Potential firewall bug


Post by schnappi » April 13th, 2018, 12:12 am

Have a firewall rule set for every day with the time constraint of 20:00 to 08:00. This rule never activates and the port is never opened.

Since started using IPFire have misunderstood how some things worked and mistaken things for bugs. With this in mind didn't jump to conclusions. Copied the rule and set it for another port/ program. Same thing. The rule never activated.

As soon as change the rule to 21:00 to 08:00 the firewall activates and it works fine. Turn it back to 20:00 to 08:00 and it stops working.

Could someone else create a test firewall rule using a daily time constraint of 20:00 to 08:00 and see if the rule activates to either rule out or confirm a bug?

Post by InTheLight » April 14th, 2018, 9:37 pm

I also have a rule with time constraints that appears to be non-functional; it's a simple rule to block RED access for a host group from 22:30 to 04:00. Haven't been able to figure out why it doesn't work, will try changing the time as you did and see if it works.

Post by BeBiMa » April 14th, 2018, 10:40 pm

I think there are two problems:
- time constraints which contain midnight. An extra option, --contiguous, is necessary in the iptables rule. This could be fixed by a little patch. I'll contribute this tomorrow to bugzilla.
- time constraints are functional for new connections only. The stateful firewall of IPFire accepts all traffic of existing connections. This may result in behaviour which makes those rules seem not to be active.

Post by Aurien » April 16th, 2018, 6:42 am

I've run into this same issue myself a while back. I was trying to create a firewall rule that from 23:00 to 05:30 dropped (not rejected) traffic from an IP on Green to the Red interface in general. The only way I got the rule to work was to set up two separate rules. One from 23:00 to 00:00 and another from 00:00 to 05:30. Probably should have created a bug report. :-[
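
The midnight-spanning windows discussed in this thread, as an added Python sketch that is not part of the original posts and is not IPFire code: it models how an iptables `-m time` rule with `--timestart`/`--timestop` and `--weekdays` decides a match, with and without `--contiguous`, following the description in the iptables-extensions man page. The function names, the naive-datetime assumption and the sample timestamps are constructed for illustration.

```python
from datetime import datetime, timedelta

DAYS = ["Mo", "Tu", "We", "Th", "Fr", "Sa", "Su"]  # datetime.weekday() order

def _secs(hhmm):
    h, m = map(int, hhmm.split(":"))
    return h * 3600 + m * 60

def time_match(now, start, stop, weekdays=None, contiguous=False):
    """Simplified model of one '-m time' rule. `now` is a naive datetime
    already in the timezone the rule is evaluated in (an assumption)."""
    t = now.hour * 3600 + now.minute * 60 + now.second
    t_start, t_stop = _secs(start), _secs(stop)
    day = now
    if t_start < t_stop:                      # ordinary same-day window
        if t < t_start or t > t_stop:
            return False
    else:                                     # window wraps past midnight
        if t_stop < t < t_start:
            return False
        if contiguous and t <= t_stop:
            # Early-morning part is attributed to the day the window started.
            day = now - timedelta(days=1)
    return weekdays is None or DAYS[day.weekday()] in weekdays

def compare(samples, start, stop, weekdays):
    """Return {label: (without_contiguous, with_contiguous)} per sample."""
    return {label: (time_match(ts, start, stop, weekdays, False),
                    time_match(ts, start, stop, weekdays, True))
            for label, ts in samples.items()}

# Constructed sample timestamps (16 April 2018 was a Monday).
SAMPLES = {
    "Mon 02:00": datetime(2018, 4, 16, 2, 0),
    "Mon 12:00": datetime(2018, 4, 16, 12, 0),
    "Mon 23:30": datetime(2018, 4, 16, 23, 30),
    "Tue 02:00": datetime(2018, 4, 17, 2, 0),
}

if __name__ == "__main__":
    # A Monday-only 23:00 to 05:30 window, checked in both modes.
    for label, result in compare(SAMPLES, "23:00", "05:30", {"Mo"}).items():
        print(label, "plain=%s contiguous=%s" % result)
```

In this model the two modes differ only when the rule is restricted to particular weekdays; the check that a rule actually fires should be made with a new connection, since established connections are accepted by the stateful rules.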
