Netgate Discussion Forum

    Send post/get on firewall rule match?

    General pfSense Questions
      willi9999
      Is it possible to somehow implement not only a logging action when a firewall rule applies, but to start a script or issue an HTTP request?
      Currently I am watching network traffic using scapy with Python, and when the Amazon Dash button is pressed and tries to contact Amazon, the script issues an HTTP request to an API.

      As this scapy script consumes extremely many resources, and as I block the Dash button from reaching the internet anyway, I am thinking about implementing the API call via pfSense.

      Of course I could monitor the firewall log with a shell script, but this is only my second choice.

      Thanks

        Birke

        AFAIK you could use an IDS like Snort or Suricata. They can monitor/filter traffic for POST/GET.

        Do the Dash buttons get to the API via URL or IP?
        If it's via URL, then you could redirect the DNS to localhost.
        If it's via IP, then you could block the IP completely.

        But since I guess the Dash buttons have a normal IP in the LAN, why not block their internet access completely with a firewall rule?

          willi9999

          Thanks. An IDS would be the solution "shell script that monitors the logs". I would really love to have the action triggered by the process which logs or which triggers the log.

          The Dash buttons are completely blocked. The buttons just reach out to Amazon. The API call has to be made by a script. The script action is triggered by the Dash requests on the LAN. See
          https://community.smartthings.com/t/hack-the-amazon-dash-button-to-control-a-smartthings-switch/20427

            willi9999

            I have done the following and it works:

            NAT - Port Forward:

            Interface: the interface the Dash buttons are on (wifi-net)
            Protocol: TCP
            Source Address: the IP of the Dash button
            Source Ports: *
            Destination Address: *
            Destination Ports: 443 (as the Dash buttons try to establish an SSL connection to Amazon when pressed)
            NAT IP: the IP of the computer on the net which shall receive the info that the Dash buttons try to connect to the internet, aka have been pressed
            NAT Ports: 4321 (any one does, no port range needed, as the buttons only try to connect to :443)
            Corresponding Firewall Rule: Pass

            On the NAT IP machine I can receive the connection requests using scapy in Python:

            from scapy.all import IP, sniff

            # store=0 keeps captured packets out of memory; prn runs for each
            # packet as it arrives and prints the sender (the Dash button).
            sniff(filter="tcp and port 4321", store=0,
                  prn=lambda pkt: print(pkt[IP].src))

            Every button press generates 5 requests.

            Problem: scapy uses a lot of resources, it will take ~30% CPU on a Raspberry Pi B.

            Problem 2: I didn't manage to use the socket module, as the buttons don't really connect, they just send an SSL SYN and receive multiple ACKs from the NAT IP.

            Here's what Wireshark shows (running on the NAT IP machine; *.127 is the Dash button, *.125 is the NAT IP client machine):
            https://ibb.co/hwwi55

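The setup above (port-forward the button's :443 SYNs to a LAN host on 4321, then react to them) can be served without scapy. The following is an added example, not the poster's code: it reads frames from a Linux AF_PACKET raw socket, parses just enough Ethernet/IPv4/TCP to recognise a bare SYN to the forwarded port, collapses the five retries of one press into a single event, and fires a webhook. Everything not in the thread is an assumption: Linux and root, the interface name "eth0", the webhook URL, and the 5-second debounce window. The constructed frame builder exists only so the parser can be exercised offline.

```python
"""Lightweight Dash-button press detector for the NAT-forwarded SYNs.

Added example (not the forum poster's code). It replaces scapy with a Linux
AF_PACKET raw socket and a hand-rolled SYN parser, and collapses the ~5 SYNs
of one press into a single event before calling a webhook.

Assumptions (not from the thread): Linux, run as root, interface "eth0",
forwarded port 4321 as in the post, and a hypothetical webhook URL.
"""
import json
import socket
import struct
import time
import urllib.request

ETH_HLEN = 14
ETH_P_IP = 0x0800
IPPROTO_TCP = 6
TCP_SYN = 0x002
TCP_ACK = 0x010
WEBHOOK_URL = "http://127.0.0.1:8080/dash-pressed"  # hypothetical endpoint


def parse_syn(frame: bytes, port: int):
    """Return the IPv4 source address if `frame` is a bare TCP SYN (no ACK) to `port`, else None."""
    if len(frame) < ETH_HLEN + 20 or struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
        return None
    ip = frame[ETH_HLEN:]
    if ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4
    if ihl < 20 or ip[9] != IPPROTO_TCP or len(ip) < ihl + 20:
        return None
    tcp = ip[ihl:]
    _sport, dport, _seq, _ack, offset_flags = struct.unpack("!HHIIH", tcp[:14])
    flags = offset_flags & 0x01FF  # low 9 bits: NS CWR ECE URG ACK PSH RST SYN FIN
    if dport != port or not (flags & TCP_SYN) or (flags & TCP_ACK):
        return None
    return socket.inet_ntoa(ip[12:16])


class PressDetector:
    """Turns a burst of SYN retries from one button into one press event."""

    def __init__(self, port: int = 4321, debounce_s: float = 5.0):
        self.port = port
        self.debounce_s = debounce_s
        self._last = {}  # source IP -> monotonic time of the last reported press

    def feed(self, frame: bytes, now: float = None):
        """Return the button's IP if `frame` starts a new press, else None."""
        src = parse_syn(frame, self.port)
        if src is None:
            return None
        now = time.monotonic() if now is None else now
        last = self._last.get(src)
        if last is not None and now - last < self.debounce_s:
            return None  # retry SYN of a press that was already reported
        self._last[src] = now
        return src


def notify(src_ip: str, url: str = WEBHOOK_URL) -> int:
    """POST a JSON event to the webhook and return the HTTP status."""
    body = json.dumps({"event": "dash_pressed", "button_ip": src_ip}).encode()
    req = urllib.request.Request(url, data=body, headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.status


def build_syn_frame(src_ip, dst_ip, sport, dport, flags=TCP_SYN) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame for offline testing (checksums left zero)."""
    eth = bytes(12) + struct.pack("!H", ETH_P_IP)
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 0, (5 << 12) | flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64,
                     IPPROTO_TCP, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp


def run(iface: str = "eth0", port: int = 4321, url: str = WEBHOOK_URL):
    """Sniff the interface and fire the webhook once per button press."""
    sock = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_IP))
    sock.bind((iface, 0))
    detector = PressDetector(port)
    while True:
        src = detector.feed(sock.recv(65535))
        if src is not None:
            print(f"button {src} pressed -> webhook status {notify(src, url)}")


if __name__ == "__main__":
    run()
```

Because it only observes the SYN, nothing needs to listen on 4321 and no handshake is completed. The raw socket still hands every IPv4 frame on the interface to userspace, so on a busy interface attach a kernel BPF filter via the Linux SO_ATTACH_FILTER socket option, or leave the NAT target as a host that sees little other traffic; either way the per-packet work here is a few struct unpacks rather than a full scapy dissection.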
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.