Is there anyone using this feature at all?
My case: blocking internet access on a time schedule like this (MAC-based restriction):
config 'restriction_rule' 'rule_1'
	option 'is_ingress' '0'
	option 'description' 'Test'
	option 'local_addr' '00:13:02:56:XX:XX' <-- one MAC; only ..hosts option
	option 'active_weekdays' 'sun'
	option 'active_hours' '21:30-05:00'
	option 'enabled' '1'
Reload firewall after saving change; firewall restart (or reboot)
It doesn't work at all.
If the restriction is enabled, all computers are blocked from the internet. Do you have any idea how to resolve the problem? Is it a bug in the fw?
Bugs: Parental Control/ Firewall Restriction
Last edited by behappy on Mon Apr 04, 2011 8:04 pm, edited 3 times in total.
Re: Parental Control/ Firewall Restriction
I use this feature.
I have fixed ip_address ranges for each member of the family (groups of 10 for ease of remembering which range belongs to whom: plug for named ranges request). I have time restrictions set for my older child's ip_address range, and a different time restriction set for the two younger ones' ranges. I suspect you are right about a bug with this feature. My setup used to be just as described above, but since 1.3.10 I have had to add an exception rule for the other ranges I did not want to be time limited. I mentioned this here, but apart from pbix replying that he didn't think there had been any new changes, I didn't get any other feedback.
Your post reminded me that I need to check that the restrictions are working correctly, and not just restricting everything not explicitly allowed from the earliest restriction time through to the latest (i.e. that my older child retains access between the start of the younger ones' restriction and the onset of the second restriction). I will check tonight, and report back.
Also, when I went to check my setup, I discovered that the GUI shortcuts to the relevant scripts seem to have disappeared from the Firewall section where they used to live, but can still be accessed by manually specifying in the URL, after the ip address of the router. I have reported this on the main 1.3.13 thread here.
Ian
Buffalo WZR-HP-G300NH = Gargoyle 1.5.3
Linksys WRT54GL v1.2 = Gargoyle 1.3.13
SMC Barricade SMC2804WBRP-G = SMC firmware v2.08
Parental Control/ Firewall Restriction
Hopefully the development team checks out this thread, because this is one of my main reasons to shift over to gargoyle fw.
Which iptables chains must I check for those active rules? Perhaps it is just a flag or a missing package related to it. Thanks.
EDIT: I spent a couple of hours testing it thoroughly yesterday and the result was negative. But today the same test case works flawlessly without any hiccup.
Case closed. Superb firmware. Thanks Eric and the crew.
Firewall w. Parental Restriction
Chain egress_restrictions (1 references)
target prot opt source destination
egress_whitelist all -- 0.0.0.0/0 0.0.0.0/0
CONNMARK all -- 0.0.0.0/0 0.0.0.0/0 CONNMARK xset 0x8000000/0xff000000
CONNMARK all -- 0.0.0.0/0 0.0.0.0/0 MAC 00:13:02:56:XX:XX CONNMARK or 0x8000000
CONNMARK all -- 0.0.0.0/0 0.0.0.0/0 MAC 00:1E:52:A1:XX:XX CONNMARK or 0x8000000
CONNMARK all -- 0.0.0.0/0 0.0.0.0/0 timerange --hours 0-19800,77400-86400 --weekdays 1,1,1,1,1,1,0 CONNMARK or 0x40000000
REJECT all -- 0.0.0.0/0 0.0.0.0/0 connmark match 0x48000000/0xff000000 reject-with icmp-port-unreachable
CONNMARK all -- 0.0.0.0/0 0.0.0.0/0 CONNMARK and 0xffffff
EDIT2: Unfortunately I can reproduce the bug again
- Set the restriction rules and save. All ok
- Reboot the router. All ok
- Use the command fw restart or reload from the terminal: the restriction rules are inactive and the result is NO restriction.
I can confirm that when using fw reload or fw restart, the whole firewall chain of egress rules is deleted and never recreated. I believe the default fw restart script doesn't include the gargoyle_firewall_util.sh script as part of it.
So guys, as a temporary solution, just press the SAVE button (from the restriction menu) or reboot the router to get those rules back.
EDIT3: A restriction rule can only handle one specific MAC; adding multiple MAC addresses in the same rule reverts it to no restriction.
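A check for the failure reported in EDIT2 above, as an added example that is not part of the original posts or of Gargoyle's own scripts: it classifies the text of an `iptables -L egress_restrictions -n` listing as missing, inactive or active. The helper name `check_restrictions` and the sample listings are constructed for illustration; the chain name and rule format are taken from the listing quoted in the post.

```shell
#!/bin/sh
# Added example: classify a saved `iptables -L egress_restrictions -n` listing.
# check_restrictions is a hypothetical helper; the chain name and rule format
# are taken from the listing in the post.
# Prints "missing", "inactive" or "active:<number of REJECT rules>".
check_restrictions() {
    listing=$1
    # The chain header is absent once the chain has been flushed and deleted.
    if ! printf '%s\n' "$listing" | grep -q '^Chain egress_restrictions '; then
        echo "missing"
        return 2
    fi
    # A restriction only blocks traffic while a connmark-keyed REJECT rule remains.
    rejects=$(printf '%s\n' "$listing" |
        awk '$1 == "REJECT" && /connmark match/ { n++ } END { print n + 0 }')
    if [ "$rejects" -eq 0 ]; then
        echo "inactive"
        return 1
    fi
    echo "active:$rejects"
    return 0
}

# Constructed sample: the healthy listing quoted in the post (abridged).
SAMPLE_OK='Chain egress_restrictions (1 references)
target prot opt source destination
egress_whitelist all -- 0.0.0.0/0 0.0.0.0/0
CONNMARK all -- 0.0.0.0/0 0.0.0.0/0 MAC 00:13:02:56:XX:XX CONNMARK or 0x8000000
REJECT all -- 0.0.0.0/0 0.0.0.0/0 connmark match 0x48000000/0xff000000 reject-with icmp-port-unreachable'

# Constructed sample: the chain exists but holds no rules.
SAMPLE_EMPTY='Chain egress_restrictions (1 references)
target prot opt source destination'

# Constructed sample: iptables printed nothing because the chain is gone.
SAMPLE_GONE=''

for name in OK EMPTY GONE; do
    eval "text=\$SAMPLE_$name"
    state=$(check_restrictions "$text") || true
    echo "$name: $state"
done
# On the router: check_restrictions "$(iptables -L egress_restrictions -n 2>/dev/null)"
```

Run after every firewall restart or reload, a non-zero exit status signals that the rules need to be re-applied with the SAVE button or a reboot, as described in the post.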