Netgate Discussion Forum

    Non-web based way to enable/disable rules or modify aliases?

JS50

      Hi all.

      I fear that I already know the answer to what I'm about to ask...

      Is there a way to enable and disable rules from the command line or some non-web mechanism?

I've been searching for an answer to this, and I'm finding either (1) answers that don't really address this, or (2) unanswered queries. Some of the queries/requests date back ~10 years, so some of the suggestions for those don't seem to apply anymore since pfSense has changed over the years. I'm hoping that there now is a (relatively) easy non-web way of enabling/disabling rules or aliases.

      Thanks.

bmeeks

        No, you can't dynamically add or remove specific rules. You could dump the existing rules to a file, alter or edit the file to add or remove rules, and then reload the new set of rules by loading the modified file into pf again. But that is not an easy thing to script.

        Here is a link to the FreeBSD forum where this question was asked: https://forums.freebsd.org/threads/pfctl-dynamically-add-and-remove-rules-from-commandline.66441/.

        And here is the official documentation for the pfctl utility that you use from the command line to manage the pf firewall: https://www.freebsd.org/cgi/man.cgi?query=pfctl&sektion=8.

        You can dynamically add or remove specific IP addresses or subnets from tables in pf. So you could construct an alias table in pfSense, and then add or remove IP addresses to control access by hosts matching those IP addresses. You do that using the pfctl utility.

        Even within the pfSense GUI, you are not actually managing the pf rules one-by-one. Instead, the edits you make in the GUI are written into the config.xml file on the firewall, then the pf engine is reloaded by writing the config info to a file and loading that file into pf. That's why at the end of the rules editing process in the GUI you get a prompt to "apply changes". When you click Apply there, the file of edited rules is written and then loaded into pf.

SteveITS @JS50

          @js50 You can use a URL alias to pull a file off a web server.

          There are time-based rules.

          Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
          When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
          Upvote 👍 helpful posts!

JS50 @bmeeks

@bmeeks - Thanks. Yeah, I was looking into some of this and playing around with pfctl last night, but I'm still not 100% clear on the interaction between pfSense, pfctl, iptables, etc.

            Also, I was trying to make a distinction between "enable/disable" and "add/remove" because in the pfSense GUI you can see rules that are "disabled". When I dump the firewall rules, I (understandably) do not see those rules listed. However, those rules must exist somewhere as pfSense knows about them and knows that they are disabled.

            From what you are saying, it sounds like pfSense maintains its own copy of the rules, and those are stored in config.xml. I would be happy to write a program that would modify the rules in config.xml (e.g., change a rule from enabled to disabled) then somehow kick pfSense to reload the rules from config.xml and apply them to the firewall (do the same thing that the "Apply" button on the GUI does). I'm just not sure how to do this last part.

            Does this make sense?

JS50 @SteveITS

              @steveits - Yeah, I'm aware of the time-based rules, but for my situation I need to enable/disable rules upon demand. Thanks for the idea, though. :-)

bmeeks @JS50

                @js50 said in Non-web based way to enable/disable rules or modify aliases?:

@bmeeks - Thanks. Yeah, I was looking into some of this and playing around with pfctl last night, but I'm still not 100% clear on the interaction between pfSense, pfctl, iptables, etc.

                Also, I was trying to make a distinction between "enable/disable" and "add/remove" because in the pfSense GUI you can see rules that are "disabled". When I dump the firewall rules, I (understandably) do not see those rules listed. However, those rules must exist somewhere as pfSense knows about them and knows that they are disabled.

                From what you are saying, it sounds like pfSense maintains its own copy of the rules, and those are stored in config.xml. I would be happy to write a program that would modify the rules in config.xml (e.g., change a rule from enabled to disabled) then somehow kick pfSense to reload the rules from config.xml and apply them to the firewall (do the same thing that the "Apply" button on the GUI does). I'm just not sure how to do this last part.

                Does this make sense?

                pfSense is fundamentally a PHP GUI that runs on top of a customized FreeBSD operating system. It stores EVERYTHING as XML data inside a file called config.xml which is stored in /conf on the firewall.

                Firewall rules, interface configurations, installed packages, defined users, configured IPSEC and OpenVPN tunnels and everything else is stored in the config.xml file. So when you are manipulating rules in the GUI, your changes are getting stored as XML data in the config.xml file in /conf. Then, when you "apply changes" after saving firewall rule edits, the "active" rules (those you did not disable) are written to a file in /tmp and then that file is passed to the pfctl utility as the rules input to load.

                There is no iptables in FreeBSD (nor in pfSense). The two firewall engines used on FreeBSD are pf and ipfw. On pfSense, pf is the main firewall engine and ipfw is used to support the captive portal functionality.

                Writing to the config.xml file on-the-fly is very dangerous and could lead to a completely broken system. That is not recommended!

                If you want to manually manage all the firewall rules, then just don't put any in the GUI and instead write your own file containing the rules you want and then load it with the pfctl utility I linked to earlier. Not really sure what your use case is here, though. Why do you want to add and remove rules from the command line? Why not just use the GUI? That's what it is there for.

JS50 @bmeeks

                  @bmeeks - Hey, thanks for the details; I appreciate it. Good info, and a good place for me to start digging. I like the idea of setting up rules outside of pfSense, etc. I'm not sure how pfSense will react to that...?

                  My use case is that I want to put together a physical button that my wife can use to turn on/off the Internet access for a Chromebook that our daughter uses. (Yes, I know creative kids can get around this stuff, but right now that is not in her skill set, so it's not an issue.) As of now I go into the pfSense GUI and enable/disable the rule upon demand, but I'd like to try to remove myself from the equation so that my wife can enable/disable the Chromebook herself.

