[SOLVED] On demand firewall configuration change



  • Hi,

    I am trying to set this up on my pfsense router / firewall.

    I want to modify the pf firewall just by browsing a simple web page.
    I want to make a page like http://<pfdns>:XX/block.php and http://<pfdns>:XX/unlock.php

    I already achieved that on an IPCop based router, but pfsense is much more robust and functional.  ;)

    Could some good guys please give me a hand creating these scripts?

    On the Linux IPCop I used to create a CGI script which executed that, e.g. block.cgi:

    #!/bin/sh
    iptables -I FORWARD 1 -s 10.1.2.50 -j REJECT
    iptables -I INPUT 1 -s 10.1.2.50 -j REJECT
    iptables -I OUTPUT 1 -s 10.1.2.50 -j REJECT
    echo -e "Content-type: text/plain\n\n"
    echo -e "Lock done"
    

    And the same script to unlock. Pretty simple.

    I want to create that on PFSENSE. As said, I want to create a page like http://<pfdns>:XX/block.php and http://<pfdns>:XX/unlock.php
    If I understand the way pf works I have to add

    block out quick from 10.1.2.50 to any label "lock"
    

    And delete that rule to unlock.

    I made a Shell exec of

    echo 'block out quick from 10.1.2.50 to any label "lock"' | pfctl -f -
    

    But all the rules of pfsense are deleted this way.  :o

    Another formulation is: how can I add a rule to pf without touching the pf rules, just with a shell (I don't want to use the GUI)?

    A way I read on a forum is to add a table and block it:

    table <foo> persist
    block quick from <foo>
    

    And then shell execute :

    pfctl -t foo -T add 10.1.2.50 
    

    But I do not find how to add the 2 lines to the pf rules! Doesn't the GUI have an expert mode to directly add pf rules?

    All help is greatly appreciated.



  • Ok, by reverse engineering I found the way pfsense builds its firewall rules.

    I am going to change the script that builds /tmp/rules.debug: it's /etc/inc/filter.inc.

    I add these kinds of rules at the right position:
    table <badguys> persist
    block quick from <badguys>

    And then I can control the locking of the badguys IPs with
    pfctl -t badguys -T add 10.x.x.x
    pfctl -t badguys -T show
    pfctl -t badguys -T delete 10.x.x.x

    I am going to post here if it works after some tests and integration work.



  • Doh, I think this is what I want to do too.
    Let's say we have a cabinet of PCs and one admin machine. I want an on-demand firewall change from the admin PC, to allow the admin PC out but limit the others.
    I wanna do that with the PHPservice package, which will watch a DB for changes and then change the filter rules.
    But how…



  • Ok here is what I used. But the file and procedure are in French… but I give a quick howto HERE.

    PM me if someone is interested and doesn't understand everything.

    First you need a "table" which will contain the IP list.

    edit /etc/inc/filter.inc
    SEEK

    #SSH Lockout Table
    table <sshlockout> persist
    

    ADD AFTER

    #LOCK STATIONS
    table <stations> persist
    

    Then you need the filter rule for the "stations" table.

    edit /etc/inc/filter.inc
    SEEK

            /* optional interfaces */
            $optcfg = array();
            generate_optcfg_array($optcfg);
    
    ----> ADD HERE !!  <----
    
            if (is_package_installed('squid') && file_exists('/usr/local/pkg/squid.inc')) {
    

    ADD

    /* Internet LOCKING */
    $ipfrules .= "\n# Block internet on some workstations\nblock quick from <stations>\n\n";
    

    Save file and reload filter from web manager pages.

    Do an ls -lt in the /tmp folder to see if rules.debug is correctly generated.
    You can cat the file and grep it to see if the text you added is there and in the right place.

    You can now manage it with:

    pfctl -t stations -T add 10.x.x.x
    pfctl -t stations -T show
    pfctl -t stations -T delete 10.x.x.x
    

    Then add some php scripts in a folder in :
    /usr/local/www/stationlocking/

    Code it and add yourself an authentication system in these web pages.

    Example: file /usr/local/www/stationlocking/station-lock-10range.php

    <?php
    session_start();
    
    $username = "scott";
    $password = "tiger";
    
    // Ask for HTTP Basic credentials if the browser sent none
    if (!isset($_SERVER['PHP_AUTH_USER']) || !isset($_SERVER['PHP_AUTH_PW'])) {
    	header("WWW-Authenticate: Basic realm=\"BOSS ACCESS\"");
    	header("HTTP/1.0 401 Unauthorized");
    	echo "NOT ALLOWED";
    	exit;
    }
    else {
    	if($_SERVER['PHP_AUTH_USER'] == $username && $_SERVER['PHP_AUTH_PW'] == $password) {
    		//SOME CODE IF AUTH IS CORRECT, OR PLACE IT AT END OF SCRIPT SINCE ERROR = EXIT
    
    	}
    	else {
    		// Wrong credentials: same 401 answer as above
    		header("WWW-Authenticate: Basic realm=\"BOSS ACCESS\"");
    		header("HTTP/1.0 401 Unauthorized");
    		echo "NOT ALLOWED";
    		exit;
    	}
    }
    
    // Only reached after a successful login: add the two fixed addresses to their tables.
    // "salles" is a second table of the author's; pfctl -T add creates a missing table on
    // the fly, but nothing is blocked unless a rule in filter.inc references that table.
    system ( 'pfctl -t stations -T add 10.10.10.10' );
    system ( 'pfctl -t salles -T add 10.10.11.11' );
    
    ?>
    
    <center>
    
    <h3>DONE LOCKED FOR 10.10.10.10 and 10.10.11.11</h3>
    
    </center>
    
    

    Now by browsing http://pfsense/stationlocking/station-lock-10range.php and giving the right credentials you can block 10.10.10.10 and 10.10.11.11.

    The script to unlock is the same but with delete instead of add. And you can use show to get the status (I didn't code status; maybe you will need to use passthru instead of system).
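An added example, not from the original post or from pfSense itself: one script that covers lock, unlock and status for the <stations> table set up above. The query parameter names `action` and `ip` are assumptions, as is restricting managed hosts to 10.0.0.0/8 (the range used in this thread); the point is that the address is validated and escaped before it reaches pfctl, so request data can never become part of a shell command.

```php
<?php
// Added example: lock / unlock / status for the pf table <stations>.
// Hypothetical interface: ?action=lock|unlock|status&ip=10.x.x.x
$username = "scott";   // replace with your own credentials
$password = "tiger";

// hash_equals() compares in constant time, so response timing reveals nothing.
$authOk = isset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])
    && hash_equals($username, $_SERVER['PHP_AUTH_USER'])
    && hash_equals($password, $_SERVER['PHP_AUTH_PW']);
if (!$authOk) {
    header('WWW-Authenticate: Basic realm="BOSS ACCESS"');
    header('HTTP/1.0 401 Unauthorized');
    exit("NOT ALLOWED");
}

// Only the three known actions are accepted; anything else is rejected.
$action = $_GET['action'] ?? 'status';
if (!in_array($action, ['lock', 'unlock', 'status'], true)) {
    header('HTTP/1.0 400 Bad Request');
    exit("unknown action");
}

$table = 'stations';
$cmd = ['pfctl', '-t', $table, '-T'];
if ($action === 'status') {
    $cmd[] = 'show';
} else {
    // The IP must be a syntactically valid IPv4 address AND inside the
    // workstation range we manage (assumed 10.0.0.0/8): this rules out shell
    // metacharacters and stops the page from locking hosts outside its scope.
    $ip = $_GET['ip'] ?? '';
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false
        || strncmp($ip, '10.', 3) !== 0) {
        header('HTTP/1.0 400 Bad Request');
        exit("ip must be an IPv4 address in 10.0.0.0/8");
    }
    array_push($cmd, $action === 'lock' ? 'add' : 'delete', $ip);
}

// Build the command from individually escaped pieces; never interpolate raw
// request data into the string handed to the shell.
$line = implode(' ', array_map('escapeshellarg', $cmd));
exec($line . ' 2>&1', $output, $rc);

header('Content-Type: text/plain');
echo ($rc === 0 ? "OK" : "pfctl failed (rc=$rc)") . ": $line\n";
echo implode("\n", $output), "\n";   // for "show", the currently locked IPs
```

Because the table is declared `persist` and referenced by the `block quick from <stations>` rule added in filter.inc, entries added here take effect immediately without reloading the ruleset and survive a filter reload.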

