T2600G-28TS Time Range and ACL
T2600G-28TS Time Range and ACL
Hello all,
I have defined a Time Range in order to inhibit WWW access deep in the night for my kids. System time ist set using ntp with local time zone, time range follows local time.
An ACL with DENY_ALL on all protocols and bound to specific ports works as desired (blocks always).
Now adding the TimeRange to the ACL does not trigger ACL, it seems to be always active. I tested this with my desired time range outside its "active" duty range (the time range is shown properly as "inactive" on the time range definition pane). A cross check with a second "active" time range (replaced in the ACL in question) did not change the behaviour. The ACL acts as if no time range was inserted, i.e. it blocks all the time.
What do I get wrong here?
-Michael
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
After a good nights sleep, let me please restate my assumptions:
- ACLs get evaluated like a queue top-to-bottom, so that the first rule with either a permit or deny decides the fate of a given packet
- cosequently, the finer tuned ACLs need to go up front, the broader ones to the bottom
- with a whitelisting approach, a catch-all deny-all rule must close the queue in order to deny everything not explicitly whitelisted
- this could have been done with an explicit rule, but TP-Link has attached a similar rule invisible/by default
I see the benefit of whitelisting in contrast to blacklisting, as I have more explicit control over what is allowed in terms of direct visibility instead of plugging all thinkable holes with blacklisting. But this implicit rule whitelisting approach is, at least, surprising...
OTOH, a similar blacklisting approach would work without an implicit catch-all, as everything not covered by the rules would be allowd by definition. But handling is more complicated, as exceptions must be very finely tuned without overlapping rules.
I am sure that this information is somewhere hidden in the manual, but I did not have any inclination to search because this comes unexpected.
This also clears up my initial time range problem.
Thanks to you all
Michael
- Copy Link
- Report Inappropriate Content
Mike63 wrote
- ACLs get evaluated like a queue top-to-bottom, so that the first rule with either a permit or deny decides the fate of a given packet
- cosequently, the finer tuned ACLs need to go up front, the broader ones to the bottom
Every firewall, every ACL mechanism and even every single instruction processed by a dumb piece of silicon such as a CPU needs to obey a certain order of evaluation which needs to be defined as a policy somewhere. Even humans do sometimes need a policy which defines order of evaluation, e.g. in the mathematical expression: 4 + 3 × 10.
- with a whitelisting approach, a catch-all deny-all rule must close the queue in order to deny everything not explicitly whitelisted
- this could have been done with an explicit rule, but TP-Link has attached a similar rule invisible/by default
Every switch from any vendor always does this. If there is no explicit rule at the end of a processing chain (no matter what it is), an action must follow. Even if there would be no (explicit or implicit!) action at all, there is a default action, too. And since it is up to the vendor what's the default action is, you should always state it explicitly, so you can use the same logic on any other switch without changing the rules.
Pure logic tells you this:
If a rule matches, it can terminate the set of rules or it can continue to apply more rules. In case of ACLs the policy defines to terminate the processing of the ruleset. If a rule doesn't match, the system continues applying rules. At the end, if no rule has matched, there is an action, too, the default action. »Do nothing« does not mean that the switch does nothing, it is just you who is guessing whether »do nothing« means processing the packet or not processing the packet. Both actions are still actions, you have to tell the switch what to do in order to do »nothing«.
It's even the same with humans: If your kids ask you whether thye are allowed to play games at night, you narrow the time range (allow them nightly gaming only at Sat/Sun and only between 00:00 and 01:00) and you define a default policy for the time period which follows (got to bed), else your kids could say you allowed gaming between 00:00 and 01:00, but you didn't forbid it between 01:00 and XX:YY either. In this case, the word »nur« (only) defines the default policy. Just translate this rules into an ACL and there you are.
My parents once did run crazy when I was told by them that the kid's room lamp has to be turned off at 20:30 and I discovered that a torch under the bedcover is enough to continue reading exciting thrillers while still obeying their rule. :-)
- Copy Link
- Report Inappropriate Content
Information
Helpful: 0
Views: 3913
Replies: 12
Voters 0
No one has voted for it yet.