Is it possible to update an alias and reload firewall rules by issuing a command?

scilek · Dec 16, 2022, 5:34 PM

I am writing a Python script to get pfSense to download a list of URLs from some source on the Internet and update the associated alias and then reload the firewall rules if any modifications are detected.

To that end, first I created a URL alias:
login-to-view

Of course, I must somehow trigger the same effect as the "Save" button on the web interface.

Then, I must do the same for the "Apply Changes" button:
login-to-view

I have a hunch that should be possible, but I have no idea how. I have read somewhere that /etc/rc.reload_all should do the trick, but doing that did not update the URL list associated with the alias.

Can anyone help me with that?

SteveITS · Dec 16, 2022, 7:56 PM

@scilek For a URL type alias, the contents of the alias are re-fetched every 24 hours from the stored URL by the firewall.
"For a URL type alias, the contents of the alias are re-fetched every 24 hours from the stored URL by the firewall."

...which is not your question but may be what you're trying to get around.

If you install the cron package, it will show the default list of cron tasks. Is there one that updates the aliases every 24h?

scilek · Dec 16, 2022, 8:37 PM

@steveits said in Is it possible to update an alias and reload firewall rules by issuing a command?:

If you install the cron package, it will show the default list of cron tasks. Is there one that updates the aliases every 24h?

It is installed and my script will run every hour. But my problem is that I must force the alias to be updated to reflect the updated list and then reload the filter rules.

Imagine a boss just editing a text file -accessible on the Internet- to determine what sites his employees can access from the workplace.

scilek · Dec 17, 2022, 5:14 PM

I think I've got the hang of it.

I have been looking at this the wrong way all along. Python will never work when it comes to hacking pfSense because it's not its native language in the first place! However, unfortunately, the answer lies in PHP, the language I hated to learn and was hoping would never have to use again.

As it happens, PHP scripts can be run by passing it as an argument to /usr/local/bin/php, like any other interpreted language, like Python or Bash.

I have written a PHP script that utilises the underlying PHP backbone of pfSense and managed to get it to download a list of hosts from a text file shared on Google Drive and then reload the firewall rules:

login-to-view

I know pfSense is open software but I won't get into the details of how I managed to do that out of respect for the original coders that toiled and battled with PHP to get it all working. But of course, in true open source geek fashion, I will happily share it with interested parties.

By the way, is there a plan to rewrite everything in Python?