Netgate Discussion Forum

Creating firewall rule via ssh

  • S
    speatzle_
    last edited by Jun 10, 2020, 1:14 PM

    Hi, I have been trying to create firewall rules remotely via ssh.
    So what I have been doing is:

    • Connect via ssh and read the /conf/config.xml with cat
    • Add a new rule to the filter section like this:
    <rule>
        <type>pass</type>
        <ipprotocol>ipnet</ipprotocol>
        <descr>remote ssh test description</descr>
        <interface>lan</interface>
        <tracker>1591784472</tracker>
        <source>
            <network>lan</network>
        </source>
        <destination>
            <any/>
        </destination>
    </rule>

    • Upload and overwrite the current /conf/config.xml file
    • Delete the /tmp/config.cache file
    • Reload the config using /etc/rc.filter_configure or /etc/rc.reload_all
      This seems to work

    For the tracker I have been using the current Unix time, but I have noticed that autogenerated / special rules have special values there. Are there ranges specified somewhere for these special rules?

    Also, what is the id element in rules for? It is only there for some rules, and then it is also empty.
    And can I add custom elements and/or attributes to rules without them being removed?

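The edit step from the post above, done with an XML parser on a local copy of the file instead of by hand, so the result is checked for well-formedness and a tracker collision before anything is uploaded. This is an added example, not code from the thread or from pfSense: the function name, the sample config and the bump-on-collision tracker handling are assumptions, and `<ipprotocol>` is left out.

```python
import time
import xml.etree.ElementTree as ET

# Constructed stand-in for /conf/config.xml (not a real pfSense config).
SAMPLE_CONFIG = """<pfsense>
  <filter>
    <rule>
      <type>pass</type>
      <descr>existing rule</descr>
      <interface>lan</interface>
      <tracker>1591784472</tracker>
      <source><any/></source>
      <destination><any/></destination>
    </rule>
  </filter>
</pfsense>"""


def add_pass_rule(config_xml, descr, interface, src_network, now=None):
    """Return (new_xml, tracker) with one pass rule appended to <filter>."""
    root = ET.fromstring(config_xml)  # raises ParseError if the copy is malformed
    filt = root.find("filter")
    if filt is None:
        raise ValueError("config has no <filter> section")
    # Trackers already present; reusing one would make two rules share an id.
    used = {r.findtext("tracker") for r in filt.findall("rule")}
    tracker = int(now if now is not None else time.time())
    while str(tracker) in used:  # assumption: bump by one second on collision
        tracker += 1
    rule = ET.SubElement(filt, "rule")
    for tag, text in (("type", "pass"), ("descr", descr),
                      ("interface", interface), ("tracker", str(tracker))):
        ET.SubElement(rule, tag).text = text  # &, < and > are escaped on output
    ET.SubElement(ET.SubElement(rule, "source"), "network").text = src_network
    ET.SubElement(ET.SubElement(rule, "destination"), "any")
    new_xml = ET.tostring(root, encoding="unicode")
    ET.fromstring(new_xml)  # re-parse: only a file that loads gets uploaded
    return new_xml, tracker


if __name__ == "__main__":
    xml_out, used_tracker = add_pass_rule(
        SAMPLE_CONFIG, "remote ssh test description", "lan", "lan")
    print(used_tracker)
    print(xml_out)
```

The upload, cache deletion and reload steps stay as described in the post; keeping a copy of the original config.xml before overwriting gives a way back if the reload fails.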
    • S
      skogs
      last edited by skogs Jun 14, 2020, 5:40 AM Jun 14, 2020, 5:33 AM

      While this is a fine question, this is not the forum for it. This is the development forum for identifying and first stage troubleshooting new versions of pfsense before they are released.

      Perhaps you should post in:
      https://forum.netgate.com/category/4/firewalling

      I'm afraid I test a lot of things, but manually making a rule via text editor is not one of them. ^^ probably better luck on the actual firewall section of the forum.

      • J
        jimp Rebel Alliance Developer Netgate
        last edited by Jun 15, 2020, 7:15 PM

        @skogs said in Creating firewall rule via ssh:

        While this is a fine question, this is not the forum for it. This is the development forum for identifying and first stage troubleshooting new versions of pfsense before they are released.

        It actually is the right place. It's not a question about firewalling, but about programming. Which is a form of development.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        • S
          serbus
          last edited by Jun 15, 2020, 7:30 PM

          Hello!

          While I haven't had the need to play with it yet, the interface documented here looks pretty cool:

          https://docs.netgate.com/pfsense/en/latest/development/using-the-php-pfsense-shell.html

          Maybe you could use it to create rules in the config.

          John

          Lex parsimoniae

          • J
            jimp Rebel Alliance Developer Netgate
            last edited by Jun 15, 2020, 7:33 PM

            There are existing examples in the code for doing this as well. Start here:

            https://github.com/pfsense/pfsense/blob/master/src/usr/local/bin/easyrule
            https://github.com/pfsense/pfsense/blob/master/src/etc/inc/easyrule.inc
