Use aliases from commandline? (pfctl)



  • I am fiddling around with a custom script to kill states for VOIP traffic to a specific provider's network.  This is my attempt to fix one-way audio issues after multi-WAN failover.  The script will use pfctl to kill states and there are 5-6 CIDR notated networks that I need to reset.  To simplify the script I would like to just reference the alias that I have set up in the gui.

    Is this possible?  something like

    pfctl -k <voip_vlan_cidr> -k <alias_of_voip_provider_nets>
    

    Much appreciated



  • Another thing I noticed is that Aliases set up in the "Aliases > IP > Type: Network(s)" section do not show up in

    pfctl -t <aliasname> -T show
    

    Is there some other way to get the values stored in those aliases via script without scraping XML?


  • Moderator

    Change the alias type to URL alias.



  • Thanks BB-  but if I do this doesn't that mean it has to fetch from somewhere?  I don't want any external dependencies.  So would I just put a txt file on the local filesystem and then set the URL to http://localhost/whatever.txt?  ???


  • Moderator

    @luckman212:

    Thanks BB-  but if I do this doesn't that mean it has to fetch from somewhere?  I don't want any external dependencies.  So would I just put a txt file on the local filesystem and then set the URL to http://localhost/whatever.txt?  ???

    You can save the file to your pfSense box  in  /usr/local/www

    then add  http://localhost/whatever.txt

    But the pfSense code has cURL SSL verification checks… so it doesn't accept locally issued certs... So it might fail to download..

    You can add the following

    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
    

    to /etc/inc/pfsense-utils.inc  to  function download_file()

    But that's not a great solution for obvious reasons… So if you can save the file to a local web server, it will then create a file in /var/db/aliastables  (Another option is to create a Github account and create a private gist that you can link to). Or use the pfBlockerNG package, and create a new alias with "Alias Native" and enter the IPs into the custom input box to create the aliastable for you.



  • Hmm thank you for your help and advice on this.  None of these are perfect solutions but I will play around.  I think I may wind up trying to make my own package for this.



  • I think I found an interesting way to use aliases and keep things mainly in the GUI.  Would like to hear comments on whether this is ok-

    1. create alias of type "Network" - e.g. name it "VOIP_nets" and enter in my CIDR nets
    2. create a firewall rule on LAN interface (move to the top of the list) - the rule should be a "pass" rule to destination where alias=VOIP_nets (plus any other criteria you want, traffic type, port etc)
    3. for the "Description" field of this rule, name it something short and easy with no spaces e.g. "killstates"
    4. now send some traffic and confirm via the counters that our rule is matching these connections
    5. when I tried the command below, it correctly matched the states and killed the traffic….

    pfctl -k label -k "USER_RULE: killstates"
    

    is this valid??
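The two approaches discussed in this thread (kill states per network read from a pf table, or kill by rule label) as one small script; this is an added example, not code from any poster. It assumes a pfSense/FreeBSD box where the alias is loaded as a pf table of the same name (the thread notes Network-type aliases may not appear), and the VLAN CIDR and table name below are placeholders.

```sh
#!/bin/sh
# Set DRY_RUN=1 to print the pfctl commands instead of running them.

# Emit one "pfctl -k <src> -k <dst>" line per table entry read from stdin.
# $1 = source network (the VoIP VLAN); stdin = one host/network per line.
build_kill_cmds() {
  src="$1"
  while read -r net; do
    [ -n "$net" ] || continue
    printf 'pfctl -k %s -k %s\n' "$src" "$net"
  done
}

# List the entries of a pf table (empty if the table is not loaded).
table_entries() {
  pfctl -t "$1" -T show 2>/dev/null | awk '{print $1}'
}

# Kill every state from $1 (VLAN CIDR) to each network in table $2.
kill_states_to_alias() {
  src="$1"; table="$2"
  table_entries "$table" | build_kill_cmds "$src" | while read -r cmd; do
    if [ "${DRY_RUN:-0}" = 1 ]; then
      echo "$cmd"
    else
      # Each line is a fixed "pfctl -k A -k B" built above, so word splitting is safe.
      $cmd
    fi
  done
}

# Kill every state created by the GUI rule whose description is $1.
# pfSense prefixes rule descriptions with "USER_RULE: " in the pf label.
kill_states_by_label() {
  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf 'pfctl -k label -k "USER_RULE: %s"\n' "$1"
  else
    pfctl -k label -k "USER_RULE: $1"
  fi
}

# Example invocation (placeholders): run after a WAN failover is detected.
# kill_states_to_alias 192.0.2.0/24 VOIP_nets
# kill_states_by_label killstates
```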

