Non-web based way to enable/disable rules or modify aliases?

JS50

Hi all.

I fear that I already know the answer to what I'm about to ask...

Is there a way to enable and disable rules from the command line or some non-web mechanism?

I've been searching for an answer to this, and I'm finding either (1) answers that don't really address this, or (2) unanswered queries. Some of the queries/requests date back ~10 years, so some of the suggestions for those don't seem to apply anymore since pfSense has changed over the years. I'm hoping that there now is a (relative) easy non-web way of enabling/disabling rules or aliases.

Thanks.

bmeeks

No, you can't dynamically add or remove specific rules. You could dump the existing rules to a file, alter or edit the file to add or remove rules, and then reload the new set of rules by loading the modified file into pf again. But that is not an easy thing to script.

Here is a link to the FreeBSD forum where this question was asked: https://forums.freebsd.org/threads/pfctl-dynamically-add-and-remove-rules-from-commandline.66441/.

And here is the official documentation for the pfctl utility that you use from the command line to manage the pf firewall: https://www.freebsd.org/cgi/man.cgi?query=pfctl&sektion=8.

You can dynamically add or remove specific IP addresses or subnets from tables in pf. So you could construct an alias table in pfSense, and then add or remove IP addresses to control access by hosts matching those IP addresses. You do that using the pfctl utility.

Even within the pfSense GUI, you are not actually managing the pf rules one-by-one. Instead, the edits you make in the GUI are written into the config.xml file on the firewall, then the pf engine is reloaded by writing the config info to a file and loading that file into pf. That's why at the end of the rules editing process in the GUI you get a prompt to "apply changes". When you click Apply there, the file of edited rules is written and then loaded into pf.

SteveITS

@js50 You can use a URL alias to pull a file off a web server.

There are time-based rules.

JS50

@bmeeks - Thanks. Yeah, I was looking into some of this and playing around with pfctl last night, but I'm still not 100% clear of the interaction between pfSense, pfctl, iptables, etc.

Also, I was trying to make a distinction between "enable/disable" and "add/remove" because in the pfSense GUI you can see rules that are "disabled". When I dump the firewall rules, I (understandably) do not see those rules listed. However, those rules must exist somewhere as pfSense knows about them and knows that they are disabled.

From what you are saying, it sounds like pfSense maintains its own copy of the rules, and those are stored in config.xml. I would be happy to write a program that would modify the rules in config.xml (e.g., change a rule from enabled to disabled) then somehow kick pfSense to reload the rules from config.xml and apply them to the firewall (do the same thing that the "Apply" button on the GUI does). I'm just not sure how to do this last part.

Does this make sense?

JS50

@steveits - Yeah, I'm aware of the time-based rules, but for my situation I need to enable/disable rules upon demand. Thanks for the idea, though. :-)

bmeeks

@js50 said in Non-web based way to enable/disable rules or modify aliases?:

@bmeeks - Thanks. Yeah, I was looking into some of this and playing around with pfctl last night, but I'm still not 100% clear of the interaction between pfSense, pfctl, iptables, etc.

Also, I was trying to make a distinction between "enable/disable" and "add/remove" because in the pfSense GUI you can see rules that are "disabled". When I dump the firewall rules, I (understandably) do not see those rules listed. However, those rules must exist somewhere as pfSense knows about them and knows that they are disabled.

From what you are saying, it sounds like pfSense maintains its own copy of the rules, and those are stored in config.xml. I would be happy to write a program that would modify the rules in config.xml (e.g., change a rule from enabled to disabled) then somehow kick pfSense to reload the rules from config.xml and apply them to the firewall (do the same thing that the "Apply" button on the GUI does). I'm just not sure how to do this last part.

Does this make sense?

pfSense is fundamentally a PHP GUI that runs on top of a customized FreeBSD operating system. It stores EVERYTHING as XML data inside a file called config.xml which is stored in /conf on the firewall.

Firewall rules, interface configurations, installed packages, defined users, configured IPSEC and OpenVPN tunnels and everything else is stored in the config.xml file. So when you are manipulating rules in the GUI, your changes are getting stored as XML data in the config.xml file in /conf. Then, when you "apply changes" after saving firewall rule edits, the "active" rules (those you did not disable) are written to a file in /tmp and then that file is passed to the pfctl utility as the rules input to load.

There is no iptables in FreeBSD (nor in pfSense). The two firewall engines used on FreeBSD are pf and ipfw. On pfSense, pf is the main firewall engine and ipfw is used to support the captive portal functionality.

Writing to the config.xml file on-the-fly is very dangerous and could lead to a completely broken system. That is not recommended!

If you want to manually manage all the firewall rules, then just don't put any in the GUI and instead write your own file containing the rules you want and then load it with the pfctl utility I linked to earlier. Not really sure what your use case is here, though. Why do you want to add and remove rules from the command line? Why not just use the GUI? That's what it is there for.

JS50

@bmeeks - Hey, thanks for the details; I appreciate it. Good info, and a good place for me to start digging. I like the idea of setting up rules outside of pfSense, etc. I'm not sure how pfSense will react to that...?

