PfSense reload pfctl rules

  • Afternoon,

    I am trying to find out how I can apply my changes to the firewall which I made via SSH.
    I made an update to one of my firewall rules and need to apply it now.

    I read about the command pfctl -f /etc/pf.conf however this file (pf.conf) doesn't seem to exist in the /etc directory on my pfsense server if I do a ls -l in the /etc directory.

    Anyone knows how I can find out which filterrules file is currently loaded so I can change the /etc/pf.conf to the correct path?

    Many thanks in advance.


  • Netgate Administrator

    The generated ruleset is in /tmp/tules.debug:

    But, how did you make the change to the rules from SSH?
    I suspect you may lose those changes.

    A better option might be to use the easyrule command:


  • Hi Stephenw10,

    Thank you very much for your reply.
    will dig into that.

    Pehaps I should be more clear, sorry for that.
    My purpose is to do the following;
    -monitor eventlogs for external logins ( hack attempts ) on a rd gateway server
    -Once an IP is hit for more then 10 times in 1 minute automatically setup a putty session and send keystroke with the IP to add the IP to my firewall alias which blocks the bad guy

    I was thinking about pfctl -t hackrule and then add the IP.
    Once I do a pfctl -t hackrule -T show I noticed the IP but it was not yet loaded and active hence my question in this forum.

    Perhaps not the most professional way but I am just wondering how I can apply the new IP in the alias in the fw rule so it is active straight away.
    Which command do I need to execute to reload the firewall so the IP is included?

    The command "pfctl -f /tmp/rules.debug" didn't do the trick unfortunately.
    If I do a pfctl -t hacklog -T show it shows the IP I added.
    Once I run pfctl -f /tmp/rules.debug it disappears like I never added it :-(

  • Netgate Administrator

    Yes, as you found you can't manually change the ruleset as it will be overwritten by the generated rules the next time there is a filter-reload.

    A better option here would be to use a URL alias. When you use that in a firewall rule it will pull in the list from an external source. That way you can maintain that list with a script wherever it exists. You would need to trigger a filter reload to update it though.

    You might also do that using the pfBlocker package where you can schedule updates for aliases easily.


  • Thumbs up :-)

    Thanks you are helping me out here.
    Don't have the time to logon and verify yet but looks prommising.
    If I understand correctly, I can host a txt file with several IP / CIDR ranges which it pulls from the internet and uploads itself.
    However, how to I trigger the filter reload with, for example, a cron job?
    That is my biggest struggle till now.

    Thanks again

  • Netgate Administrator

    If you use the pfBlocker package you can set the update interval against the custom list.

    If you need to trigger the update immediately via a script I believe you can use:
    /etc/rc.update_urltables now


  • @stephenw10
    I had good hope with your command but it doesn't do the trick.
    It doesn't give me an error but once I verify in PfSense if the IP alias has been updated with the new added IP it isn't there.
    Could it be that the command should be like /etc/rc.update_iptables now since I am using IP addresses?

    Ps.: I tried /etc/rc.update_alias_url_data now but that also doesn't do the trick :-( it is not being updated in the GUI when I check the aliasses so I assume it doesn't update the configuration after adding an IP in the alias

  • Netgate Administrator

    When I run that command I see this in the system logs (reversed):

    Jul 8 12:30:23 	php-cgi 		rc.update_urltables: /etc/rc.update_urltables: pfB_Spamhaus does not need updating.
    Jul 8 12:30:23 	php-cgi 		rc.update_urltables: /etc/rc.update_urltables: pfB_NAmerica_v4 does not need updating.
    Jul 8 12:30:23 	php-cgi 		rc.update_urltables: /etc/rc.update_urltables: Starting URL table alias updates
    Jul 8 12:30:00 	php-cgi 		rc.update_urltables: /etc/rc.update_urltables: Starting up. 

    Those are url aliases added by pfBlocker that point to lists of IPs.
    Do you not see that logged for your custom alias?


Log in to reply