Closing current connections based on IP address?

I want to limit the times that a client computer can access the red network. I did this by setting a firewall rule based on IP address to block access to the red network and setting the days and times of day. It works.

While reading up on this, I saw that connections that are open at the time the firewall rule becomes effective each day still allow traffic to flow. Net new connections are not allowed, of course.

Is there a way to close all connections at a specified time (to coincide with when the firewall rule kicks in) for a given client? This would result in a hard stop to red access for everything on the given client, which is what I am ultimately after.

The only thing I would know to do is a scheduled reboot after the rule to stop traffic is enabled:
Block traffic at 9
Reboot at 9:05

Can’t reboot the firewall. I have thought of forcing a logout of the client.

An option might be to run the following command from an fcron job

/etc/rc.d/init.d/firewall restart

Just set the fcron command to run a minute or two after the firewall rule change.

I think that restarting the firewall should start all connections from fresh but I am not 100% sure. You would need to test it out and see.

If it does work then you would want to define a new user that would own a separate fcrontab so that the addition is not removed in a Core Update that contains a change to fcrontab.

The following documentation page gives details on doing that.
https://www.ipfire.org/docs/pkgs/fcron

2 Likes

From my experience on another distro, established connections survived a firewall restart. I had to use the conntrack command to flush existing connections.

2 Likes

Nick - I saw the conntrack --help and I see the -F to flush the table…

Can you add the arguments you used for [table]?

[root@ipfireAPU2 ~]# conntrack --help
Command line interface for the connection tracking system. Version 1.4.7
Usage: conntrack [commands] [options]

Commands:
  -L [table] [options]      List conntrack or expectation table
  -G [table] parameters     Get conntrack or expectation
  -D [table] parameters     Delete conntrack or expectation
  -I [table] parameters     Create a conntrack or expectation
  -U [table] parameters     Update a conntrack
  -E [table] [options]      Show events
  -F [table]                Flush table
  -C [table]                Show counter
  -S                        Show statistics
. . .

Have a look at chapter 5 at The conntrack-tools user manual (it is short).

I did not find anything related to “conntrack command to flush existing connections”

That allows you to be selective. conntrack -F resets the whole table and is a bit brutal…

1 Like

Ahhh! (lightbulb came on!) Deleting established connection(s) makes sense!
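As an added example for the conntrack approach discussed above (my own script, not code from IPFire or from anyone in this thread), here is a small POSIX shell script that could be run from the fcron job a minute after the time-based rule becomes active. It deletes only the tracked connections that involve one client (both directions, via the original-source and original-destination filters of conntrack -D) instead of flushing the whole table with -F, and it validates its argument so that an unexpected value cannot reach the root-owned command line. It assumes conntrack-tools is installed on the firewall; the address 192.168.7.2 and the script path are constructed placeholders. One caveat worth knowing: deleting the conntrack entry does not close the socket on the client. It just makes the firewall treat the client's next packet as a NEW connection, which the block rule then drops, so from the client's side the session simply hangs and times out.

```shell
#!/bin/sh
# Added example for this thread, not code from IPFire or from any poster.
# Drops the conntrack entries of one client so that its next packet is
# evaluated as a NEW connection and hits the time-based block rule.
# Assumes conntrack-tools is installed on the firewall. The address
# 192.168.7.2 used below is a constructed placeholder.

# Reject anything that is not a plain dotted-quad IPv4 address. The script
# runs from an fcron job as root, so the argument must never reach the
# command line unchecked. Runs in a subshell so IFS and set -f stay local.
valid_ipv4() {
    (
        set -f            # no pathname expansion of "*" and friends
        IFS=.
        set -- $1         # split the address into its octets
        [ "$#" -eq 4 ] || exit 1
        for octet in "$@"; do
            case "$octet" in ''|*[!0-9]*) exit 1 ;; esac
            [ "$octet" -le 255 ] || exit 1
        done
        exit 0
    )
}

# Both directions are needed: -s matches the original-direction source
# (flows the client opened), -d the original-direction destination (flows
# opened towards the client). This is much narrower than "conntrack -F",
# which would also drop every other client's state and your own session.
build_cmds() {
    printf 'conntrack -D -s %s\nconntrack -D -d %s\n' "$1" "$1"
}

# Delete the client's tracked connections. Set DRY_RUN=1 to only print the
# commands; they are also printed when conntrack is not installed.
flush_client() {
    valid_ipv4 "$1" || { echo "flush_client: not an IPv4 address: $1" >&2; return 2; }
    build_cmds "$1" | while IFS= read -r cmd; do
        if [ "${DRY_RUN:-0}" = 1 ] || ! command -v conntrack >/dev/null 2>&1; then
            echo "would run: $cmd"
        else
            # $cmd is unquoted on purpose: we built it ourselves above.
            # conntrack exits 1 when no entry matched; that is fine here.
            $cmd >/dev/null 2>&1 || true
        fi
    done
}

# Usage: flush-client.sh <client-ipv4>
if [ -n "${1:-}" ]; then
    flush_client "$1" || exit $?
fi
```

With the script saved as, say, /usr/local/bin/flush-client.sh (an assumed path), an fcrontab line such as `1 9 * * * /usr/local/bin/flush-client.sh 192.168.7.2` would run it one minute after a rule that starts blocking at 9:00. Putting that line in a separate user's fcrontab, as recommended earlier in the thread, keeps it out of the way of Core Updates.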

Hi all,
it should also be possible to kill specific connections via ss if the kernel has been compiled with CONFIG_INET_DIAG_DESTROY. Checking it on IPFire via

$ grep CONFIG_INET_DIAG_DESTROY /boot/config-6.6.15-ipfire
CONFIG_INET_DIAG_DESTROY=y

it looks good and should work.

Examples:
To check which connection should be killed, netstat can be helpful, e.g.
netstat -nap | grep ESTABLISHED
with an example output for an SSH connection to IPFire:

tcp        0     36 192.168.7.1:222        192.168.7.2:45512      ESTABLISHED 25541/sshd: root@pt

To kill the SSH connection via destination IP and destination port, the following command was used:
ss --kill dst 192.168.7.2 dport = 45512
Possible output of ss:

Netid      State      Recv-Q       Send-Q             Local Address:Port              Peer Address:Port       
tcp        ESTAB      0            0                    192.168.7.1:222             192.168.7.2:45512

Since ss is part of the iproute2 package, it is part of IPFire's core system. Just as another idea.

Best,

Erik

2 Likes