How to use only my pf ruleset?
-
I would like to use only my own pf ruleset on an SG3100, as in
pfctl -f /usr/local/etc/mypf.conf
What is the best way to do that?
Thanks.
-
System | Advanced | Firewall & NAT | Disable all packet filtering
takes the web configurator firewalling out of the picture, but leaves pf disabled.
Adding pfctl -e to /usr/local/etc/rc.d/local.sh enables pf.
-
Nope. Oh, it works for a little while, but in an hour or two some process comes along and says "we don't need no pf" and disables pf.
No-one else ever wanted to do this?
Ok, so how do I configure pf rules using tables with the web configurator? I have a compliance requirement to block certain IP addresses, and there are way too many to enter by hand.
-
@kj32 said in How to use only my pf ruleset?:
I have a compliance requirement to block certain IP addresses, and there are way too many to enter by hand.
I'm not an expert but I would start with loading the IP addresses into an alias, possibly via a url lookup.
-
@kj32 said in How to use only my pf ruleset?:
Nope. Oh, it works for a little while, but in an hour or two some process comes along and says "we don't need no pf" and disables pf.
No-one else ever wanted to do this?
Ok, so how do I configure pf rules using tables with the web configurator? I have a compliance requirement to block certain IP addresses, and there are way too many to enter by hand.
Start here in the official documentation learning about firewall Aliases: https://docs.netgate.com/pfsense/en/latest/firewall/aliases.html. Aliases can become pf tables and be used in rules. You can create several types of Aliases (hosts/networks, port, URL-based, and FQDN). It's a piece of cake to populate aliases from text files via URLs (even local filesystem URLs). But don't abandon the GUI. That's the heart and soul of administering pfSense. If you simply want to import a big list of IP addresses to use as rule targets, use the Alias feature.
-
Thanks, I had not read that section. I appreciate having someone engage on this topic.
URL Table aliases look like they would work to define table-based rules. However, the update mechanism as described in the documentation is somewhat limited, from the perspective of prompt updates based on local data. Perhaps intentionally, to discourage pounding over-worked public service servers.
"For a URL Table alias, the drop-down list after the / controls how many days must pass before the contents of the alias are re-fetched from the stored URL by the firewall. When the time comes, the alias contents will be updated overnight by a script which re-fetches the data."
There is a discussion in this forum thread from 10 years ago about how to trigger the update from the command line. I will try that and see how far I get.
I am perfectly willing to use the GUI for the things it works well for.
-
@kj32 if all you need is an alias to be updated, the pfblocker alias features are probably more robust than the built-in stuff, and you can set more frequent updates.
I use it to create an alias that pulls info from multiple sources so I can use that alias in my firewall rules. You could have it update once an hour, as an example.
-
For future reference for anyone else who wanders by, local filesystem URLs (file://...) do not work for URL tables of IP addresses, at least on SG-3100, 12.05-02-RELEASE. Try http(s)://127.0.0.1/... instead.
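Putting the two points together (populating an Alias from a text file, and serving that file from the firewall's own web server rather than a file:// URL), here is an added helper script that is not from this thread or from pfSense: it normalises a hand-maintained list into the one-entry-per-line form a URL Table alias fetches and publishes it under an assumed web root. WEBROOT, the file names and the sample addresses are assumptions or constructed samples, not values from the thread.

```shell
#!/bin/sh
# Added example, not from the thread or from pfSense itself.
# Turns a hand-maintained block list (comments, blank lines, bad entries) into the
# plain one-entry-per-line file a URL Table alias can fetch, then publishes it
# under the firewall's local web root so the alias URL can be http://127.0.0.1/...
# Assumed paths: WEBROOT and the input/output file names are placeholders.

WEBROOT="${WEBROOT:-/usr/local/www}"   # assumed web root; adjust to your install

# Print valid IPv4 hosts and CIDR networks from $1, one per line, deduplicated.
# Comments after '#' and surrounding whitespace are stripped; anything that is
# not a well-formed IPv4 address (optionally /0-32) is dropped.
normalize_blocklist() {
  sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" \
    | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' \
    | awk -F'[./]' '{
        ok = 1
        for (i = 1; i <= 4; i++) if ($i > 255) ok = 0   # octet range check
        if (NF == 5 && $5 > 32) ok = 0                   # prefix length check
        if (ok) print
      }' \
    | sort -u
}

# Write the normalised list atomically so a fetch never sees a half-written
# file. $1 = source list, $2 = destination path (normally under WEBROOT).
publish_blocklist() {
  tmp="$2.tmp.$$"
  normalize_blocklist "$1" > "$tmp" && mv "$tmp" "$2"
}

# Constructed sample input (documentation/private ranges, not real indicators).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# block list maintained by hand
192.0.2.1        # documentation range, used as a sample
10.0.0.0/8
8.8.8.8
8.8.8.8          # duplicate, collapsed by sort -u
192.168.1.300    # bad octet, dropped
198.51.100.0/33  # bad prefix length, dropped
not-an-address
EOF

normalize_blocklist "$SAMPLE"
# Real use: publish_blocklist /root/blocklist.src "$WEBROOT/blocklist.txt"
```

The published file is what the URL Table alias at http://127.0.0.1/blocklist.txt (assumed name) would fetch; the alias update schedule itself is still governed by the GUI setting quoted above.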