My use case is that I want to put together a physical button that my wife can use to turn on/off the Internet access for a Chromebook that our daughter uses. (Yes, I know creative kids can get around this stuff, but right now that is not in her skill set, so it's not an issue.) As of now I go into the pfSense GUI and enable/disable the rule upon demand, but I'd like to try to remove myself from the equation so that my wife can enable/disable the Chromebook herself.

PS - I even had the thought of getting an old parking meter, and setting it up so that when our daughter wanted to use the Chromebook, she would insert some coins (coins for minutes). LOL!

akuma1x

@js50 You should have said this stuff way earlier... LOL

I think probably the easiest way to achieve this, without using pfsense at all, is to get one of those smart outlets from Amazon, the ones you can control with a phone app, and hook up an inexpensive wireless access point. Those are about $25 on Amazon too. Then, when your wife needs to, all she has to do is use the phone app to turn on/off the smart outlet, and in turn, the wifi access point your daughter connects her chromebook to.

@js50 Well, the first thing I would recommend is to use the schedule established in the rule.

In my case this has helped a lot and is a very good option.

Second, you can create a daily consumption limit for your chormcast so when your internet is exhausted you will have to wait until the next day to use it.

Also if you're looking for something manual then you could create a script for your wife just have to run it and this just log in via ssh to your pfsense and disable or enable the rule.

I'm here to help you just tell me what you want, pfsense is capable of anything.

bmeeks

@js50 said in Non-web based way to enable/disable rules or modify aliases?:

@bmeeks - Hey, thanks for the details; I appreciate it. Good info, and a good place for me to start digging. I like the idea of setting up rules outside of pfSense, etc. I'm not sure how pfSense will react to that...?

My use case is that I want to put together a physical button that my wife can use to turn on/off the Internet access for a Chromebook that our daughter uses. (Yes, I know creative kids can get around this stuff, but right now that is not in her skill set, so it's not an issue.) As of now I go into the pfSense GUI and enable/disable the rule upon demand, but I'd like to try to remove myself from the equation so that my wife can enable/disable the Chromebook herself.

PS - I even had the thought of getting an old parking meter, and setting it up so that when our daughter wanted to use the Chromebook, she would insert some coins (coins for minutes). LOL!

If all you want to do is turn on and off access for a single device (the Chromebook), then it will be relatively easy to do via a shell script kicked off by some external trigger.

Create a DHCP reservation for the Chromebook and assign it a fixed IP address based on its MAC address. That means the Chromebook always has the same IP address when it joins your wireless network.
Next, inside pfSense create a host alias and give it a meaningful name. Maybe something like "Internet_Restricted_Hosts". Assign the Chromebook's IP address to the alias.
Create a firewall rule on the LAN that references the alias as SOURCE and that has the Internet as the destination. Set the rule to block, or drop.
There will now be a pf table created that has the same name as the alias you created. You can see that table listed under DIAGNOSTICS > TABLES. When you select it in the drop-down under that menu, you will see all of the current IP addresses in the table. To begin with, it will contain the Chromebook's IP.
So now, when you want to enable Internet access for the Chromebook, run a shell script that calls the pfctl utility with the options to remove the Chromebook IP address from the table (that alias name). And when you want to "turn off the Internet" for the Chromebook, run a shell script that adds the IP back to the table alias.

itpp21

Enable easyrule.
https://docs.netgate.com/pfsense/en/latest/firewall/easyrule.html

Block LAN ip address (%1)
echo easyrule %1 lan block>_scripts.scr
echo logger easyrule %1 lan block>>_scripts.scr
echo easyrule showblock lan>>_scripts.scr
plink -batch -hostkey SHA256:xxxx -pw xxxxx root@192.168.1.1 -P 22 -m _scripts.scr

UnBlock LAN ip address (%1)
echo easyrule %1 lan unblock>_scripts.scr
echo logger easyrule %1 lan unblock>>_scripts.scr
echo easyrule showblock lan>>_scripts.scr
plink -batch -hostkey SHA256:xxxx -pw xxxxx root@192.168.1.1 -P 22 -m _scripts.scr

bmeeks

@itpp21 said in Non-web based way to enable/disable rules or modify aliases?:

Enable easyrule.
https://docs.netgate.com/pfsense/en/latest/firewall/easyrule.html

Block LAN ip address (%1)
echo easyrule %1 lan block>_scripts.scr
echo logger easyrule %1 lan block>>_scripts.scr
echo easyrule showblock lan>>_scripts.scr
plink -batch -hostkey SHA256:xxxx -pw xxxxx root@192.168.1.1 -P 22 -m _scripts.scr

UnBlock LAN ip address (%1)
echo easyrule %1 lan unblock>_scripts.scr
echo logger easyrule %1 lan unblock>>_scripts.scr
echo easyrule showblock lan>>_scripts.scr
plink -batch -hostkey SHA256:xxxx -pw xxxxx root@192.168.1.1 -P 22 -m _scripts.scr

Hey! Learned something new. I did not know the Easyrule feature was also available via the command line using shell commands.

For the OP, here is a link to the feature in the official documentation: https://docs.netgate.com/pfsense/en/latest/firewall/easyrule.html.

itpp21

plink is part of putty which you can find here;
https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html