavior. If the matching state on the WAN side is manually deleted (or deleted via a cron task), then as expected the traffic ceases for that LAN state.
Attached are a series of files that should show the issue.
The UDP states show clearly that the WAN side state was spawned by a rule outside the pass by schedule user rule and survives the expiration. What is unexpected is the spawning of a new state from the WAN to the LAN by a Firewall rule.
In my opinion, when the schedule expires, the states spawned by the rule and their counterpart on the WAN interface should be killed.
Please contact me if you need further information.
Phizix
Updated by Jim Pingle over 4 years ago
- Status changed from New to Duplicate
- Priority changed from High to Normal
Duplicate of #8820