On Fri, Jan 28, 2005 at 02:29:36PM +0530, Siju George wrote:

> I would like to know if there is any plan among PF developers to add
> the feature to filter traffic based on time.

I don't think so. There's an endless number of criteria outside of
packet contents that someone finds useful to filter on in some case,
like CPU load, memory usage, disk usage, geographic location delivered
by a GPS receiver, existence of some process, etc.

Instead of cluttering the syntax with more and more (obscure) keywords,
the better approach seems to be to explain how to do this in a generic way,
see below.

> I mean a way by which I can pass traffic during a particular time
> period by a rule like
> 
> pass in on $ext_if proto tcp from any to $comp3 port 80 \
>     time 05:00 >< 06:00 \
>    flags S/SA synproxy state
> 
> May I also know from all who read this how this type of filtering is
> implemented with OpenBSD presently?

You can add an anchor to your main ruleset. Put all rules that are not
dependent on time in the main ruleset, and call the anchor from there,
like:

  pf.conf

    ext_if="fxp0"
    block all
    pass quick on lo0
    pass in on $ext_if proto tcp to port ssh keep state
    ...
    anchor "time"

Put the rules that should only be active from 05:00 to 06:00 into a
separate file, like

  pf.conf.05to06

    ext_if="fxp0"
    pass in on $ext_if proto tcp to any port 80 keep state

Add two cron(8) jobs:

  every day at 05:00, pfctl -a time -f /etc/pf.conf.05to06
  every day at 06:00, pfctl -a time -Fr

That's it. If you have many different rules for different time ranges,
you could write a shell script that provides the list of rules to use
at the current time, then from cron

  every hour: script | pfctl -a time -f -

The main ruleset is not affected by this, you can edit and reload
pf.conf at any time without destroying the current contents of the
anchor.

Daniel
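The "script | pfctl -a time -f -" variant Daniel sketches, as an added example that is not part of the original mail: a small POSIX sh script that works out which rule files cover the current hour and feeds them into the "time" anchor, flushing the anchor when none match. The directory /etc/pf.time.d, the HHtoHH file-naming scheme, the script path in the crontab comment and the two sample rule files are all assumptions; the pfctl invocations are the ones from the mail.

```shell
#!/bin/sh
# Added example (not Daniel's code): load the rule files that cover the
# current hour into the "time" anchor. Layout and paths are assumptions:
#   /etc/pf.time.d/05to06   rules active 05:00-05:59
#   /etc/pf.time.d/22to02   rules active 22:00-01:59 (wraps past midnight)
# Each file is a complete ruleset for the anchor, so it defines its own
# macros (ext_if=...) just like pf.conf.05to06 in the mail.
#
# The two fixed cron jobs from the mail, in crontab(5) syntax:
#   0 5 * * * pfctl -a time -f /etc/pf.conf.05to06
#   0 6 * * * pfctl -a time -Fr
# The hourly job for this script (hypothetical install path):
#   0 * * * * /usr/local/sbin/pf-time-anchor.sh apply

RULEDIR="${RULEDIR:-/etc/pf.time.d}"

# hour_in_range HOUR START END: succeed if HOUR lies in [START, END),
# wrapping past midnight when START > END. Leading zeros are stripped so
# "08" and "09" are not taken for invalid octal numbers.
hour_in_range() {
    h=${1#0}; s=${2#0}; e=${3#0}
    h=${h:-0}; s=${s:-0}; e=${e:-0}
    if [ "$s" -lt "$e" ]; then
        [ "$h" -ge "$s" ] && [ "$h" -lt "$e" ]
    elif [ "$s" -gt "$e" ]; then
        [ "$h" -ge "$s" ] || [ "$h" -lt "$e" ]
    else
        return 1    # START == END: empty range, never active
    fi
}

# files_for_hour HOUR NAME...: print each NAME of the form HHtoHH whose
# range covers HOUR, one per line, in the order given. Other names
# (README, editor backups, ...) are ignored.
files_for_hour() {
    hour=$1; shift
    for name in "$@"; do
        case $name in
            [0-9][0-9]to[0-9][0-9]) ;;
            *) continue ;;
        esac
        if hour_in_range "$hour" "${name%to*}" "${name#*to}"; then
            printf '%s\n' "$name"
        fi
    done
}

# ruleset_for_hour HOUR: concatenate the matching rule files in RULEDIR
# to stdout. Empty output means the anchor should be flushed.
ruleset_for_hour() {
    names=""
    for path in "$RULEDIR"/*; do
        [ -f "$path" ] && names="$names ${path##*/}"
    done
    for f in $(files_for_hour "$1" $names); do
        cat "$RULEDIR/$f"
    done
}

# "apply" is the mode cron runs; the main ruleset in pf.conf is untouched.
if [ "${1:-}" = "apply" ]; then
    rules=$(ruleset_for_hour "$(date +%H)")
    if [ -n "$rules" ]; then
        printf '%s\n' "$rules" | pfctl -a time -f -
    else
        pfctl -a time -Fr
    fi
fi
```

Because every load replaces the whole contents of the anchor, a rule that should stop at 06:00 disappears on the next hourly run without any explicit flush, and a host that was down at 05:00 still picks up the right rules on the next run; a file whose range is empty (e.g. 05to05) is never loaded.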
