Netgate Discussion Forum

Add Custom Tables

General pfSense Questions
9 Posts 5 Posters 1.0k Views
meaglerick (Nov 11, 2019, 5:48 PM)

I'm writing a custom script that should import tables into the pfSense firewall.

Where does pfSense store the tables it uses to enforce rules? sshguard, virusprot, or aliases?

I have looked through the documentation but cannot seem to find it there. Thank you.
KOM (Nov 11, 2019, 6:34 PM)

Tables? What are you talking about? Do you mean iptables? pfSense uses pf, not iptables.
meaglerick (Nov 11, 2019, 6:38 PM)

Not iptables, but the custom tables that pfSense reads to make rules, i.e. I create a custom Alias table called "streaming_services" and add "netflix.com, youtube.com, prime.amazon.com".

Is there a way for me to interact with these from FreeBSD by writing a script?
KOM (Nov 11, 2019, 6:43 PM)

Try the pfctl command.
stephenw10, Netgate Administrator (Nov 14, 2019, 10:49 PM)

If you use a URL alias in pfSense it will pull in an alias and make a table from it for you.

Or use pfBlocker to do it for more options. You can probably just use pfBlocker instead of a custom script, in fact.

Steve
sabinlal28 (Nov 15, 2019, 10:42 AM)

I think you are looking for this: /var/db/

Note: if you overload the alias table you might face issues in the firewall part. According to pfSense, the max data store of an alias table is around 1000 IP addresses. The number might be off, please check the pfSense book for that.
meaglerick @stephenw10 (Nov 17, 2019, 2:36 AM)

@stephenw10 I see the DNSBL IP section to whitelist or blacklist top level domain names. Would there be a way I can use this to create separate firewall rules that allow split routing? I'm trying to have most traffic go out my VPN gateway, but anything destined for *.netflix.com, *.nflx.net, or *.netflix.video go out my WAN interface so that Netflix will stop blocking all my traffic. I haven't found a place to define wildcards on any subdomain names to date.

Thank you.
Konstanti @meaglerick (Nov 17, 2019, 7:07 AM, last edited by Konstanti Nov 17, 2019, 7:14 AM)

@meaglerick

Hello
I don't think this can be implemented by standard PF means. And using aliases for this will not help solve the problem. The TTL value in DNS responses for Netflix servers is very small and there are many Netflix servers, so each DNS server returns a different IP in its responses.
Netflix uses these domains for its work:
netflix.com
nflxso.net
nflxvideo.net
nlfximg.net

To split the traffic, you can examine the responses from the DNS server and then manually enter data about the networks (not hosts) that Netflix uses into the PF tables. But this list of these networks is constantly updated.

Or you can write a program that will analyze the responses from the DNS server and put these responses in the PF tables.
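The script below is an added example, not code posted in this thread or shipped by pfSense. It shows the approach KOM (use pfctl) and Konstanti (take the addresses a resolver returns and put them in a PF table) describe, and it applies the table-size caution sabinlal28 raised by checking the count against pf's own table-entries limit before loading. It assumes `drill` (from ldns, present on pfSense) as the resolver and `pfctl` for loading; both steps run only when those tools exist and arguments are given, so the parsing functions can be exercised on any POSIX shell. The resolver output in `sample_resolver_output` is constructed for the offline check and is not real Netflix data.

```shell
#!/bin/sh
# Added example (not from the thread): build a pf table from the A records a
# resolver returns for a list of domains, then load it with pfctl.

# Keep the address field of A-record lines in drill/dig style output
# ("name. ttl IN A 203.0.113.10"); AAAA, CNAME and ";;" comment lines are dropped.
extract_a_records() {
    awk '$3 == "IN" && $4 == "A" { print $5 }'
}

# Keep only well-formed IPv4 addresses or CIDR prefixes, de-duplicated, so a
# garbled resolver line can never reach pf.
filter_ipv4() {
    awk '{
        for (i = 1; i <= NF; i++) {
            n = split($i, o, "/")
            if (n > 2 || split(o[1], q, ".") != 4) continue
            ok = 1
            for (j = 1; j <= 4; j++)
                if (q[j] !~ /^[0-9]+$/ || q[j] + 0 > 255) ok = 0
            if (n == 2 && (o[2] !~ /^[0-9]+$/ || o[2] + 0 > 32)) ok = 0
            if (ok) print $i
        }
    }' | sort -u
}

# Constructed resolver output for the offline check (not real data).
sample_resolver_output() {
    printf '%s\n' \
        ';; ANSWER SECTION:' \
        'example-streaming.test. 60 IN A 203.0.113.10' \
        'example-streaming.test. 60 IN A 203.0.113.9' \
        'example-streaming.test. 60 IN A 203.0.113.10' \
        'cdn.example-streaming.test. 60 IN AAAA 2001:db8::1' \
        'cdn.example-streaming.test. 60 IN A 198.51.100.7' \
        'bogus.test. 60 IN A 999.1.1.1'
}

# Resolve each domain given as an argument with drill (assumed present, as on pfSense).
resolve_domains() {
    for d in "$@"; do
        drill "$d" A 2>/dev/null | extract_a_records
    done
}

# Hard limit on table entries as reported by `pfctl -s memory` (empty if pfctl is absent).
table_entry_limit() {
    pfctl -s memory 2>/dev/null | awk '$1 == "table-entries" { print $4 }'
}

# Replace the whole table in one operation so stale addresses drop out, after
# checking the entry count against the pf limit.
load_table() {
    table="$1"; file="$2"
    count=$(wc -l < "$file" | tr -d ' ')
    limit=$(table_entry_limit)
    if [ -n "$limit" ] && [ "$count" -ge "$limit" ]; then
        echo "refusing to load $count entries: table-entries hard limit is $limit" >&2
        return 1
    fi
    pfctl -t "$table" -T replace -f "$file"
}

# Usage on pfSense: sh build_table.sh streaming_services netflix.com nflxvideo.net
# The first argument is the pf table name; the rest are domains to resolve.
if [ "$#" -ge 2 ] && command -v drill >/dev/null 2>&1 && command -v pfctl >/dev/null 2>&1; then
    table_name="$1"; shift
    tmp=$(mktemp) || exit 1
    resolve_domains "$@" | filter_ipv4 > "$tmp"
    load_table "$table_name" "$tmp"
    rm -f "$tmp"
fi
```

Because pfSense regenerates its ruleset from config.xml, define the alias in the GUI so the table is part of the loaded ruleset, and let the script only refresh the table's contents. Given the short TTLs Konstanti mentions, run it from cron at a matching interval; `-T replace` keeps the table consistent between runs instead of accumulating addresses that the service no longer uses.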
stephenw10, Netgate Administrator (Nov 17, 2019, 11:32 AM)

Yes, there's no way to do that directly. You can try using the Netflix ASN in pfBlocker to create an alias then use that in a policy routing rule. https://forum.netgate.com/post/848939

Steve