How to assign users to rules?



  • Hello,

    I know that normally it is not possible to assign a user to a specific rule, but there are also other ways.
    I heard that it should work when I use a script (that script already enables/disables rules) that reads the username and the IP address of the user when he logs in on his computer, and then the script compares the IP address with a database where all IP addresses of the users are. Then the script simply adds the IP address, for example, to a rule that blocks internet access.
    So my question is if there are also other ways like that, because I need to compare them.

    Thanks in advance


  • Banned

    I'm not sure I understand exactly? This sounds either (possibly) really easy or pretty advanced.

    A script that compares a user's IP to a list of IPs just sounds like a static IP identifying a computer among the available pool.

    • If you have a fairly small network then this is probably best done by assigning static IPs to the computers you want to write the rule for, then create an alias including the IPs you want to write the rule for and write the rule(s) using the alias(es).

    • If your network is large or frequently adds/removes computers/MAC addresses then static IPs are probably not convenient. In this case maybe you could place the users in question on their own subnet?

    Or maybe you meant that the script contains lists of static IPs assigned to all of the devices a specific user accesses the network with?

    You mentioned user logins though; if you only want this rule to fire if specific user(s) log on to the computer(s), then that sounds either not possible on pfSense or at least pretty advanced. Maybe with Captive Portal? But the context made it sound like which user logs onto a computer, not onto the network?



  • Sorry if it's not very clear.
    I have to do a project in school, and the purpose of the project is to set up a pfSense firewall for the school and then compare if pfSense is better than the current Microsoft firewall.

    In the background is an Active Directory domain controller where all users are listed.
    For example, a teacher can give the class internet access (normally blocked) via an ASPX site, and the script then disables the block rule, which gives the students of the class internet access.
    When a student logs on to a school computer, a script writes his IP address and the username in a database.
    Then the script which enables/disables the rules looks into the database and compares if the newly logged-on student is from a class with enabled internet access, and if so, the script adds the IP address to the rule.

    I am new to pfSense, and sorry if it is still unclear.


  • Banned

    Cool project!

    What you're describing isn't something that pfSense does natively or with any packages currently available.

    You can however write scripts for pfSense, and it has a lot of tools at your disposal, especially with its packages (snort/suricata for IDS/IPS, pfBlockerNG & DNSBL w/ TLD, squid, etc.)

    Please let us know the outcome of your project!



  • The PF packet filter doesn't know about users on any other level than the local UNIX users on the pfSense system, and only the traffic initiated on the firewall/router itself can be filtered by the user/group initiating the traffic. Traffic that is forwarded from any direction through the pfSense router has no user identification information attached and can't be assigned to a user.



  • Thank you pfBasic, I will :)

    Does that mean that there is no way (even with scripting) that you can assign a user to a rule?
    Because it is a very important part of the project.


  • Rebel Alliance Global Moderator

    If your goal is to block internet access via a user, why would you not just use a proxy, which can for sure identify users from AD.

    You want to compare this to a Microsoft firewall? Do you mean ISA?? Which is a proxy.. Or their newer version TMG.. Again a proxy, and both EOL.. So yeah, pretty much anything would be better than no longer supported end-of-life products ;)



  • Take a look at NxFilter.



  • Yeah, currently the school has a Forefront TMG (ISA).

    By default the internet access for all students is blocked. The teacher can go to a website and then just selects the class (and the amount of time) he wants to give the class internet access.
    Is this possible with a squid proxy?
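The design the poster sketches in the two posts above (a logon hook that records username and IP address, a class roster from the directory, and a teacher granting a class internet access for a limited time, with a script that then adds the matching IP addresses to the allow rule) can be modelled in a few dozen lines. The block below is an added example and is not code from this thread or from pfSense; the class names, users and addresses are constructed, and pushing the resulting list into a pfSense alias or rule is left out. It also handles the two failure modes such an IP-based scheme has: a machine changing hands after a student logs off without the record being cleared, and a stale logon record granting access to whoever sits at that address later.

```python
"""Toy model of the per-user internet-access design described in the thread.

Added example, not code from the forum thread or from pfSense. It keeps three
pieces of state the poster describes: logon records (username -> IP address,
written when a student logs on), class rosters (which would come from Active
Directory), and time-limited grants set by a teacher. From these it computes
the set of IP addresses a firewall script would currently put into the
"allow internet" rule or alias. Because the firewall only ever sees an
address, not a user, the model expires logons and drops a user's claim on an
address as soon as someone else logs on there.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import ip_address


@dataclass
class AccessState:
    # username -> (ip, logon time); the most recent logon wins
    logons: dict = field(default_factory=dict)
    # class name -> set of usernames (constructed stand-in for the directory)
    rosters: dict = field(default_factory=dict)
    # class name -> time at which the teacher's grant expires
    grants: dict = field(default_factory=dict)

    def record_logon(self, username, ip, when):
        ip_address(ip)  # reject malformed input before it can reach a rule
        # A machine changed hands: drop any other user's claim on this address,
        # otherwise the previous student's grant would leak to the new user.
        for other, (other_ip, _) in list(self.logons.items()):
            if other_ip == ip and other != username:
                del self.logons[other]
        self.logons[username] = (ip, when)

    def record_logoff(self, username):
        self.logons.pop(username, None)

    def grant_class(self, class_name, minutes, now):
        self.grants[class_name] = now + timedelta(minutes=minutes)

    def allowed_ips(self, now, max_logon_age=timedelta(hours=8)):
        """Addresses that should currently be in the allow rule."""
        allowed = set()
        for class_name, expiry in self.grants.items():
            if expiry <= now:
                continue  # the teacher's time window has ended
            for user in self.rosters.get(class_name, ()):
                entry = self.logons.get(user)
                if entry is None:
                    continue  # student is not logged on anywhere
                ip, when = entry
                if now - when > max_logon_age:
                    continue  # stale record; the machine may have a new user
                allowed.add(ip)
        return sorted(allowed, key=ip_address)


def at(hour, minute):
    """Timestamp helper for the constructed scenario (one fixed school day)."""
    return datetime(2017, 3, 1, hour, minute)


def demo_state():
    """Constructed scenario: two classes, three logons, one 45-minute grant."""
    state = AccessState()
    state.rosters = {"3A": {"alice", "bob"}, "4B": {"carol"}}
    state.record_logon("alice", "10.0.1.10", at(8, 0))
    state.record_logon("bob", "10.0.1.11", at(8, 5))
    state.record_logon("carol", "10.0.1.12", at(8, 10))
    state.grant_class("3A", minutes=45, now=at(9, 0))
    return state


if __name__ == "__main__":
    s = demo_state()
    print("09:10 allowed:", s.allowed_ips(at(9, 10)))   # alice and bob
    s.record_logon("dave", "10.0.1.11", at(9, 20))        # dave takes bob's PC
    print("09:25 allowed:", s.allowed_ips(at(9, 25)))   # only alice now
    print("09:50 allowed:", s.allowed_ips(at(9, 50)))   # grant expired
```

A script driving the firewall would call `allowed_ips()` on every logon, logoff and grant change and replace the alias contents with the result, so the rule always reflects the current set rather than accumulating addresses. The proxy approach suggested later in the thread avoids this bookkeeping entirely, because the proxy authenticates the user on each request instead of inferring the user from an address.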


  • Rebel Alliance Global Moderator

    Sure that would be possible with a squid proxy..

    I am not sure if it is in the pfSense doc/how-to repository.. But a simple Google search finds this, which should get you started at least
    http://aafikry.web.id/index.php/2016/06/22/how-to-setting-squid-on-pfsense-2-3-with-authentiaction-ldap-windows/

    I have not by any means validated that the info in that link will work or is correct, but at least it is less than a year old and lists pfSense 2.3 ;) And its title is exactly what you're looking to do.



  • Thank you johnpoz, I think it will work like this :)