Netgate Discussion Forum
    PfSense reload pfctl rules

    General pfSense Questions
    8 Posts 2 Posters 5.0k Views
    dre2007

      Afternoon,

      I am trying to find out how I can apply my changes to the firewall which I made via SSH.
      I made an update to one of my firewall rules and need to apply it now.

      I read about the command pfctl -f /etc/pf.conf, however this file (pf.conf) doesn't seem to exist in the /etc directory on my pfSense server when I do an ls -l there.

      Does anyone know how I can find out which filter rules file is currently loaded, so I can change the /etc/pf.conf to the correct path?

      Many thanks in advance.

      André

    stephenw10 (Netgate Administrator)

        The generated ruleset is in /tmp/rules.debug:
        https://www.netgate.com/docs/pfsense/firewall/firewall-rule-troubleshooting.html#ruleset-loading

        But, how did you make the change to the rules from SSH?
        I suspect you may lose those changes.

        A better option might be to use the easyrule command:
        https://www.netgate.com/docs/pfsense/firewall/adding-rules-with-easyrule.html

        Steve

    dre2007

          Hi Stephenw10,

          Thank you very much for your reply.
          will dig into that.

          Perhaps I should be more clear, sorry for that.
          My purpose is to do the following:
          - monitor event logs for external logins (hack attempts) on an RD Gateway server
          - once an IP is hit more than 10 times in 1 minute, automatically set up a PuTTY session and send keystrokes with the IP to add the IP to my firewall alias which blocks the bad guy

          I was thinking about pfctl -t hackrule and then add the IP.
          Once I do a pfctl -t hackrule -T show I noticed the IP but it was not yet loaded and active hence my question in this forum.

          Perhaps not the most professional way but I am just wondering how I can apply the new IP in the alias in the fw rule so it is active straight away.
          Which command do I need to execute to reload the firewall so the IP is included?

          The command "pfctl -f /tmp/rules.debug" didn't do the trick unfortunately.
          If I do a pfctl -t hacklog -T show it shows the IP I added.
          Once I run pfctl -f /tmp/rules.debug it disappears like I never added it :-(

    stephenw10 (Netgate Administrator)

            Yes, as you found, you can't manually change the ruleset as it will be overwritten by the generated rules the next time there is a filter reload.

            A better option here would be to use a URL alias. When you use that in a firewall rule it will pull in the list from an external source. That way you can maintain that list with a script wherever it exists. You would need to trigger a filter reload to update it though.
            https://www.netgate.com/docs/pfsense/firewall/aliases.html#url-alias

            You might also do that using the pfBlocker package where you can schedule updates for aliases easily.

            Steve

    dre2007

              Thumbs up :-)

              Thanks, you are helping me out here.
              I don't have the time to log on and verify yet, but it looks promising.
              If I understand correctly, I can host a txt file with several IP / CIDR ranges which it pulls from the internet and loads itself.
              However, how do I trigger the filter reload with, for example, a cron job?
              That is my biggest struggle till now.

              Thanks again

    stephenw10 (Netgate Administrator)

                If you use the pfBlocker package you can set the update interval against the custom list.

                If you need to trigger the update immediately via a script I believe you can use:
                /etc/rc.update_urltables now

                Steve

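The approach the two posts above converge on, as an added example that is not code from the thread, from pfSense, or from either poster: instead of adding addresses to a pf table with pfctl -T add, which the next filter reload discards because pfSense regenerates the ruleset from its own configuration, the script keeps the list that a URL Table alias pulls in. It runs the poster's rule (more than 10 failed logons from one source inside one minute) over log lines and renders the alias file. Everything about the input is an assumption made for the example: the log is exported as one line per event in the form "timestamp event-id source-ip", 4625 is used as the failed-logon event id, the sample lines are constructed, and 192.0.2.0/24 stands in for the administrator's own network, which is exempted alongside the RFC 1918 ranges so the script cannot lock you out of the gateway.

```python
"""Sliding-window failed-logon detector that writes a pfSense URL Table alias file.

Added example for this thread; not code from pfSense or from either poster.
Assumptions (all constructed for the example):
  - each log line is "<ISO timestamp> <event id> <source ip>", event 4625 = failed logon;
  - lines for a given source arrive in chronological order;
  - 192.0.2.0/24 is the administrator's own network and must never be blocked;
  - the rendered file is published wherever the pfSense URL Table alias fetches it.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 10          # "more than 10 times ..."
WINDOW_SECONDS = 60     # "... in 1 minute"
FAILED_LOGON = 4625
# Never emit these: RFC 1918 space plus the assumed management network, so a
# misparsed or spoofed line cannot block your own access to the gateway.
ALLOWLIST = [ipaddress.ip_network(n) for n in
             ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "192.0.2.0/24")]

LINE_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)$")


def parse_line(line):
    """Return (timestamp, event_id, ip), or None for lines outside the assumed layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        return datetime.fromisoformat(m.group(1)), int(m.group(2)), ipaddress.ip_address(m.group(3))
    except ValueError:
        return None


def _exempt(ip):
    return any(ip in net for net in ALLOWLIST)


def offending_ips(lines, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Sources with more than `threshold` failed logons inside any `window`-second span, as sorted strings."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    blocked = set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, event, ip = parsed
        if event != FAILED_LOGON or _exempt(ip):
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:   # drop failures older than the window
            q.popleft()
        if len(q) > threshold:
            blocked.add(ip)
    return sorted(str(ip) for ip in blocked)


def render_alias_file(ips, existing=()):
    """One network per line, the format a URL Table alias reads; merged, deduplicated and collapsed."""
    nets = [ipaddress.ip_network(x, strict=False) for x in list(existing) + list(ips)]
    lines = []
    for version in (4, 6):   # collapse_addresses() needs one address family at a time
        same = [n for n in nets if n.version == version]
        lines.extend(str(n) for n in ipaddress.collapse_addresses(same))
    return "".join(line + "\n" for line in lines)


def _burst(ip, start, count, step_seconds):
    """Constructed sample data: `count` failed logons from `ip`, `step_seconds` apart."""
    t0 = datetime.fromisoformat(start)
    return [f"{(t0 + timedelta(seconds=i * step_seconds)).isoformat()} {FAILED_LOGON} {ip}"
            for i in range(count)]


# Constructed sample log (documentation-range addresses, no real hosts).
SAMPLE_LOG = (
    _burst("203.0.113.10", "2024-07-08T12:30:00", 11, 5)      # 11 failures in 50 s: blocked
    + _burst("203.0.113.20", "2024-07-08T12:31:00", 11, 20)   # 11 failures over 200 s: not blocked
    + _burst("198.51.100.7", "2024-07-08T12:35:00", 5, 1)     # under the threshold: not blocked
    + _burst("10.0.0.5", "2024-07-08T12:36:00", 12, 1)        # RFC 1918 address: exempt
    + ["2024-07-08T12:37:00 4624 203.0.113.30"]               # successful logon: ignored
)

if __name__ == "__main__":
    bad = offending_ips(SAMPLE_LOG)
    print(bad)                                               # ['203.0.113.10']
    # In a real run, `existing` is read back from the published file so entries accumulate.
    with open("/tmp/rdgw-block.txt", "w") as fh:
        fh.write(render_alias_file(bad, existing=["198.51.100.0/24"]))
```

Publishing the file does not by itself change what the firewall enforces: the alias still has to be refreshed, either on the schedule pfBlocker sets for the list or by whatever update command is used, such as the one Steve names above. Serve the file from a host that only you can write to, since anyone who can change it decides what pfSense blocks.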
    dre2007 (replying to stephenw10)

                  @stephenw10
                  I had good hope with your command but it doesn't do the trick.
                  It doesn't give me an error but once I verify in PfSense if the IP alias has been updated with the new added IP it isn't there.
                  Could it be that the command should be like /etc/rc.update_iptables now since I am using IP addresses?

                  PS: I tried /etc/rc.update_alias_url_data now but that also doesn't do the trick :-( it is not being updated in the GUI when I check the aliases, so I assume it doesn't update the configuration after adding an IP to the alias.

    stephenw10 (Netgate Administrator)

                    When I run that command I see this in the system logs (reversed):

                    Jul 8 12:30:23 	php-cgi 		rc.update_urltables: /etc/rc.update_urltables: pfB_Spamhaus does not need updating.
                    Jul 8 12:30:23 	php-cgi 		rc.update_urltables: /etc/rc.update_urltables: pfB_NAmerica_v4 does not need updating.
                    Jul 8 12:30:23 	php-cgi 		rc.update_urltables: /etc/rc.update_urltables: Starting URL table alias updates
                    Jul 8 12:30:00 	php-cgi 		rc.update_urltables: /etc/rc.update_urltables: Starting up. 
                    

                    Those are url aliases added by pfBlocker that point to lists of IPs.
                    Do you not see that logged for your custom alias?

                    Steve

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.