[SOLVED] On demand firewall configuration change

epl67

Hi,

I am trying to setup this on my pfsense router / firewall.

I want to modify the pf firewall, just by browsing a simple web page.
I want to make a page like http://<pfdns>:XX/block.php and http://<pfdns>:XX/unlock.php

I already achieved that on an IPCop based routed, but pfsense is much more robust and functionnal.  ;)

Could please some good guys give me some hand on creating these scripts ?

On the Linux IPCOP I used to create a CGI called script which executed that for eg. block.cgi

#!/bin/sh
iptables -I FORWARD 1 -s 10.1.2.50 -j REJECT
iptables -I INPUT 1 -s 10.1.2.50 -j REJECT
iptables -I OUTPUT 1 -s 10.1.2.50 -j REJECT
echo -e "Content-type: text/plain\n\n"
echo -e "Lock done"

And a same script to unlock. Pretty simple.

I want to create that on PFSENSE. As said i want to create a page like http://<pfdns>:XX/block.php and http://<pfdns>:XX/unlock.php
If i understand the way pf works i have to add

block out quick from 10.1.2.50 to any label "lock"

And delete that rule to unlock.

I made an Shell exec of

cat 'block out quick from 10.1.2.50 to any label "lock"' | pfctl -f - 

But all rules of the pfsense are deleted this way.  :o

An other formulation is: how can I add rule to pf without touching pf rules and just with a Shell (i dont want to use the GUI) ?

A way I read on a forum is to add a table and block it :

table <foo>persist
block quick from</foo> 

And then shell execute :

pfctl -t foo -T add 10.1.2.50 

But I do not find how to add the 2 lines on the Pfrules ! The GUI doesn't have and expert mode to directly add pf rules ?

All help is greatly appreciated.</pfdns></pfdns></pfdns></pfdns>

epl67

Ok, by reverse engennering i found the way pfsense builds his firewall rules.

I a going to change the script who builds the /tmp/rules.debug : it's /etc/inc/filter.inc.

I add these kind of rules at the good position :
table <badguys>persist
block quick from <badguys>And then i can control the lock of ip's badguys with
pfctl -t badguys -T add 10.x.x.x
pfctl -t badguys -T show
pfctl -t badguys -T delete 10.x.x.x

I am going to post here if it works after some tests and integration work.</badguys></badguys>

Ravine

Doh, i think this is what i want to do too.
Let's say we have cabinet of PC's and one admin machine. I want an on-demand firewall change from the admin-pc, to allow the admin-pc out but limit the others.
I wanna do that with the PHPservice package, which will watch a DB for change, and then change the filter rules.
But how…

epl67

Ok here is what I used. But file and procedure is in french… but a give a quick howto HERE.

PM me if someone is interested and doesn't understand everything.

First you need a "table" which will contain the IP list.

edit /etc/inc/filter.inc
SEEK

#SSH Lockout Table
table <sshlockout> persist</sshlockout>

ADD AFTER

#LOCK STATIONS
table <stations>persist</stations> 

Then you need the filter rule for the "stations" table.

edit /etc/inc/filter.inc
SEEK

        /* optional interfaces */
        $optcfg = array();
        generate_optcfg_array($optcfg);

----> ADD HERE !!  <----

        if (is_package_installed('squid') && file_exists('/usr/local/pkg/squid.inc')) {

ADD

/* Internet LOCKING */
$ipfrules .= "\n#Block internet on some workstations\n
block quick from <stations>\n\n";</stations>

Save file and reload filter from web manager pages.

Do an ls -lt in the /tmp folder to see if rules.debug is correctly generated.
You can cat the file and grep it to see if the text you added is correctly added and at the good place.

You can now manage it with:

pfctl -t stations -T add 10.x.x.x
pfctl -t stations -T show
pfctl -t stations -T delete 10.x.x.x

Then add some php scripts in a folder in :
/usr/local/www/stationlocking/

Code it and add youself authentification system in these webpage.

Exemple: file /usr/local/www/stationlocking/station-lock-10range.php

session_start();

$username = "scott";
$password = "tiger";

if (!isset($_SERVER['PHP_AUTH_USER']) || !isset($_SERVER['PHP_AUTH_PW'])) {
	header("WWW-Authenticate: Basic realm=\"BOSS ACCESS\"");
	header("HTTP/1.0 401 Unauthorized");
	echo "NOT ALLOWED";
	exit;
}
else {
	if($_SERVER['PHP_AUTH_USER'] == $username && $_SERVER['PHP_AUTH_PW'] == $password) {
		//SOME CODE IF AUTH IS CORRECT, OR PLACE IT AT END OF SCRIPT SINCE ERROR = EXIT

	}
	else {
		header("WWW-Authenticate: Basic realm=\"BOSS ACCESS\"");
		header("HTTP/1.0 401 Unauthorized");
		echo "NOT ALLOWED";
		exit;
	}
}

system ( 'pfctl -t stations -T add 10.10.10.10' );
system ( 'pfctl -t salles -T add 10.10.11.11' );

?>

<center>

### DONE LOCKED FOR 10.10.10.10 and 10.10.11.11

</center>

Now by browsing http://pfsense/stationlocking/station-lock-10range.php and giving good credential you can block 10.10.10.10 10.10.11.11

Script to unlock is the same but with delete instead of add. And you can use status to get status (i didnt code status maybe you will need to use passthru instead of system).