Firewall don't deactivates roles

capote · March 12, 2021, 11:44am

Hello, today I was fighting with the firewall because I want to “help” my son to focus more on real life (and especially on sleeping at night) during homeschooling instead of only being on the internet. Believe me, it was the last escalation stage, because pedagogical methods did not work.

Procedure to reproduce:

Create a Host Group “blocked devices”
add devices
create a time condition: evening
create a rule:
Source: Host group “blocked devices”
Destination: RED
Service: any
Acton: Drop
Time condition: evening
The role works correctly but don’t stop blocking at the defined end
deactivation of the role don’t stop blocking
deleting the rule, the host group and the time condition don’t stop blocking

Only restore the hole server to a backup configuration unblocks the affected hosts.

I can’t explain this firewall misbehavior any other way than with a bug.
Sincerely, Marko

mrmarkuz · March 12, 2021, 3:02pm

Maybe the end time needs to be after the start time and in your case it may be like from 22:00 to 8:00.

capote · March 12, 2021, 3:54pm

I’ve defined from 20:30 to 23:59

But the big problem was that the clients were still blocked after disabling + deleting all rules

mrmarkuz · March 12, 2021, 3:57pm

Did you try to restart services or reboot the server?

capote · March 12, 2021, 3:58pm

of course

filippo_carletti · March 12, 2021, 4:10pm

Time-based rules have been thoroughly tested, but you may have found a bug.
Please look for the rule in /etc/shorewall/rules to see its definition.
And provide the output of shorewall dump.

capote · March 12, 2021, 4:26pm

I rather doubt that I of all people should have found a bug in such an often used module. but I had no other explanation.

Unfortunately I had to provide quite ad-hoc again a functioning system, So that the distance teaching is not hindered. With the import of the backup, however, all traces are unfortunately obliterated.