Add Custom Tables



  • I'm writing a custom script that should import tables into the pfsense firewall.

    Where does pfsense store the tables it uses to enforce rules? sshguard, virusprot, or aliases?

    I have looked through the documentation but cannot seem to find it there. Thank you.



  • Tables? What are you talking about? Do you mean iptables? pfSense uses pf, not iptables.



  • Not iptables, but the custom tables that pfSense reads to make rules, i.e. I create a custom Alias table called "streaming_services" and add "netflix.com, youtube.com, prime.amazon.com".

    Is there a way for me to interact with these from FreeBSD by writing a script?



  • Try the pfctl command.


  • Netgate Administrator

    If you use a URL alias in pfSense it will pull in an alias and make a table from it for you.

    Or use pfBlocker to do it for more options. You can probably just use pfBlocker instead of a custom script in fact.

    Steve



  • I think you are looking for this: /var/db/
    Note: if you overload the alias table you might face issues in the firewall part. According to pfSense, the maximum an alias table stores is around 1000 IP addresses. The number might be wrong; please check the pfSense book for that.



  • @stephenw10 I see the DNSBL IP section to whitelist or blacklist top level domain names. Would there be a way I can use this to create separate firewall rules that allow split routing? I'm trying to get after having most traffic go out my VPN gateway, but then anything destined for *.netflix.com, *.nflx.net, or *.netflix.video out my WAN interface so that Netflix will stop blocking all my traffic. I haven't found a place to define wildcards on any subdomain names to date.

    Thank you.



  • @meaglerick

    Hello
    I don't think this can be implemented by standard PF means. And using aliases for this will not help solve the problem. The TTL value in DNS responses for Netflix servers is very small and there are many Netflix servers, so each DNS server returns a different ip in its responses.
    Netflix uses domains for its work
    netflix.com
    nflxso.net
    nflxvideo.net
    nlfximg.net

    To split the traffic, you can examine the responses from the DNS server and then manually enter data about the networks (not hosts) that Netflix uses into the PF tables. But this list of these networks is constantly updated.

    Or you can write a program that will analyze the responses from the DNS server and put these responses in the PF tables.
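
    The two suggestions above, "try the pfctl command" and "write a program that analyses the DNS responses and puts them in the PF tables", combined into one added example (not code from any poster or from pfSense). It is a POSIX shell script for the FreeBSD shell on the firewall; the table name, the addresses and the drill(1) answer lines used in dry-run mode are constructed, and pfctl and drill are only invoked when DRY_RUN is unset.

```shell
#!/bin/sh
# Added example (not from the thread): maintain a pf table from pfSense/FreeBSD.
# Assumptions: table name, addresses and DNS answers below are constructed;
# pfctl and drill are only invoked when DRY_RUN is unset.

# pf tables hold addresses and networks only, never hostnames.
is_ipv4_net() {
    printf '%s\n' "$1" | awk -F'[./]' '
        NF < 4 || NF > 5 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1
          if (NF == 5 && ($5 !~ /^[0-9]+$/ || $5 > 32)) exit 1 }'
}

# Pull A records out of drill(1) answer lines ("name. TTL IN A addr").
# Netflix answers carry a small TTL, so this has to be re-run from cron.
addresses_from_answers() {
    awk '$3 == "IN" && $4 == "A" { print $5 }'
}

# Resolve one hostname to addresses (real lookup unless DRY_RUN is set,
# in which case the constructed answer stands in for any name).
resolve_host() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$CONSTRUCTED_ANSWERS" | addresses_from_answers
    else
        drill "$1" A | addresses_from_answers
    fi
}

# Expand a pfSense-style alias string ("netflix.com, 10.0.0.0/8") into
# one table entry per line: networks pass through, hostnames are resolved.
alias_to_entries() {
    printf '%s\n' "$1" | tr ',' '\n' | tr -d ' ' | grep -v '^$' | while read -r e; do
        if is_ipv4_net "$e"; then printf '%s\n' "$e"; else resolve_host "$e"; fi
    done | sort -u
}

# Replace the table atomically: -T replace loads the file and drops stale entries.
# pfSense rebuilds tables on a filter reload, so keep the alias defined in the
# GUI too, or this content is gone after the next reload.
load_table() {
    file=$(mktemp) || return 1
    alias_to_entries "$2" > "$file"
    if [ -n "$DRY_RUN" ]; then
        printf 'pfctl -t %s -T replace -f %s\n' "$1" "$file"
    else
        pfctl -t "$1" -T replace -f "$file" && pfctl -t "$1" -T show
    fi
    rm -f "$file"
}
```

    Run it from cron as `load_table streaming_services 'netflix.com, 10.0.0.0/8'`; with DRY_RUN=1 it prints the pfctl command instead of executing it.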


  • Netgate Administrator

    Yes, there's no way to do that directly. You can try using the Netflix ASN in pfBlocker to create an alias then use that in a policy routing rule. https://forum.netgate.com/post/848939

    Steve

