A few observations.
1. Like all filters rules order is important. So this time based filter should occur prior to any other filter that would match the same IP addresses. 2. If you have a general filter rule at the end of your outbound set that allows all access then when the time based filter is inactive the general rule will be hit. 3. Typically you need to add a filter right after this time based accept filter that is a deny filter. So that when the accept filter is inactive the deny filter will be matched. So. Accept PRO ALL Timebased Src: 192.168.148.12/32 Dst: 0.0.0.0.0/0 Deny PRO ALL Src: 192.168.12/32 Dst: 0.0.0.0/0 This does work because I limit my kids this way at my home. Paul >I am trying to understand and get my outbound filters to work with time >groups. >As a start I have tried to limit the time that my youngest daughter can >be on the internet. I am using GnatBox light 3.2.2 and set up a time >group called JESS TIME >and have set the times from 07:00 to 21:00 everyday. I have set up an >Address >Objects called JESS_IP and set the IP for her laptop as 192.168.148.18 >and >the IP for her PC as 192.168.148.23. I have set up an Outbound Filter >to: >Interface PRO, Protocol ALL, Type Accept, Time based JESS TIME, Priority > >5 - Notice, Action Log Default, Source JESS_IP, Destination ANY_IP. I >have >logged onto my GnatBox via the GBadmin at 9:30 pm and checked the >reports etc. >and found that one of her IP's is connected to outside IP's. I have gone >to her >room and confirmed that she is "surfing". If I look in the Active >Filters list I see that >her filter shows up with a red star beside marked as an inactive time >based filter. >I would have thought that it should be active and not letting her "out" >when it is past >9:00 pm. I am wondering if I have misconfigured something and it is >letting her >on past her time. Her IP shows up in the Active ARP Table and the Active > >Connections etc. I assume that Outbound Filters are "looked" at in the >order >that they are in the list. Should her filter be at the top of the list, >or does it really >matter when I have other time based filters in the outbound, but they >have specific >IP's for them and none of them are her IP's? > >-- >Randy Bell > >mailto:[EMAIL PROTECTED] > > > >--------------------------------------------------------------------- >To unsubscribe, e-mail: [EMAIL PROTECTED] >To subscribe to the digest version first unsubscribe, then > e-mail: [EMAIL PROTECTED] >For additional commands, e-mail: [EMAIL PROTECTED] -- -------------------------------------------------------------------- Paul Emerson Tel: +1.407.380.0220 x1106 Global Technology Associates, Inc. Fax: +1.407.380.6080 3505 Lake Lynda Drive Mobile: +1.407.310.8563 Suite 109 Email: [EMAIL PROTECTED] Orlando, Florida 32817 USA Web: http://www.gta.com Mobile Email: [EMAIL PROTECTED] --------------------------------------------------------------------- --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] To subscribe to the digest version first unsubscribe, then e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
