Question about Automation and firewall rules (enable/disable using SSH/API)
-
I am considering to but a pfSense appliance.
Can my automation system SSH into the appliance and using a one-line command enable/disable a FW rule? (or more than one line)Can the FW do config changes using some API ? - like HTTP POST or something else?
-
There is no API available within pfSense for such automation.
pfSense uses the FreeBSD
pf(packet filter) firewall engine, so you can perform some operations on the ruleset using thepfctlutility with the proper command-line arguments which you could execute from a shell script.The official FreeBSD documentation for
pfctlcan be found here. -
thank you.
is the appliance open for SSH to shell so I can run pfctl from another device? -
@andrek said in Question about Automation and firewall rules (enable/disable using SSH/API):
thank you.
is the appliance open for SSH to shell so I can run pfctl from another device?When you enable the SSD daemon via the GUI, it automatically opens the necessary port on the LAN. It does not open WAN ports that I remember. So if you needed access from offsite via SSH you would need to make arrangements. But I would never open SSH on the WAN. I would use the OpenVPN server in pfSense and create a remote VPN access client connection, and then use that to tunnel the SSH remotely. Using a "key only" access is also possible and is way more secure than a password. But a remote access VPN is the most secure in my opinion.
By default an SSH connection will dump you to the CLI menu where you choose Option "8" to exit to a shell prompt. There are probably ways to configure the SSH process to dump you directly to the shell. Here is the official documentation: https://docs.netgate.com/pfsense/en/latest/recipes/ssh-access.html#.
-
@bmeeks said in Question about Automation and firewall rules (enable/disable using SSH/API):
@andrek said in Question about Automation and firewall rules (enable/disable using SSH/API):
thank you.
is the appliance open for SSH to shell so I can run pfctl from another device?When you enable the SSD daemon via the GUI, it automatically opens the necessary port on the LAN. It does not open WAN ports that I remember.
Pretty sure it's open on all interfaces but you would need a firewall rule to allow it through the WAN. Not that I'm suggesting that.
-
@jarhead said in Question about Automation and firewall rules (enable/disable using SSH/API):
@bmeeks said in Question about Automation and firewall rules (enable/disable using SSH/API):
@andrek said in Question about Automation and firewall rules (enable/disable using SSH/API):
thank you.
is the appliance open for SSH to shell so I can run pfctl from another device?When you enable the SSD daemon via the GUI, it automatically opens the necessary port on the LAN. It does not open WAN ports that I remember.
Pretty sure it's open on all interfaces but you would need a firewall rule to allow it through the WAN. Not that I'm suggesting that.
Yeah, the daemon listens on all interfaces, but the default firewall ruleset will only allow inbound traffic to connect from the LAN. The docs I linked explain that a little farther down (and refreshed my memory).