[SOLVED] On demand firewall configuration change

  • Hi,

    I am trying to set this up on my pfSense router / firewall.

    I want to modify the pf firewall, just by browsing a simple web page.
    I want to make a page like http://<pfdns>:XX/block.php and http://<pfdns>:XX/unlock.php

    I already achieved that on an IPCop based router, but pfSense is much more robust and functional.  ;)

    Could some good guys please give me a hand creating these scripts?

    On the Linux IPCop I used to create a CGI script which executed this, e.g. block.cgi:

    iptables -I FORWARD 1 -s -j REJECT
    iptables -I INPUT 1 -s -j REJECT
    iptables -I OUTPUT 1 -s -j REJECT
    echo -e "Content-type: text/plain\n\n"
    echo -e "Lock done"

    And the same script to unlock. Pretty simple.

    I want to create that on pfSense. As said, I want to create a page like http://<pfdns>:XX/block.php and http://<pfdns>:XX/unlock.php
    If I understand the way pf works I have to add

    block out quick from to any label "lock"

    And delete that rule to unlock.

    I made a shell exec of

    cat 'block out quick from to any label "lock"' | pfctl -f - 

    But all rules of pfSense are deleted this way.  :o

    Another formulation is: how can I add a rule to pf without touching the pf rules, and just with a shell (I don't want to use the GUI)?

    A way I read on a forum is to add a table and block it:

    table <foo> persist
    block quick from <foo>

    And then shell execute:

    pfctl -t foo -T add 

    But I do not find how to add the 2 lines to the pf rules! Doesn't the GUI have an expert mode to directly add pf rules?

    All help is greatly appreciated.

  • Ok, by reverse engineering I found the way pfSense builds its firewall rules.

    I am going to change the script that builds /tmp/rules.debug: it's /etc/inc/filter.inc.

    I add these kind of rules at the right position:

    table <badguys> persist
    block quick from <badguys>

    And then I can control the locking of the badguys IPs with
    pfctl -t badguys -T add 10.x.x.x
    pfctl -t badguys -T show
    pfctl -t badguys -T delete 10.x.x.x

    I am going to post here if it works after some tests and integration work.

  • Doh, I think this is what I want to do too.
    Let's say we have a cabinet of PCs and one admin machine. I want an on-demand firewall change from the admin PC, to allow the admin PC out but limit the others.
    I wanna do that with the PHPservice package, which will watch a DB for change, and then change the filter rules.
    But how…

  • Ok here is what I used. But the file and procedure are in French… but I give a quick howto HERE.

    PM me if someone is interested and doesn't understand everything.

    First you need a "table" which will contain the IP list.

    edit /etc/inc/filter.inc

    #SSH Lockout Table
    table <sshlockout> persist

    table <stations> persist

    Then you need the filter rule for the "stations" table.

    edit /etc/inc/filter.inc

            /* optional interfaces */
            $optcfg = array();
    ----> ADD HERE !!  <----
            if (is_package_installed('squid') && file_exists('/usr/local/pkg/squid.inc')) {


    /* Internet LOCKING */
    $ipfrules .= "\n#Block internet on some workstations\n";
    $ipfrules .= "block quick from <stations>\n\n";

    Save file and reload filter from web manager pages.

    Do an ls -lt in the /tmp folder to see if rules.debug is correctly generated.
    You can cat the file and grep it to see if the text you added is there and in the right place.

    You can now manage it with:

    pfctl -t stations -T add 10.x.x.x
    pfctl -t stations -T show
    pfctl -t stations -T delete 10.x.x.x

    Then add some PHP scripts in a folder in:

    Code it and add your own authentication system to these web pages.

    Example: file /usr/local/www/stationlocking/station-lock-10range.php

    <?php
    $username = "scott";
    $password = "tiger";

    // Ask for HTTP Basic credentials if none were supplied
    if (!isset($_SERVER['PHP_AUTH_USER']) || !isset($_SERVER['PHP_AUTH_PW'])) {
    	header("WWW-Authenticate: Basic realm=\"BOSS ACCESS\"");
    	header("HTTP/1.0 401 Unauthorized");
    	echo "NOT ALLOWED";
    } else {
    	if ($_SERVER['PHP_AUTH_USER'] == $username && $_SERVER['PHP_AUTH_PW'] == $password) {
    		// Credentials accepted: add the station addresses to both tables
    		// (the addresses themselves did not survive in the posted script)
    		system('pfctl -t stations -T add');
    		system('pfctl -t salles -T add');
    		echo "### DONE LOCKED FOR and";
    	} else {
    		// Wrong credentials: ask again
    		header("WWW-Authenticate: Basic realm=\"BOSS ACCESS\"");
    		header("HTTP/1.0 401 Unauthorized");
    		echo "NOT ALLOWED";
    	}
    }
    ?>

    Now by browsing http://pfsense/stationlocking/station-lock-10range.php and giving good credentials you can block

    The script to unlock is the same but with delete instead of add. And you can use status to get the status (I didn't code status; maybe you will need to use passthru instead of system).
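    Since the lock pages above end up handing an address to pfctl through system(), here is an added example (mine, not the poster's code): a POSIX sh wrapper around the same pfctl table commands that refuses anything but a plain IPv4 address before it reaches the shell. It assumes the "stations" table from this post and root on the pfSense shell; the PFCTL and TABLE variables are my own, so the wrapper can be dry-run elsewhere.

```sh
#!/bin/sh
# Added example, not code from the thread: wrap the pfctl table commands
# so only a validated dotted-quad IPv4 address is ever passed to pfctl.
# Assumes the "stations" table from the thread and root on the pfSense
# shell; PFCTL and TABLE are overrides of mine for testing elsewhere.
PFCTL="${PFCTL:-pfctl}"
TABLE="${TABLE:-stations}"

# Succeed only for four octets in 0-255 separated by single dots.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
    done
    return 0
}

# station lock|unlock <ip>   -> pfctl -t TABLE -T add|delete <ip>
# station show               -> pfctl -t TABLE -T show
station() {
    action=$1
    ip=$2
    case "$action" in
        lock)   op=add ;;
        unlock) op=delete ;;
        show)   "$PFCTL" -t "$TABLE" -T show; return ;;
        *)      echo "usage: station lock|unlock <ip> | show" >&2; return 2 ;;
    esac
    if ! is_ipv4 "$ip"; then
        echo "refusing invalid address: $ip" >&2
        return 1
    fi
    # Arguments are passed as separate words, never through a shell string.
    "$PFCTL" -t "$TABLE" -T "$op" "$ip"
}
```

    A web page would then call station with an address it has already validated, rather than interpolating raw request input into a pfctl command string.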