                  PS - I even had the thought of getting an old parking meter, and setting it up so that when our daughter wanted to use the Chromebook, she would insert some coins (coins for minutes). LOL!

akuma1x @JS50

                    @js50 You should have said this stuff way earlier... LOL

I think probably the easiest way to achieve this, without using pfSense at all, is to get one of those smart outlets from Amazon, the ones you can control with a phone app, and hook up an inexpensive wireless access point. Those are about $25 on Amazon too. Then, when your wife needs to, all she has to do is use the phone app to turn on/off the smart outlet, and in turn, the wifi access point your daughter connects her Chromebook to.

A Former User @JS50

                      @js50 Well, the first thing I would recommend is to use the schedule established in the rule.

                      In my case this has helped a lot and is a very good option.


Second, you can create a daily consumption limit for your Chromecast, so when your Internet is exhausted you will have to wait until the next day to use it.

Also, if you're looking for something manual, then you could create a script that your wife just has to run; it would just log in via SSH to your pfSense and disable or enable the rule.

I'm here to help you; just tell me what you want. pfSense is capable of anything.

bmeeks @JS50

                        @js50 said in Non-web based way to enable/disable rules or modify aliases?:

                        @bmeeks - Hey, thanks for the details; I appreciate it. Good info, and a good place for me to start digging. I like the idea of setting up rules outside of pfSense, etc. I'm not sure how pfSense will react to that...?

                        My use case is that I want to put together a physical button that my wife can use to turn on/off the Internet access for a Chromebook that our daughter uses. (Yes, I know creative kids can get around this stuff, but right now that is not in her skill set, so it's not an issue.) As of now I go into the pfSense GUI and enable/disable the rule upon demand, but I'd like to try to remove myself from the equation so that my wife can enable/disable the Chromebook herself.

                        PS - I even had the thought of getting an old parking meter, and setting it up so that when our daughter wanted to use the Chromebook, she would insert some coins (coins for minutes). LOL!

                        If all you want to do is turn on and off access for a single device (the Chromebook), then it will be relatively easy to do via a shell script kicked off by some external trigger.

                        1. Create a DHCP reservation for the Chromebook and assign it a fixed IP address based on its MAC address. That means the Chromebook always has the same IP address when it joins your wireless network.

                        2. Next, inside pfSense create a host alias and give it a meaningful name. Maybe something like "Internet_Restricted_Hosts". Assign the Chromebook's IP address to the alias.

                        3. Create a firewall rule on the LAN that references the alias as SOURCE and that has the Internet as the destination. Set the rule to block, or drop.

                        4. There will now be a pf table created that has the same name as the alias you created. You can see that table listed under DIAGNOSTICS > TABLES. When you select it in the drop-down under that menu, you will see all of the current IP addresses in the table. To begin with, it will contain the Chromebook's IP.

                        5. So now, when you want to enable Internet access for the Chromebook, run a shell script that calls the pfctl utility with the options to remove the Chromebook IP address from the table (that alias name). And when you want to "turn off the Internet" for the Chromebook, run a shell script that adds the IP back to the table alias.

itpp21 @bmeeks

Enable easyrule.
https://docs.netgate.com/pfsense/en/latest/firewall/easyrule.html

Block LAN IP address (%1), as a Windows batch file (block.cmd <ip>):
REM Write the commands to run on the firewall into a script file, then run it over SSH.
REM easyrule's documented argument order is: action, interface, source IP.
REM The redirection goes first so an IP ending in a digit never sits directly before ">", which cmd.exe can read as a handle number.
>_scripts.scr echo easyrule block lan %1
>>_scripts.scr echo logger easyrule block lan %1
>>_scripts.scr echo easyrule showblock lan
REM -hostkey pins the firewall's SSH host-key fingerprint (replace SHA256:xxxx); -pw is the root password (replace xxxxx).
plink -batch -hostkey SHA256:xxxx -pw xxxxx root@192.168.1.1 -P 22 -m _scripts.scr

UnBlock LAN IP address (%1), as unblock.cmd <ip>:
>_scripts.scr echo easyrule unblock lan %1
>>_scripts.scr echo logger easyrule unblock lan %1
>>_scripts.scr echo easyrule showblock lan
plink -batch -hostkey SHA256:xxxx -pw xxxxx root@192.168.1.1 -P 22 -m _scripts.scr

bmeeks @itpp21

                            @itpp21 said in Non-web based way to enable/disable rules or modify aliases?:

                            Enable easyrule.
                            https://docs.netgate.com/pfsense/en/latest/firewall/easyrule.html

                            Block LAN ip address (%1)
                            echo easyrule %1 lan block>_scripts.scr
                            echo logger easyrule %1 lan block>>_scripts.scr
                            echo easyrule showblock lan>>_scripts.scr
                            plink -batch -hostkey SHA256:xxxx -pw xxxxx root@192.168.1.1 -P 22 -m _scripts.scr

                            UnBlock LAN ip address (%1)
                            echo easyrule %1 lan unblock>_scripts.scr
                            echo logger easyrule %1 lan unblock>>_scripts.scr
                            echo easyrule showblock lan>>_scripts.scr
                            plink -batch -hostkey SHA256:xxxx -pw xxxxx root@192.168.1.1 -P 22 -m _scripts.scr

                            Hey! Learned something new. I did not know the Easyrule feature was also available via the command line using shell commands.

                            For the OP, here is a link to the feature in the official documentation: https://docs.netgate.com/pfsense/en/latest/firewall/easyrule.html.

itpp21 @bmeeks

plink is part of PuTTY, which you can find here:
                              https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.