Command to regenerate /tmp/rules.debug
-
Hello,
I would like to let ansible (AWX Server) manage a few parts of the pfSense config, e.g. add allowed MAC addresses to the Captive Portal. I found out that the MACs are written to the config.xml and that the MACs are some kind of anchor in the packet filter. (But I don't know how anchors work in BSD and why there is no MAC in the rules.debug.)
So what I plan to do is to change the config.xml by ansible, regenerate the /tmp/rules.debug file and reapply this file to the packet filter.
Is there a command to force an update of the rules.debug file, or a better way?
-
@cpa
First things first : what is your pfSense version ?
Because 2.6.0 still uses ipfw as a first firewall, and pf as the GUI based firewall.
pfSense Plus 22.05 ditched ipfw, and the portal is now pf-only based.
-
Sorry,
I'm using version 2.7.0-DEVELOPMENT.
-
@cpa said in Command to regenerate /tmp/rules.debug:
and why there is no MAC in the rules.debug)
and you're right : nothing in the /tmp/rules.debug
But when I read Troubleshooting Captive Portal you'll find ways to see pf firewall rules :
pfSsh.php playback pfanchordrill
shows me :
.....
cpzoneid_2_passthrumac rules/nat contents:
cpzoneid_2_passthrumac/001122334455 rules/nat contents:
ether pass in quick from 00:11:22:33:44:55 l3 all tag cpzoneid_2_auth dnpipe 2008
ether pass out quick to 00:11:22:33:44:55 l3 all tag cpzoneid_2_auth dnpipe 2009
@cpa said in Command to regenerate /tmp/rules.debug:
So what I plan to do is to change the config.xml by ansible, regenerate the /tmp/rules.debug file and reapply this file to the packet filter.
Easy answer: OK to look for a solution, but forget about using (modifying) "/tmp/rules.debug" yourself.
This file exists as read only, and can be changed by the system at any time. It would work, of course, as most of the GUI is written in PHP, but: you have to know how pfSense works - and there is no way to short circuit that.
Adding a MAC to the MAC list of the captive portal isn't rocket science, as you can borrow all the PHP scripts that already exist.
How to 'flush' the new MAC to the config and apply it to the firewall: you'll find out fast enough, as code writing always starts with a lot of reading (about how the system works).
pfSense doesn't have an API or something like that.
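One thing worth having once ansible starts editing config.xml is a drift check between what the config says and what pf actually loaded, since the passthrough MACs live in per-MAC sub-anchors rather than in rules.debug. The script below is an added example, not code from this thread or from pfSense: the anchor dump mirrors the pfanchordrill output shown above, while the config.xml layout (a `<passthrumac>` element with `<action>`/`<mac>` children and a `<zoneid>` per zone) is an assumption about pfSense's config format, and both inputs are constructed samples embedded inline.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the shape "pfSsh.php playback pfanchordrill" printed above
# (one zone, one passthrough MAC; anchor names and rule syntax follow the post).
ANCHOR_DUMP = """\
cpzoneid_2_passthrumac rules/nat contents:
cpzoneid_2_passthrumac/001122334455 rules/nat contents:
ether pass in quick from 00:11:22:33:44:55 l3 all tag cpzoneid_2_auth dnpipe 2008
ether pass out quick to 00:11:22:33:44:55 l3 all tag cpzoneid_2_auth dnpipe 2009
"""

# Constructed config.xml excerpt; the <passthrumac>/<mac> and <zoneid> layout is an
# assumption about pfSense's config format, not something taken from the post.
CONFIG_XML = """\
<pfsense><captiveportal><cpzone1>
  <zone>cpzone1</zone><zoneid>2</zoneid>
  <passthrumac><action>pass</action><mac>00:11:22:33:44:55</mac><descr>printer</descr></passthrumac>
  <passthrumac><action>pass</action><mac>aa:bb:cc:dd:ee:ff</mac><descr>added by ansible</descr></passthrumac>
</cpzone1></captiveportal></pfsense>
"""

# One "ether pass" rule: direction, MAC, and the zone id carried in the tag name.
RULE_RE = re.compile(r"^ether pass (in|out) quick (?:from|to) ([0-9a-f:]{17}) .*tag cpzoneid_(\d+)_auth", re.I)

def macs_in_pf(dump):
    """Return {zoneid: {mac: {directions}}} parsed from a pfanchordrill-style dump."""
    seen = {}
    for line in dump.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            direction, mac, zone = m.group(1), m.group(2).lower(), int(m.group(3))
            seen.setdefault(zone, {}).setdefault(mac, set()).add(direction)
    return seen

def macs_in_config(xml_text):
    """Return {zoneid: {mac}} for every passthrumac entry whose action is 'pass'."""
    want = {}
    for cpzone in ET.fromstring(xml_text).find("captiveportal"):
        zone = int(cpzone.findtext("zoneid"))
        for entry in cpzone.findall("passthrumac"):
            if entry.findtext("action") == "pass":
                want.setdefault(zone, set()).add(entry.findtext("mac").lower())
    return want

def drift(config_xml, anchor_dump):
    """(missing, extra): configured MACs not loaded in both directions, and loaded MACs not configured."""
    want, have = macs_in_config(config_xml), macs_in_pf(anchor_dump)
    zones = set(want) | set(have)
    missing = {(z, m) for z in zones for m in want.get(z, set()) if have.get(z, {}).get(m) != {"in", "out"}}
    extra = {(z, m) for z in zones for m in have.get(z, {}) if m not in want.get(z, set())}
    return missing, extra
```

In the sample the second MAC was written to config.xml but never loaded into pf, which is exactly the state an ansible edit without a proper reload leaves behind.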