Scheduling

Rules don't have to take effect all the time; we can define time ranges during which the rules apply, and the process is even easier than creating rules. Each schedule can have multiple time ranges, and, once defined, it can be applied to a rule. To get started with scheduling, navigate to Firewall | Schedules. There will be a table displaying all the previously created schedule entries; clicking on the Add button below the table allows you to create a new entry.

The Edit page for schedules has two sections: Schedule Information, in which you can configure options, and Configured Ranges, in which the already defined ranges for this schedule appear. You must create at least one time range per schedule, although you can create more. The first option on the page is Schedule Name, where you enter the name, which can consist only of letters, numbers, and the underscore character. You may also enter a non-parsed, free-form description in the next field. In the Month drop-down box, you can select the month that will appear in the Date section. Time ranges can consist of individual dates (for example, April 15), or of days of the week (for example, Tuesdays). You can click on an individual date on the calendar to select only that date, or you can click on a weekday header to select all occurrences of that weekday.

Creating a schedule. The schedule entry will apply to all weekdays.

In the Time section, you can select a time range for the days selected on the calendar. The fields are Start Hrs, Start Mins, Stop Hrs, and Stop Mins, and times are entered in 24-hour format. You can also enter a non-parsed Time range description. When you are done defining a time range, you can click on the Add Time button. Alternatively, you can click on the Clear selection button to clear the selection. Once you click on the Add Time button, the time range should appear in the Configured Ranges section of the page. You can create additional time ranges by selecting the appropriate dates/days of the week and time ranges, adding a description, and clicking the Add Time button again. You can also delete existing ranges by clicking on the Delete button to the right of each entry. When you are done configuring time ranges and editing other options, click on the Save button at the bottom of the page.

An example schedule

To illustrate the process of creating a schedule and using it in a rule, we will create a schedule for lunchtime (Noon-1 PM) and create a rule using this schedule. This will allow us to implement a rule that allows access to Slashdot only from noon to 1 PM on weekdays. To do this, we perform the following steps:

  1. Navigate to Firewall | Schedules, and click on the Add button at the bottom of the page.
  2. Set Schedule Name to LUNCH_TIME and add a brief description.
  3. On the calendar, select Mon, Tue, Wed, Thu, and Fri by clicking on the top of each column.
  4. Set the time range in the Time fields to begin at 12:00 and end at 13:00. Enter a brief description (for example, Lunchtime), and click on the Add Time button. Then click on the Save button at the bottom of the page.
  5. Now that the schedule has been added, we can navigate to Firewall | Rules and add a rule that utilizes it. From the Rules page, we click on the DEVELOPERS tab and click on the Add button that shows an up arrow to the right of Add, to add a rule to the top of the list.
  6. On the Edit page, we can keep all the options in the Edit Firewall Rule section the same, unless we need to support IPv6 addresses (we will assume we do not have to support such addresses). We set Source to DEVELOPERS net and leave the port options unchanged. We set Destination to Single host or alias and enter 216.34.181.45 (the Slashdot IP address) in the Destination Address field. We can also enter a description for this rule (for example, Allow Slashdot during lunchtime).
  7. To configure scheduling options, we need to click on the Advanced options button. Once we do, the advanced options will appear on the page, and we can scroll down to the Schedule drop-down box. In this box, we can now select the LUNCH_TIME schedule we just created.
  8. Now we can scroll to the bottom of the page and click on the Save button. Our new rule is now created. We still need to click on the Apply Changes button on the main Rules page to reload the firewall rules.

You may have noticed that we have created a rule to allow access to Slashdot during the lunch hour, but we have not created a rule to block access to Slashdot yet. Thus, with our current ruleset, the new rule has no practical effect, because access to Slashdot was already enabled via the Allow DEVELOPERS to WAN rule. We can easily create a rule to block Slashdot, however, by clicking on the Copy button to the right of the new rule in the table, and creating a new rule based on the previously created rule. We just need to change the Action from Pass to either Block or Reject (Reject is probably the better option), and change the Schedule option so the rule applies at all times. We should also change the Description field to reflect its purpose. After we click on the Save button, a new rule will be created after the Allow Slashdot during lunchtime rule, which is the order we need. Remember, rules are evaluated on a top-down basis, so we want the Block Slashdot rule to come before the Allow DEVELOPERS to WAN rule, and we want the Allow Slashdot during lunchtime rule to come before both of these rules.
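
The ordering argument above can be checked with a small first-match model, added here as an example and not taken from the book or from pfSense itself. It assumes a constructed DEVELOPERS subnet (172.16.1.0/24), that a scheduled rule is skipped outside its time range, and that the stop time is exclusive.

```python
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Schedule:
    name: str
    weekdays: frozenset   # 0 = Monday ... 6 = Sunday
    start: time
    stop: time
    def active(self, now: datetime) -> bool:
        # Assumption: start is inclusive, stop is exclusive.
        return now.weekday() in self.weekdays and self.start <= now.time() < self.stop

@dataclass
class Rule:
    action: str           # "pass" or "reject"
    src: str              # source network (CIDR)
    dst: str              # destination network (CIDR)
    descr: str
    schedule: Optional[Schedule] = None
    def matches(self, src: str, dst: str, now: datetime) -> bool:
        if self.schedule and not self.schedule.active(now):
            return False  # outside its schedule the rule is skipped
        return ip_address(src) in ip_network(self.src) and ip_address(dst) in ip_network(self.dst)

def evaluate(rules, src, dst, now):
    """Top-down evaluation: the first matching rule decides."""
    for rule in rules:
        if rule.matches(src, dst, now):
            return rule.action, rule.descr
    return "block", "default deny"

DEV_NET = "172.16.1.0/24"       # constructed subnet for DEVELOPERS net
SLASHDOT = "216.34.181.45/32"   # address used in the text
LUNCH_TIME = Schedule("LUNCH_TIME", frozenset(range(5)), time(12, 0), time(13, 0))
allow_lunch = Rule("pass", DEV_NET, SLASHDOT, "Allow Slashdot during lunchtime", LUNCH_TIME)
block_slashdot = Rule("reject", DEV_NET, SLASHDOT, "Block Slashdot")
allow_wan = Rule("pass", DEV_NET, "0.0.0.0/0", "Allow DEVELOPERS to WAN")
WITHOUT_BLOCK = [allow_lunch, allow_wan]                 # ruleset after step 8
WITH_BLOCK = [allow_lunch, block_slashdot, allow_wan]    # intended order
MISORDERED = [block_slashdot, allow_lunch, allow_wan]    # block rule placed first

def verdict(rules, when, dst="216.34.181.45", src="172.16.1.20"):
    return evaluate(rules, src, dst, datetime.fromisoformat(when))

if __name__ == "__main__":   # 2024-04-16 is a Tuesday, 2024-04-20 a Saturday
    for when in ("2024-04-16T12:30", "2024-04-16T15:00", "2024-04-20T12:30"):
        print(when, verdict(WITHOUT_BLOCK, when), verdict(WITH_BLOCK, when), verdict(MISORDERED, when))
```

With the block rule placed above the scheduled pass rule, Slashdot is rejected even at 12:30 on a weekday, which is why the scheduled rule has to sit at the top.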
