Time based network access control on OpenBSD


Time based ACL (access control list) features do not exist in BSD’s packet filter (PF). Having your network “shut down” at certain times (for instance, allowing certain network ranges or specific IP addresses only during “business hours” or another specific time range) can nevertheless be achieved with a simple PF table and a cronjob.

First, let’s set up the PF table which will control the traffic. Add the following to your /etc/pf.conf :

# add time block table
table <time_block> { } persist

Next, create a PF rule which blocks traffic from all entries in the time_block table:

# block all CIDR addresses in the time block table
block in quick log from <time_block> to any

Since the time_block table is still empty, no traffic is actually blocked yet; the persist keyword keeps the (empty) table around so it can be filled from the command line later.

The last thing to implement is the periodic manipulation of the time_block table. This can be done with two cronjobs:

  1. allow traffic at the beginning of “business hours”
  2. block traffic at the end of “business hours”

crontab -e

# Allow traffic
0 7 * * * /usr/local/scripts/allow_employees.sh > /dev/null 2>&1
# Block traffic
0 17 * * * /usr/local/scripts/block_employees.sh > /dev/null 2>&1

The allow_employees.sh script allows the employee network ranges by removing them from the time_block table, one pfctl invocation per range (pfctl accepts -Td as an abbreviation of -T delete). The ranges in the script are placeholders taken from the RFC 5737 documentation prefixes; replace them with your own networks:

#!/bin/sh
# allow_employees.sh: remove the employee ranges from the time_block table
# (example ranges, replace with your own)
/sbin/pfctl -Td -t time_block 192.0.2.0/24
/sbin/pfctl -Td -t time_block 198.51.100.0/24

The block_employees.sh script does the exact opposite: it adds the same ranges to the time_block table (-Ta is short for -T add), so that their network access is blocked by the firewall:

#!/bin/sh
# block_employees.sh: add the employee ranges to the time_block table
# (example ranges, replace with your own)
/sbin/pfctl -Ta -t time_block 192.0.2.0/24
/sbin/pfctl -Ta -t time_block 198.51.100.0/24

Finally, deploy your new PF rules (test them first with -n, which parses the ruleset without loading it):

pfctl -nf /etc/pf.conf
pfctl -f /etc/pf.conf
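The two cron jobs above leave one gap: the time_block table lives in the kernel only, so after a reboot (or a missed cron run while the host was down) it is empty until the next 17:00 job, and traffic is allowed even outside business hours. The script below is an added example, not code from the original post: instead of two jobs it reconciles the table with the current hour, so a single cron entry run every few minutes always ends in the right state. It assumes a table named time_block, the employee networks listed one CIDR per line in a file (path in RANGES_FILE, hypothetical), business hours from START_HOUR to END_HOUR, and that PFCTL may be pointed at echo for a dry run. The built-in sample ranges are constructed RFC 5737 documentation prefixes.

```shell
#!/bin/sh
# time_block.sh (added example): reconcile the PF <time_block> table with the
# current hour, so one cron job such as
#   */5 * * * * /usr/local/scripts/time_block.sh apply > /dev/null 2>&1
# keeps the table correct even after a reboot or a missed run.
# Assumed settings (hypothetical, adjust to your site); all can be overridden
# from the environment, and PFCTL=echo gives a dry run.

PFCTL="${PFCTL:-/sbin/pfctl}"
TABLE="${TABLE:-time_block}"
RANGES_FILE="${RANGES_FILE:-/etc/employee_ranges}"
START_HOUR="${START_HOUR:-7}"    # inclusive
END_HOUR="${END_HOUR:-17}"       # exclusive

# Constructed sample ranges (RFC 5737 documentation prefixes), used only when
# RANGES_FILE does not exist, so the script can be exercised anywhere.
SAMPLE_RANGES="192.0.2.0/24
198.51.100.0/24"

# Print "allow" or "block" for the hour given as $1 (0-23, leading zero ok).
desired_state() {
    hour="${1#0}"
    hour="${hour:-0}"
    if [ "$hour" -ge "$START_HOUR" ] && [ "$hour" -lt "$END_HOUR" ]; then
        echo allow
    else
        echo block
    fi
}

# Small syntax check: a.b.c.d or a.b.c.d/n with octets 0-255 and n 0-32.
# Rejecting malformed lines keeps a typo in the ranges file from turning
# into a pfctl error half way through the run.
valid_cidr() {
    printf '%s\n' "$1" | awk -F'[./]' '
        NF != 4 && NF != 5 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }
        NF == 5 && ($5 !~ /^[0-9]+$/ || $5 > 32) { exit 1 }
        { exit 0 }'
}

# Emit the ranges one per line, skipping comments and blank lines.
list_ranges() {
    if [ -r "$RANGES_FILE" ]; then
        grep -v '^[[:space:]]*#' "$RANGES_FILE" | grep -v '^[[:space:]]*$'
    else
        printf '%s\n' "$SAMPLE_RANGES"
    fi
}

# Apply the state for the given hour (default: now). "block" adds every
# range to the table, "allow" deletes it; pfctl treats repeats as no-ops,
# so running this every few minutes is harmless. Returns non-zero if any
# range was skipped as malformed.
reconcile() {
    state=$(desired_state "${1:-$(date +%H)}")
    case "$state" in
        block) op=-Ta ;;
        allow) op=-Td ;;
    esac
    rc=0
    for cidr in $(list_ranges); do
        if valid_cidr "$cidr"; then
            "$PFCTL" "$op" -t "$TABLE" "$cidr"
        else
            echo "skipping malformed range: $cidr" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Usage: time_block.sh apply [hour]
case "${1:-}" in
    apply) reconcile "${2:-}" ;;
esac
```

Run it as `time_block.sh apply` from cron; `PFCTL=echo time_block.sh apply 18` prints the pfctl commands it would issue without touching the firewall, which is also a convenient way to check the ranges file before deploying. Adding an already present address or deleting an absent one is not an error for pfctl, so the reconciliation is idempotent.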