Netgate Discussion Forum
    [SOLVED] On demand firewall configuration change

    epl67

      Hi,

      I am trying to set this up on my pfSense router / firewall.

      I want to modify the pf firewall, just by browsing a simple web page.
      I want to make a page like http://<pfdns>:XX/block.php and http://<pfdns>:XX/unlock.php

      I already achieved that on an IPCop based router, but pfSense is much more robust and functional.  ;)

      Could some good guys please give me a hand creating these scripts?

      On the Linux IPCop I used to create a CGI script which executed this, e.g. block.cgi:

      #!/bin/sh
      # reject every packet from the workstation: forwarded, inbound and outbound
      iptables -I FORWARD 1 -s 10.1.2.50 -j REJECT
      iptables -I INPUT 1 -s 10.1.2.50 -j REJECT
      iptables -I OUTPUT 1 -s 10.1.2.50 -j REJECT
      # CGI response: header line, blank line, then the body
      echo -e "Content-type: text/plain\n\n"
      echo -e "Lock done"
      

      And the same script to unlock. Pretty simple.

      I want to create that on pfSense. As said, I want to create a page like http://<pfdns>:XX/block.php and http://<pfdns>:XX/unlock.php
      If I understand the way pf works, I have to add

      block out quick from 10.1.2.50 to any label "lock"
      

      And delete that rule to unlock.

      I made a shell exec of

      cat 'block out quick from 10.1.2.50 to any label "lock"' | pfctl -f - 
      

      But all of the pfSense rules are deleted this way.  :o

      Another formulation is: how can I add a rule to pf without touching the pf rules, just with a shell (I don't want to use the GUI)?

      A way I read on a forum is to add a table and block it:

      table <foo> persist
      block quick from <foo>
      

      And then shell execute:

      pfctl -t foo -T add 10.1.2.50 
      

      But I cannot find how to add the 2 lines to the pf rules! Doesn't the GUI have an expert mode to directly add pf rules?

      All help is greatly appreciated.

      epl67

        Ok, by reverse engineering I found the way pfSense builds its firewall rules.

        I am going to change the script which builds /tmp/rules.debug: it's /etc/inc/filter.inc.

        I add these kinds of rules at the right position:

        table <badguys> persist
        block quick from <badguys>

        And then I can control the locking of the badguys IPs with

        pfctl -t badguys -T add 10.x.x.x
        pfctl -t badguys -T show
        pfctl -t badguys -T delete 10.x.x.x

        I am going to post here if it works after some tests and integration work.

        Ravine

          Doh, I think this is what I want to do too.
          Let's say we have a cabinet of PCs and one admin machine. I want an on-demand firewall change from the admin PC, to allow the admin PC out but limit the others.
          I wanna do that with the PHPservice package, which will watch a DB for change, and then change the filter rules.
          But how…

          epl67

            Ok, here is what I used. The file and procedure are in French… but I give a quick howto HERE.

            PM me if someone is interested and doesn't understand everything.

            First you need a "table" which will contain the IP list.

            edit /etc/inc/filter.inc
            SEEK

            #SSH Lockout Table
            table <sshlockout> persist
            

            ADD AFTER

            #LOCK STATIONS
            table <stations> persist
            

            Then you need the filter rule for the "stations" table.

            edit /etc/inc/filter.inc
            SEEK

                    /* optional interfaces */
                    $optcfg = array();
                    generate_optcfg_array($optcfg);
            
            ----> ADD HERE !!  <----
            
                    if (is_package_installed('squid') && file_exists('/usr/local/pkg/squid.inc')) {
            

            ADD

            /* Internet LOCKING */
            $ipfrules .= "\n#Block internet on some workstations\nblock quick from <stations>\n\n";
            

            Save the file and reload the filter from the web manager pages.

            Do an ls -lt in the /tmp folder to see if rules.debug is correctly generated.
            You can cat the file and grep it to see if the text you added is there and in the right place.

            You can now manage it with:

            pfctl -t stations -T add 10.x.x.x
            pfctl -t stations -T show
            pfctl -t stations -T delete 10.x.x.x
            

            Then add some PHP scripts in a folder:
            /usr/local/www/stationlocking/

            Code it and add your own authentication system to these web pages.

            Example: file /usr/local/www/stationlocking/station-lock-10range.php

            <?php
            session_start();
            
            $username = "scott";
            $password = "tiger";
            
            // ask the browser for HTTP Basic credentials if it did not send any
            if (!isset($_SERVER['PHP_AUTH_USER']) || !isset($_SERVER['PHP_AUTH_PW'])) {
            	header("WWW-Authenticate: Basic realm=\"BOSS ACCESS\"");
            	header("HTTP/1.0 401 Unauthorized");
            	echo "NOT ALLOWED";
            	exit;
            }
            else {
            	// strict comparison (===): with "==" PHP compares numeric-looking strings as numbers
            	if($_SERVER['PHP_AUTH_USER'] === $username && $_SERVER['PHP_AUTH_PW'] === $password) {
            		//SOME CODE IF AUTH IS CORRECT, OR PLACE IT AT END OF SCRIPT SINCE ERROR = EXIT
            
            	}
            	else {
            		header("WWW-Authenticate: Basic realm=\"BOSS ACCESS\"");
            		header("HTTP/1.0 401 Unauthorized");
            		echo "NOT ALLOWED";
            		exit;
            	}
            }
            
            // only reached with valid credentials: put the workstations in the pf tables,
            // the "block quick from <table>" rule added to filter.inc does the rest
            system ( 'pfctl -t stations -T add 10.10.10.10' );
            system ( 'pfctl -t salles -T add 10.10.11.11' );
            
            ?>
            
            <center>
            
            <h3>DONE LOCKED FOR 10.10.10.10 and 10.10.11.11</h3>
            
            </center>
            
            

            Now by browsing http://pfsense/stationlocking/station-lock-10range.php and giving the right credentials you can block 10.10.10.10 and 10.10.11.11.

            The script to unlock is the same but with delete instead of add. And you can use status to get the status (I didn't code status; maybe you will need to use passthru instead of system).

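As an added example (not the original poster's script), one page that covers the lock, unlock and status variants described in the howto above for the <stations> table; the credentials, the `action` and `ip` query parameters and the file name are assumptions.

```php
<?php
// Added example, not the original poster's script: one page that locks, unlocks
// or lists the <stations> table. Assumes the table and the "block quick from
// <stations>" rule were added to /etc/inc/filter.inc as described above.
// Usage: station-ctl.php?action=lock&ip=10.10.10.10 (lock | unlock | status)

$username = "scott";      // placeholder credentials, replace with your own
$password = "tiger";
$table    = "stations";   // pf table name from the filter.inc edit

function deny() {
    header('WWW-Authenticate: Basic realm="BOSS ACCESS"');
    header('HTTP/1.0 401 Unauthorized');
    echo "NOT ALLOWED";
    exit;
}

if (!isset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])) {
    deny();
}
// strict checks: "==" would compare numeric-looking strings as numbers
if ($_SERVER['PHP_AUTH_USER'] !== $username
    || !hash_equals($password, $_SERVER['PHP_AUTH_PW'])) {
    deny();
}
header('Content-Type: text/plain');
$action = $_GET['action'] ?? 'status';
$ip     = $_GET['ip'] ?? '';
if ($action === 'status') {
    // passthru streams pfctl's raw output straight to the browser
    passthru('pfctl -t ' . escapeshellarg($table) . ' -T show');
    exit;
}
$ops = ['lock' => 'add', 'unlock' => 'delete'];
if (!isset($ops[$action])) {
    http_response_code(400);
    echo "bad action\n";
    exit;
}
// only a literal IPv4 address may reach the pfctl command line
if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
    http_response_code(400);
    echo "bad ip\n";
    exit;
}
// escapeshellarg keeps the validated value from being interpreted by the shell
$cmd = sprintf('pfctl -t %s -T %s %s', escapeshellarg($table), $ops[$action], escapeshellarg($ip));
exec($cmd . ' 2>&1', $out, $rc);
echo "$cmd\n" . implode("\n", $out) . "\nexit code $rc\n";
```

The page reports pfctl's exit code, so a table that is missing from the loaded ruleset (for example after a filter reload without the filter.inc edit) shows up as a non-zero result instead of silently doing nothing.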
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.