Netgate Discussion Forum

pfSense reload pfctl rules

General pfSense Questions
  • dre2007
    last edited by Jul 7, 2018, 3:15 PM

    Afternoon,

    I am trying to find out how I can apply my changes to the firewall which I made via SSH.
    I made an update to one of my firewall rules and need to apply it now.

    I read about the command pfctl -f /etc/pf.conf; however, this file (pf.conf) doesn't seem to exist in the /etc directory on my pfSense server when I do an ls -l in the /etc directory.

    Does anyone know how I can find out which filter rules file is currently loaded, so I can change the /etc/pf.conf to the correct path?

    Many thanks in advance.

    André

    • stephenw10 Netgate Administrator
      last edited by Jul 7, 2018, 4:46 PM

      The generated ruleset is in /tmp/rules.debug:
      https://www.netgate.com/docs/pfsense/firewall/firewall-rule-troubleshooting.html#ruleset-loading

      But, how did you make the change to the rules from SSH?
      I suspect you may lose those changes.

      A better option might be to use the easyrule command:
      https://www.netgate.com/docs/pfsense/firewall/adding-rules-with-easyrule.html

      Steve

      • dre2007
        last edited by dre2007 Jul 7, 2018, 5:35 PM

        Hi Stephenw10,

        Thank you very much for your reply.
        I will dig into that.

        Perhaps I should be more clear, sorry for that.
        My purpose is to do the following:
        - monitor event logs for external logins (hack attempts) on an RD Gateway server
        - once an IP is hit more than 10 times in 1 minute, automatically set up a PuTTY session and send keystrokes with the IP to add the IP to my firewall alias, which blocks the bad guy

        I was thinking about pfctl -t hackrule and then adding the IP.
        Once I do a pfctl -t hackrule -T show I see the IP, but it was not yet loaded and active, hence my question in this forum.

        Perhaps not the most professional way, but I am just wondering how I can apply the new IP in the alias in the firewall rule so it is active straight away.
        Which command do I need to execute to reload the firewall so the IP is included?

        The command "pfctl -f /tmp/rules.debug" didn't do the trick unfortunately.
        If I do a pfctl -t hacklog -T show it shows the IP I added.
        Once I run pfctl -f /tmp/rules.debug it disappears like I never added it :-(

        • stephenw10 Netgate Administrator
          last edited by Jul 7, 2018, 6:41 PM

          Yes, as you found you can't manually change the ruleset as it will be overwritten by the generated rules the next time there is a filter-reload.

          A better option here would be to use a URL alias. When you use that in a firewall rule it will pull in the list from an external source. That way you can maintain that list with a script wherever it exists. You would need to trigger a filter reload to update it though.
          https://www.netgate.com/docs/pfsense/firewall/aliases.html#url-alias

          You might also do that using the pfBlocker package where you can schedule updates for aliases easily.

          Steve

          • dre2007
            last edited by Jul 7, 2018, 7:39 PM

            Thumbs up :-)

            Thanks, you are helping me out here.
            I don't have the time to log on and verify yet, but it looks promising.
            If I understand correctly, I can host a txt file with several IP / CIDR ranges, which it pulls from the internet and loads itself.
            However, how do I trigger the filter reload with, for example, a cron job?
            That is my biggest struggle till now.

            Thanks again

            • stephenw10 Netgate Administrator
              last edited by Jul 8, 2018, 12:25 AM

              If you use the pfBlocker package you can set the update interval against the custom list.

              If you need to trigger the update immediately via a script I believe you can use:
              /etc/rc.update_urltables now

              Steve

              • dre2007 @stephenw10
                last edited by dre2007 Jul 8, 2018, 3:18 PM
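              The URL-alias approach from the two replies above (a hosted text file of IPv4 addresses or CIDR ranges, refreshed with /etc/rc.update_urltables now), as an added example that is not from this thread or from pfSense itself. BLOCKLIST is an assumed path; use whatever file your web server publishes at the alias URL.

```shell
#!/bin/sh
# Added example, not from the thread or pfSense: maintain the text file that a
# pfSense URL alias fetches (one IPv4 address or CIDR per line), then ask pfSense
# to refresh its URL tables. BLOCKLIST is an assumed path.
BLOCKLIST="${BLOCKLIST:-/var/www/blocklist.txt}"

# Exit status 0 if $1 is a well-formed IPv4 address or IPv4/prefix, else 1.
# Runs in a subshell so the IFS change and glob disabling stay local.
valid_v4_entry() (
    set -f
    entry=$1
    addr=${entry%%/*}
    case $entry in */*) prefix=${entry#*/} ;; *) prefix=32 ;; esac
    case $prefix in ''|*[!0-9]*) exit 1 ;; esac
    [ "$prefix" -le 32 ] || exit 1
    case $addr in ''|*.) exit 1 ;; esac   # reject empty address or trailing dot
    IFS=.
    set -- $addr
    [ $# -eq 4 ] || exit 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) exit 1 ;; esac
        [ "$octet" -le 255 ] || exit 1
    done
    exit 0
)

# Append $1 to the list if it is valid and not already present.
# Returns 0 when added, 2 when already listed, 1 when rejected.
add_block_entry() {
    valid_v4_entry "$1" || return 1
    touch "$BLOCKLIST"
    if grep -qxF -- "$1" "$BLOCKLIST"; then
        return 2
    fi
    printf '%s\n' "$1" >> "$BLOCKLIST"
}

# Pull the updated list into the URL table aliases right away, using the
# command named in the thread; skipped when not running on a pfSense box.
refresh_urltables() {
    if [ -x /etc/rc.update_urltables ]; then
        /etc/rc.update_urltables now
    else
        echo "not on pfSense: would run /etc/rc.update_urltables now" >&2
    fi
}
```

Run add_block_entry from the process that detects the login failures, then call refresh_urltables on the firewall (for example over SSH); the alias only changes when pfSense re-fetches the file.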

                @stephenw10
                I had good hope with your command, but it doesn't do the trick.
                It doesn't give me an error, but once I verify in pfSense whether the IP alias has been updated with the newly added IP, it isn't there.
                Could it be that the command should be like /etc/rc.update_iptables now, since I am using IP addresses?

                PS: I tried /etc/rc.update_alias_url_data now, but that also doesn't do the trick :-( It is not being updated in the GUI when I check the aliases, so I assume it doesn't update the configuration after adding an IP in the alias.

                • stephenw10 Netgate Administrator
                  last edited by stephenw10 Jul 8, 2018, 4:06 PM

                  When I run that command I see this in the system logs (reversed):

                  Jul 8 12:30:23 	php-cgi 		rc.update_urltables: /etc/rc.update_urltables: pfB_Spamhaus does not need updating.
                  Jul 8 12:30:23 	php-cgi 		rc.update_urltables: /etc/rc.update_urltables: pfB_NAmerica_v4 does not need updating.
                  Jul 8 12:30:23 	php-cgi 		rc.update_urltables: /etc/rc.update_urltables: Starting URL table alias updates
                  Jul 8 12:30:00 	php-cgi 		rc.update_urltables: /etc/rc.update_urltables: Starting up. 

                  Those are url aliases added by pfBlocker that point to lists of IPs.
                  Do you not see that logged for your custom alias?

                  Steve
