
Time based access restrictions not working

Discussion in 'Sveasoft Firmware' started by mikebo, Oct 11, 2004.

  1. mikebo

    mikebo Network Guru Member

    Hi - I'm a new user of the latest public release, Satori-4.0 v2.07.1.7sv, and I'm trying to make time-based access restrictions work.

    I define one IP address (my kids computer) and save, then used these settings:
    Status: Enable
    Allow internet access during selected days and hours.
    Days: Sun & Sat
    Times: from 1pm to 11pm

    Everything else is default:
    Blocked Services: None
    Website blocking by URL address: blank
    Website blocking by keyword: blank

    This is set up similar to my old SonicWall, but the times come and go with no restrictions. Kids computer can access the internet at all times. Similar experiments with other machines yield the same results - I am unable to make time-based access work.

    Is this a known problem or am I missing anything obvious? (like setting a default block on the IP address)

    I'm not a SVEAsoft subscriber, yet... evaluating this free release first before investing my $20. Any help with access restrictions would be appreciated.
    Thanks!
    - Mike
     
  2. Toxic

    Toxic Administrator Staff Member

    Try creating a policy for times allowed, then as the last policy create a deny 24/7 every day.

    See if that works. I think the initial policies override the last one unless timings in first 2 policies are not used.


    policy 1
    Saturday allow 1pm-11pm define IP.


    policy 2
    Sunday allow 1pm-11pm define IP.


    policy 3

    Everyday deny 24hrs define ip.

    let me know if this works.
     
  3. mikebo

    mikebo Network Guru Member

    Simon -
    Thanks for the prompt reply. When I add a 24/7 deny as suggested, the machine is blocked at all times. I didn't try making separate allow rules for each day - I'll try but I suspect this won't make a difference.
    - Mike
     
  4. Toril

    Toril Network Guru Member

    What he's trying to say is that the order of the rules is important. I used to have an old Netgear router that worked great to enforce my stepson's internet times (Sun - Thurs, 5am - 11pm) but once I found out about the WRT54G running Linux, I tossed it. So, on weekdays he's allowed to be on until 11pm and weekends are 24/7.

    My rules are as follows, and they work perfect:

    1) School Nights Allow - Mon-Thurs, 5am - 11pm his IP and mac address.
    2) Weekends Allow - Fri & Sat, 24 hours, his IP and mac address
    3) Sundays Allow - 12am - 11pm, his IP and mac address
    4) Default Deny - 24 hours Deny, his IP and mac address

    Originally I had 3 rules, where I counted Sunday as a weekday ... only problem was ... at midnight on Saturday night, it was Sunday instantly, so the internet would go off until 5 am ... so I needed a new rule to redefine Sunday.

    Take a day and time and see which rule matches... Tuesday at 4am? Matches rule #4, no access. Sunday 2pm? Matches rule #3. Also, my firmware is a slightly modified Satori 4, but the access restrictions work just fine.
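
The rule check walked through in the post above, as an added example that is not part of the original thread or the firmware's code: it models both the four-rule list and the earlier three-rule attempt, and lists every window in which the client ends up denied. It assumes first-match-wins ordering, hour-aligned half-open windows, and "no match means deny"; all function and variable names are hypothetical.

```python
DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]

def rule(name, action, days, start_hour, end_hour):
    """One policy, active on `days` during the half-open window [start_hour, end_hour)."""
    return {"name": name, "action": action, "days": set(days),
            "start": start_hour * 60, "end": end_hour * 60}

# Constructed model of the four rules in the post (single client, so IP/MAC is omitted).
FOUR_RULES = [
    rule("School Nights Allow", "allow", ["Mon", "Tue", "Wed", "Thu"], 5, 23),
    rule("Weekends Allow", "allow", ["Fri", "Sat"], 0, 24),
    rule("Sundays Allow", "allow", ["Sun"], 0, 23),
    rule("Default Deny", "deny", DAYS, 0, 24),
]

# The earlier three-rule attempt, with Sunday counted as a school night.
THREE_RULES = [
    rule("School Nights Allow", "allow", ["Sun", "Mon", "Tue", "Wed", "Thu"], 5, 23),
    rule("Weekends Allow", "allow", ["Fri", "Sat"], 0, 24),
    rule("Default Deny", "deny", DAYS, 0, 24),
]

def evaluate(rules, day, hour, minute=0):
    """First match wins: return (rule number, action); no match is treated as deny."""
    now = hour * 60 + minute
    for number, r in enumerate(rules, start=1):
        if day in r["days"] and r["start"] <= now < r["end"]:
            return number, r["action"]
    return None, "deny"  # assumption: unmatched traffic gets no access

def denied_windows(rules):
    """Merge consecutive denied hours into (day, start_hour, end_hour) spans."""
    spans = []
    for day in DAYS:
        start = None
        for hour in range(25):  # hour 24 is a sentinel that closes an open span
            denied = hour < 24 and evaluate(rules, day, hour)[1] == "deny"
            if denied and start is None:
                start = hour
            elif not denied and start is not None:
                spans.append((day, start, hour))
                start = None
    return spans

if __name__ == "__main__":
    print("Tue 04:00 ->", evaluate(FOUR_RULES, "Tue", 4))
    print("Sun 14:00 ->", evaluate(FOUR_RULES, "Sun", 14))
    print("Sun 02:00, three rules ->", evaluate(THREE_RULES, "Sun", 2))
    print("Denied windows, four rules:", denied_windows(FOUR_RULES))
```

Running `denied_windows` on a rule list before saving it in the GUI shows gaps such as the Sunday 12am - 5am lockout without waiting for the clock to reach them.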
     
  5. Toxic

    Toxic Administrator Staff Member

    well if you didn't make allow timings it will block 24/7 ;)

    make sure the allow timings are BEFORE the deny timing as stated.
     
  6. mikebo

    mikebo Network Guru Member

    Simon, you're saying that I must have alternating rules specifically allowing, then dis-allowing, then reallowing access? I'm thinking that I should be able to define an explicit deny (at the end) and ensure allow exceptions are evaluated first per Toril's example. (I understand order of evaluation rules and used to administer SonicWalls, Firewall-1 and Cisco extended access lists - but IPtables syntax is new to me).

    I did define the allow rules (1 and 2) before the "default" 24/7 deny rule (3) exactly per Toril's example. But my deny rule seemed to take precedence over the allow rules, regardless of its position at the end. I SSHed into the box and looked at the iptables, but I don't understand them enough yet to start mucking about outside the web front-end. It looks like the time-based rules are defined in some special place (advgroup_1, advgroup_2, etc.) as I don't see the specific times I've defined when I do "iptables --list".

    Next stop, a good tutorial on iptables, but I'd really prefer to be able to do what I want from the web GUI. :?
    Regards,
    - Mike
     
  7. mikebo

    mikebo Network Guru Member

    OK... it's all working now. Perhaps it just needed some time to ferment. ;)

    The time based rules work better than on my SonicWall, which allows established connections to continue - stopping only new connections. Now, when time's up, all the established connections for the specified IP address are reset - effectively turning off the kids Internet access right on time.

    Thanks for the advice!
    Regards,
    - Mike
     
