Configure PFsense firewall from CLI



  • I am looking into the possibility of configuring pfSense from the CLI. I am wondering if this is possible. I haven't even been able to figure out what software is responsible for providing the firewall, as "ipfw list" produces a socket error. Thank you in advance for your help!


  • Rebel Alliance Developer Netgate

    pf is used for the firewall rules, but there is not currently an automated way to fully manage the rules from the CLI. The rules are stored in the config.xml and not directly in any ruleset file (e.g. pf.conf).

    What are you trying to accomplish?



  • In the event I need to create a rule while on the road. My BlackBerry can sustain an SSH connection to the pfSense box, so I am able to modify rules while on the road. I know it is possible to administer remotely through HTTP; however, it is a bit cumbersome on the BlackBerry's small screen.


  • Rebel Alliance Developer Netgate

    Ah. In 2.0 I have a simple CLI program to add a quick pass or block rule, but only within a limited scope. I have not put this into a 1.2.3 package, though.

    # easyrule 
    usage:
     Blocking only requires an IP to block
         easyrule block <interface> <source ip>
    
     Passing requires more detail, as it must be as specific as possible. The destination port is optional if you're using a protocol without a port (e.g. ICMP, OSPF, etc).
         easyrule pass <interface> <protocol> <source ip> <destination ip> [destination port]
    
     Block example:
         easyrule block wan 1.2.3.4
    
     Pass example (protocol with port):
         easyrule pass wan tcp 1.2.3.4 192.168.0.4 80
    
     Block example (protocol without port):
         easyrule pass wan icmp 1.2.3.4 192.168.0.4
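
An added example, not part of the original post and not pfSense code: a POSIX sh wrapper that checks arguments against the usage text above and prints the resulting `easyrule` command for review instead of running it. It assumes IPv4 dotted quads and lowercase alphanumeric interface and protocol names, as in the usage examples; the function names and the script name `safe-easyrule.sh` are hypothetical.

```shell
#!/bin/sh
# Added example, not pfSense code: check arguments against the easyrule
# usage text, then print the command line for review instead of running it.
# Assumptions: IPv4 dotted quads only; lowercase alphanumeric interface and
# protocol names (wan, tcp, icmp), as in the usage examples.

fail() { echo "refused: $*" >&2; }

# is_ipv4 ADDR: succeed only for four dot-separated octets, each 0-255.
is_ipv4() {
    case "$1" in *[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split the address on dots
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# is_name WORD: succeed for a non-empty lowercase alphanumeric word.
is_name() { case "$1" in ''|*[!a-z0-9]*) return 1 ;; esac; }

# build_easyrule ACTION ARGS...: print a validated command or return 1.
build_easyrule() {
    is_name "$2" || { fail "bad interface '$2'"; return 1; }
    case "$1" in
    block)
        [ "$#" -eq 3 ] || { fail "block takes <interface> <source ip>"; return 1; }
        is_ipv4 "$3" || { fail "bad source ip '$3'"; return 1; } ;;
    pass)
        [ "$#" -eq 5 ] || [ "$#" -eq 6 ] || { fail "pass takes 4 or 5 arguments"; return 1; }
        is_name "$3" || { fail "bad protocol '$3'"; return 1; }
        is_ipv4 "$4" && is_ipv4 "$5" || { fail "source and destination must be single IPs"; return 1; }
        if [ "$#" -eq 6 ]; then
            case "$6" in ''|*[!0-9]*) fail "bad port '$6'"; return 1 ;; esac
            [ "${#6}" -le 5 ] && [ "$6" -ge 1 ] && [ "$6" -le 65535 ] || { fail "port out of range"; return 1; }
        fi ;;
    *)  fail "action must be block or pass"; return 1 ;;
    esac
    echo "easyrule $*"
}

# Only act when called with arguments, e.g.: sh safe-easyrule.sh block wan 1.2.3.4
[ "$#" -eq 0 ] || build_easyrule "$@"
```

Because a pass rule "must be as specific as possible", the wrapper refuses anything that is not a single address, so a mistyped or wildcard source never reaches the rule set.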
    


  • Hmmm. I am running 1.2.3…. Is the program written in a scripting language or compiled? I'd love to have a look at the source, if you didn't mind.


  • Rebel Alliance Developer Netgate

    It's just PHP. It's in the pfSense code repo, it's part of 2.0.

