Adding in to Alias and reload firewall from command line?

mucip

Hi,
I want to add an IP in to "BannedIPAlias" which I use to ban attacker IP's Alias and restart firewall in the command line or programaticly?

I want to add this command in to bash cron file and run.

Is this possible?

Regards,
Mucip:)

bmeeks

You do not need to restart the firewall in order to do what you want. The pfctl utility lets you dynamically add or remove addresses from existing pf tables. Here is the documentation: https://man.freebsd.org/cgi/man.cgi?query=pfctl(8).

Here is the pfSense documentation for viewing Alias Table contents: https://docs.netgate.com/pfsense/en/latest/monitoring/status/firewall-tables.html. Look there and you will see the automatically created pfSense alias tables. And here is the documentation for Aliases: https://docs.netgate.com/pfsense/en/latest/firewall/aliases.html#aliases.

pfSense stores aliases as tables in the pf firewall engine. You can use the pfctl utility to manipulate the IP addresses stored in an alias table. Then, in the pfSense firewall rules, create a rule that uses your alias table as either the SOURCE or DESTINATION target.

Since you already have the BannedIPAlias, then you should see it listed when viewing tables under DIAGNOSTICS > TABLES. It should show whatever IP addresses you have added to it. You can add or remove addresses from the table dynamically using pfctl.

mucip

Hi @bmeeks,This is very good news.
I will check. Thank.

Regards,
Mucip:)

mucip

Hi @bmeeks,
I've got it. Thanks...
https://forum.netgate.com/topic/69891/modify-aliases-from-ssh-shell/8

pfctl -t Yasakli_IPler -T add 1.2.3.4

Regards,
Mucip:)

bmeeks

@mucip said in Adding in to Alias and reload firewall from command line?:

Hi @bmeeks,
I've got it. Thanks...
https://forum.netgate.com/topic/69891/modify-aliases-from-ssh-shell/8

pfctl -t Yasakli_IPler -T add 1.2.3.4

Regards,
Mucip:)

Correct. I was away and unable to reply immediately. But I see you found the correct command sequence. pfctl is a powerful command-line tool.

mucip

Hi @bmeeks ,
Houston... We've got a problem. :)

With this command I can see added IP in Menu>Diagnostic>Tables.

But I can not see same IP in Menu>Firewall>Aliases>Yasakli_IPler

Blocking is working but I can not see it in Aliases menu?

Regards,
Mucip:)

bmeeks

@mucip said in Adding in to Alias and reload firewall from command line?:

Hi @bmeeks ,
Houston... We've got a problem. :)

With this command I can see added IP in Menu>Diagnostic>Tables.

But I can not see same IP in Menu>Firewall>Aliases>Yasakli_IPler

Blocking is working but I can not see it in Aliases menu?

Regards,
Mucip:)

The Aliases menu does not read from the pf table. It stores its data in the firewall's config.xml file. The contents of that data is modified when you make changes in the GUI, and then when the filter reload command is issued to pf by the GUI, pf will create the tables given to it by the GUI code and load the IP addresses supplied by the GUI.

What you are doing is totally outside the GUI process (which is driven by PHP code). You are using a FreeBSD utility to directly modify the table's content at runtime. The firewall portion of the GUI will not see that, but the binary code of the firewall engine (pf) will see that change and act upon it. That's why the blocking is working.

I thought you simply wanted a way to add one or more IPs to an existing alias at runtime on a temporary basis. Generally when doing something like fail2ban you just want to ban the IP for some period but not forever. Using the pfctl utility to add the IP directly into the pf runtime table will block that IP until the firewall reloads itself (triggered by something you do in the GUI by making certain changes) or when the firewall reboots.

There is no way to add IPs directly into the GUI at runtime from a third-party script without editing the config.xml file, and doing that on the fly is extraordinarily risky and likely to break the firewall completely.

mucip

Hi @bmeeks ,
Ok. I will try to live with this fact. Thanks... :)

Regards,
Mucip:)

bmeeks

@mucip said in Adding in to Alias and reload firewall from command line?:

Hi @bmeeks ,
Ok. I will try to live with this fact. Thanks... :)

Regards,
Mucip:)

You can see the IP addresses you add at runtime by going to DIAGNOSTICS > TABLES in the pfSense menu and then choosing the table name correspondig to your alias. Literally that PHP code runs the same pfctl utility to dump out all the pf tables and their content for display.

But the GUI stuff under FIREWALL > ALIASES won't see things you do directly in the pf tables using pfctl yourself.