Time based firewall rules in LUCI interface

I tried several times to set up time based rules. Typical usage is to deny internet access to kid’s mobile after 8pm.
But I’m not successful.

This is an example of configuration:

The rule works, but only without time information. It blocks device access LAN → WAN.
But when I enter any time data (or check days, etc.), it simply doesn’t work and the device has internet access.

The rule is not in IP table. It looks like the system ignores the time and the rule is inactive all the time.

Where can the problem be?

Hi,

Based on your screenshot, the problem could be that you have not selected any day information for your time information. I would expect you need to select e.g. all working days: Monday, Tuesday, Wednesday, Thursday, Friday. Or select at least one day of the month.

Thanks for the reply. It gave me inspiration for experiments and I finally found a solution.

I have modified my rule in this way:

This creates the following section in IPTABLES:

Chain zone_lan_forward (1 references)
target     prot opt source               destination
forwarding_lan_rule  all  --  anywhere             anywhere             /* !fw3: user chain for forwarding */
zone_wan_dest_REJECT  tcp  --  anywhere             anywhere             MAC 9C:5C:F9:C7:4C:CD TIME from 09:50:00 to 09:55:00 starting from 2015-01-01 00:00:00 until date 2020-01-01 00:00:00 /* !fw3: test time rule */
zone_wan_dest_REJECT  udp  --  anywhere             anywhere             MAC 9C:5C:F9:C7:4C:CD TIME from 09:50:00 to 09:55:00 starting from 2015-01-01 00:00:00 until date 2020-01-01 00:00:00 /* !fw3: test time rule */
zone_wan_dest_accept  all  --  anywhere             anywhere             /* !fw3: forwarding lan -> wan */
accept     all  --  anywhere             anywhere             ctstate DNAT /* !fw3: Accept port forwards */
zone_lan_dest_accept  all  --  anywhere             anywhere             /* !fw3 */

I did some more experiments and my results are as follows:

  1. You have to specify not only start/end time but start/end date as well
  2. Days in checkboxes seem to be ignored. They don’t appear in firewall rule in any way
  3. The time is always in UTC. And it was my problem. I’m from GMT+1 zone. Date in my router is in GMT+1. But firewall appears to use UTC time. During my testing it looks like the rule doesn’t work.

The result is: When I set time rules in UTC time, it works.

I have been using this /etc/config/firewall rule for such cases for a few years on Turris 1.0:

config rule
	option name 'Tablet block at evening'
	option src 'lan'
	option dst 'wan'
	option src_mac 'c4:0b:cb:ae:3e:e3'
	option extra '-m time --weekdays Mon,Tue,Wed,Thu,Sun --timestart 21:00 --timestop 07:00 --kerneltz'
	option target 'REJECT'


The point is the “--kerneltz” param.
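
For setups that leave the time match in UTC instead of passing --kerneltz, the local-to-UTC conversion described in the thread can be scripted. The following is an added example, not code from any poster in this thread; the function names to_utc and utc_extra are hypothetical, and it assumes a fixed offset given in minutes east of UTC (GMT+1 = 60) with no DST handling.

```shell
#!/bin/sh
# Added example: convert a local-time window to the UTC clock values the
# time match compares against when --kerneltz is not used.
# Assumption: OFFSET is a fixed number of minutes east of UTC; DST is ignored.

# to_utc HH:MM OFFSET -> "HH:MM SHIFT"
# SHIFT is -1, 0 or 1: how many days the UTC time lies from the local date.
to_utc() {
    case "$1" in
        [01][0-9]:[0-5][0-9]|2[0-3]:[0-5][0-9]) ;;
        *) echo "bad time: $1" >&2; return 1 ;;
    esac
    h=${1%%:*}; m=${1##*:}
    h=${h#0}; m=${m#0}            # drop one leading zero so 08/09 are not read as octal
    t=$(( h * 60 + m - $2 ))      # minutes since local midnight, moved to UTC
    shift_days=0
    if [ "$t" -lt 0 ]; then t=$(( t + 1440 )); shift_days=-1
    elif [ "$t" -ge 1440 ]; then t=$(( t - 1440 )); shift_days=1
    fi
    printf '%02d:%02d %s\n' $(( t / 60 )) $(( t % 60 )) "$shift_days"
}

# utc_extra START STOP OFFSET -> value for the rule's "option extra"
utc_extra() {
    s=$(to_utc "$1" "$3") || return 1
    e=$(to_utc "$2" "$3") || return 1
    echo "-m time --timestart ${s% *} --timestop ${e% *}"
    # A non-zero shift on the start time means a --weekdays list must move too.
    [ "${s#* }" = 0 ] || echo "note: start moves ${s#* } day(s) in UTC; adjust --weekdays" >&2
}

# Constructed input: the 21:00-07:00 evening block from the thread, router in GMT+1.
utc_extra 21:00 07:00 60
```

The day-shift note matters for windows near midnight: a block that starts at 00:30 local time in GMT+1 starts at 23:30 UTC on the previous weekday.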
