Toggle rules or rulesets via php or perl?



  • A customer asks me for the possibility to somehow build some simplified webGUI to toggle firewall rules or rulesets:

    for example: allow the TV-set to access internet (nanny should be able to click that one red button, but not be allowed to access pfsense itself)

    Ideally he would like to be able to integrate that into his FHEM-based (https://fhem.de/) home automation setup.

    Is there a way to do that?



  • Hi,

    Short answer : noop.
    As far as I know, there is no API.

    But : you said "client", so maybe : yes ;)

    If "php" doesn't scare you, have a look at this GUI page : Diagnostics => Backup & Restore => Backup & Restore and check out the restore part, at the bottom of the page.
    Done that, see this file : /usr/local/www/diag_backup.php

    Your mission : throw out all the backup stuff, most of the "restore" stuff, hard-lock the restore part to "firewall rules" - no need to choose the file, write two identical functions, one with the "all the firewall rules and the rule that stops the tv" file hard-coded and another one with the "all the firewall rules and the rule that enables the tv" file hard-coded.
    These two firewall rule files are easy to generate : make them yourself with the "export" or "backup" function (choose "firewall" only).

    Up to you to make a stand alone page - or, have it integrated into the GUI. Two huge buttons and done.

    The good news is that pfSense does not need to be restarted when firewall rules change, but double check that 'states' are flushed.

    Btw : Check : You probably have to reload all the firewall rules for all the interfaces.
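
Added example, not part of the original post and not pfSense code: before two hard-coded restore files are wired to a button for an unprivileged user, this check confirms they differ only in the enabled state of the one intended rule. The sample export, the rule descriptions and the function names are constructed; it assumes a firewall-only export holds `<rule>` elements with a `<descr>` child and marks a disabled rule with a `<disabled>` child.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a firewall-only export; addresses and names are made up.
SAMPLE = """<filter>
  <rule><type>block</type><interface>lan</interface>
    <source><address>192.168.1.50</address></source>
    <destination><any/></destination><descr>Block TV internet</descr></rule>
  <rule><type>pass</type><interface>lan</interface>
    <source><network>lan</network></source>
    <destination><any/></destination><descr>Default allow LAN to any</descr></rule>
</filter>"""

def set_rule_state(xml_text, descr, enabled):
    """Return the export with the single rule named `descr` enabled or disabled."""
    root = ET.fromstring(xml_text)
    hits = [r for r in root.iter("rule") if r.findtext("descr") == descr]
    if len(hits) != 1:
        raise ValueError(f"expected one rule named {descr!r}, found {len(hits)}")
    for flag in hits[0].findall("disabled"):
        hits[0].remove(flag)
    if not enabled:
        ET.SubElement(hits[0], "disabled")  # assumed: tag presence disables the rule
    return ET.tostring(root, encoding="unicode")

def _canon(rule):
    """Canonical XML of a rule with its <disabled> flag left out."""
    clone = ET.fromstring(ET.tostring(rule))
    for flag in clone.findall("disabled"):
        clone.remove(flag)
    return ET.canonicalize(ET.tostring(clone, encoding="unicode"), strip_text=True)

def changed_rules(xml_a, xml_b):
    """List (descr, change) for each rule that differs between two exports."""
    a = list(ET.fromstring(xml_a).iter("rule"))
    b = list(ET.fromstring(xml_b).iter("rule"))
    if len(a) != len(b):
        return [("<ruleset>", "rule count differs")]
    changes = []
    for ra, rb in zip(a, b):
        if _canon(ra) != _canon(rb):
            changes.append((ra.findtext("descr"), "content differs"))
        elif (ra.find("disabled") is None) != (rb.find("disabled") is None):
            changes.append((ra.findtext("descr"), "enabled state differs"))
    return changes

if __name__ == "__main__":
    tv_blocked = set_rule_state(SAMPLE, "Block TV internet", enabled=True)
    tv_allowed = set_rule_state(SAMPLE, "Block TV internet", enabled=False)
    print(changed_rules(tv_blocked, tv_allowed))
```

Any result other than a single "enabled state differs" entry for the intended rule means the two files would change more than the button is supposed to.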





  • oh, that sounds way too scary to me!
    I simply look for the equivalent of scripting the click on the checkbox on the page "Firewall Rules" : enable/disable one rule





  • @sgw:

    @Grimson:

    https://doc.pfsense.org/index.php/Adding_Rules_With_easyrule

    This isn't the requested functionality.

    From the above:

    The source code of those scripts can be adapted for adding firewall rules in other ways, but that is left as an exercise for the reader.

    So start working and earn that money from your client.



  • @Grimson:

    From the above:

    The source code of those scripts can be adapted for adding firewall rules in other ways, but that is left as an exercise for the reader.

    So start working and earn that money from your client.

    I now took a closer look, yes, that might help! Thanks!