Creating firewall rule via ssh
-
Hi, I have been trying to create firewall rules remotely via ssh.
So what I have been doing is:
- Connect via ssh and read /conf/config.xml with cat
- Add a new rule to the filter section like this:
<rule>
  <type>pass</type>
  <ipprotocol>inet</ipprotocol>
  <descr>remote ssh test description</descr>
  <interface>lan</interface>
  <tracker>1591784472</tracker>
  <source>
    <network>lan</network>
  </source>
  <destination>
    <any/>
  </destination>
</rule>
- Upload and Overwrite the current /conf/config.xml file
- Delete the /tmp/config.cache file
- Reload the config using /etc/rc.filter_configure or /etc/rc.reload_all
This seems to work.
For the tracker I have been using the current unix time, but I have noticed that autogenerated / special rules have special values there. Are there ranges specified somewhere for these special rules?
Also, what is the id element in rules for? It is only there for some rules, and it is also empty.
And can I add custom elements and/or attributes to rules without them being removed?
-
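The "add a rule to the filter section" step of the procedure above, as an added example that is not from this thread or from pfSense itself. It parses a constructed minimal config.xml (not a real pfSense config), appends a pass rule using the element names from the rule posted above, and refuses to reuse a tracker value that is already present, since a duplicate tracker would make the new rule indistinguishable from an existing one in the rule state and logs. The helper names (add_pass_rule, rule_trackers, remote_apply_commands) are mine, not pfSense APIs.

```python
import time
import xml.etree.ElementTree as ET

# Constructed stand-in for /conf/config.xml: only the parts this example touches.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <filter>
    <rule>
      <type>pass</type>
      <ipprotocol>inet</ipprotocol>
      <descr>Default allow LAN to any rule</descr>
      <interface>lan</interface>
      <tracker>0100000101</tracker>
      <source><network>lan</network></source>
      <destination><any/></destination>
    </rule>
  </filter>
</pfsense>
"""


def _child(parent, tag, text=None):
    """Append a child element with optional text and return it."""
    el = ET.SubElement(parent, tag)
    if text is not None:
        el.text = text
    return el


def rule_trackers(config_xml):
    """List the <tracker> values of every rule in <filter>, in file order."""
    root = ET.fromstring(config_xml)
    return [r.findtext("tracker") for r in root.iterfind("filter/rule")]


def add_pass_rule(config_xml, interface, descr, src_network="lan", tracker=None):
    """Append a pass rule to <filter> and return (new_xml, tracker).

    tracker defaults to the current unix time, as the post above does.
    A tracker already present in the config is rejected rather than duplicated.
    """
    root = ET.fromstring(config_xml)
    filt = root.find("filter")
    if filt is None:
        filt = ET.SubElement(root, "filter")
    if tracker is None:
        tracker = str(int(time.time()))
    if tracker in set(rule_trackers(config_xml)):
        raise ValueError(f"tracker {tracker} is already used by another rule")

    rule = ET.SubElement(filt, "rule")
    _child(rule, "type", "pass")
    _child(rule, "ipprotocol", "inet")
    _child(rule, "descr", descr)
    _child(rule, "interface", interface)
    _child(rule, "tracker", tracker)
    _child(_child(rule, "source"), "network", src_network)
    _child(_child(rule, "destination"), "any")

    # ElementTree drops the XML declaration; put it back so the file
    # looks like the one we read.
    body = ET.tostring(root, encoding="unicode")
    return '<?xml version="1.0"?>\n' + body, tracker


def remote_apply_commands():
    """The remaining steps from the post, as the commands run over ssh after
    the edited file has been uploaded over /conf/config.xml."""
    return ["rm -f /tmp/config.cache", "/etc/rc.filter_configure"]


if __name__ == "__main__":
    new_xml, trk = add_pass_rule(SAMPLE_CONFIG, "lan", "remote ssh test description")
    # Re-parse before uploading: a config.xml that does not parse locks you
    # out of the GUI until it is repaired from the console.
    ET.fromstring(new_xml)
    print(f"added rule with tracker {trk}; rules now: {rule_trackers(new_xml)}")
```

The script only produces the new file contents; copying it over /conf/config.xml and running the commands from remote_apply_commands() are left to whatever ssh/scp step you already use. Re-parsing the result before upload is the one check worth keeping: editing config.xml by hand skips the validation the GUI performs, and a malformed file is rejected on reload.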
While this is a fine question, this is not the forum for it. This is the development forum for identifying and first stage troubleshooting new versions of pfsense before they are released.
Perhaps you should post in:
https://forum.netgate.com/category/4/firewalling
I'm afraid I test a lot of things, but manually making a rule via text editor is not one of them. ^^ probably better luck on the actual firewall section of the forum.
-
@skogs said in Creating firewall rule via ssh:
While this is a fine question, this is not the forum for it. This is the development forum for identifying and first stage troubleshooting new versions of pfsense before they are released.
It actually is the right place. It's not a question about firewalling, but about programming. Which is a form of development.
-
Hello!
While I haven't had the need to play with it yet, the interface documented here looks pretty cool:
https://docs.netgate.com/pfsense/en/latest/development/using-the-php-pfsense-shell.html
Maybe you could use it to create rules in the config.
John
-
There are existing examples in the code for doing this as well. Start here:
https://github.com/pfsense/pfsense/blob/master/src/usr/local/bin/easyrule
https://github.com/pfsense/pfsense/blob/master/src/etc/inc/easyrule.inc