Remote firewall rule creation?
-
Hi there, I am tryinng to automate firewall rules creation/deletion.
My situation:
Im using Pfsense with gameservers behind.
The gameservers themselfes have a ban mechanism wich dont work in some cases.
This gameservers are logging in a Mysql Database Backend, i can find my "candidate" IPs with a simple query.
Every day i must put now the IPs that i get from this query inside Pfsense.Now I decided that enough is enough.
Id like to automate this process.
First, cause im kinda lazy. Second effect would be immideate effective banning.My Ideas:
Sure, theres allready a great remote control: The web interface.
What u think about the idea to pimp firewall_rules_edit.php?
On the gameserver side, WGet could be a nice client, doing the auth.
Secured by ssl, for those that need it.PS.
Ah, i searched the board/web and couldnt find anything about this topic.
If theres some allready existing: sry for disturbing, thx for link!
If anyone has an alternate idea/way to archive it: Youre wellcome! -
You can use curl to script such a thing, like to update an alias of those IPs.
-
CURL is a nice idea, thanks.
It seem to offer way more Functionality then WGET downloder.
Hmm…
With curl i could simply fill the Form Fields. Tomorrow dark master will spam u all :)
And its available even from PHP.
Sounds like fun to me!Inbetween i looked the firewall_rules_edit.php.
It should be no bigger problem to exchange all those form field set variables with hard coded ones.
i just need the source IP/Range to be set.Ill try that next days and give Feedback here.
-
Even better: write a simple php/other language app that will grab the IPs from the DB and present them as a list (one per line)
Install the URL table package and add a URL table alias that points to that web app created above, set the value for updating to "1" (the box that is usually the CIDR drop-down)
Add a rule to block from that alias.
Add a cron job (via the cron package) to run the URL table update script (/etc/rc.update_urltables) every night.
Ignore it and let it do its thing :-)
-
The thing is, that those guys do very lame things that destroy the game totally.
(like killing people in own team, running insulting scripts in loops)
10 Minutes with those guys will make some soft pie from ur Brain, i swear.So I need the Machine very asap, im planning to run that query on every client connect through a SQL trigger…
Anyways, i must wait till the weekend, then i go try more. Thanx for your Idea. -
You could update it more frequently, but you'd have to edit the code from the package to make it trigger more often.
-
hm, i want to try triggering "external".
that external side is the gameserver with its management bot.
it has a database driven backend, theres a bunch of machines integrated within the gameserver (forums, ircbot, admin backend, mumble voip and much more)
everything work in real time, i wanna stay with that concept as much as possible.
were a bunch of gamers, we are used to have it real time, we still cant wait for… lets say... uhm... 20 Milliseconds is ok.the server is one of the biggest of its kind, throgh that its a lamer magnet.
my query shows me ca. 15 such cases per day, maybe 1-2 really make probs by insulting players. we have 50 Slots and ~1500 unique users every day.
when we ban them, they are back in 1 second, loughing @ us and continuing teh swear orgy.
a schedule would have to be very frequent.ah, the game is quake3, the mod is urban terror, the Forums is @ www.dswp.de/old. urban terror is free to download, if u wanna test: www.urbanterror.net
the database backend is driven by B3 (www.bigbrotherbot.com)when i alter now the rule creator so i can give it a
http(s)://user:pwd@LANIP/fu.php?banip=666.666.666.666
im pretty served and happy.
a little floody loop could make the thing perfect.
but im a grown up guy that knows to handle his anger by doing autosuggestion. -
If you must trigger it remotely, install the dashboard package and look at the Easy Rule code. It can already add arbitrary hosts to an alias in a block rule by a GET request like that.
No need to reinvent the wheel.
-
uiiii wow dashboard!
omg thats oho fancy yeah nice piece of work jeeehesusmaria congratiolations!
bill gates looks pale infront of this and steve jobs admits his bad design!where i can find this easy rule code?
i dont understand by the way what/how this masterpiece of gui can do for me…hm, did i say i want to wait till weekend with my hobby?
it was a lie hmhm ^^ -
On the filter logs (Status > System Logs, Firewall tab), there are little green and red + buttons by the source and destination hosts.
Those will link to the easyrule code for adding and deleting a rule for that IP, you can see how it would work that way.
-
hm, now i just thought myself:
why should i install dashboard when i go after in firewall logs (which existed before anyways)–> firewall log is pimped after dashboard install, theres new block/pass icons on all entries:
oki so the rest is really easy. this 1 does the job:
wget --spider "http://username:password@192.168.XXX.YYY/easyrule.php?action=block&int=wan&src=2.3.4.5"rules will be active immediately, no need to "apply-button" it…
little btw: blocks dont seem to worx with icmp pingeling (i tried that first...)
to close this topic in a short:
pfsense once again helped me out from a crappy situation.
thx for your support, this time u saved hundreds gamerkiddies from heart infaction! ::) :o :( >:( ...... :D
-
The ICMP (and many other) bugs are fixed in 2.0 where I pulled that code from.
I just included the easyrule code in the dashboard package because the dashboard package needed the updated log parser for the firewall logs widget to work properly. :-)
-
Ah apropos protocols…
Now im having the Problem that just TCP Traffic seems to be blocked, Gameservers allways use UDP.
Is there some hope for me before/without 2.0?Thx to a friend I got btw the mysql lib compiled which will shoot system() from mysql @ my command line.
(an altered lib_mysqludf_sys where the execution is hardcoded to 1 certain script)
If someone needs hint/help/instructions for that, plz PM.Look:
-
the issues Jim mentioned are only cosmetic. If you're blocking traffic aside from the normal out of state traffic, your rules are wrong.
-
hm, i made screens again, the rule is one of the most simple i can guess….
can u spot the wrong setting?
the rule is btw
-auto-created by dashboard and was
-moved up in the rule order later manually by me.and http gets really blocked...
####EDIT#1#####
i think it was an existing state.
how could i kill those too?Yeeeeah, its dead and it was killed by a MYSQL möppel!
####EDIT#2#####
@jimp:
im trying now the next: adding subnets.
since im from europe, only ripe ranges are interesting through u need low latency in gamng (which makes it possible for me to get subnet info easily)
they have some REST API, u can test it here:
http://lab.db.ripe.net/whois/search?source=ripe&query-string=83.141.4.230
a friend already helped out with a little PHP script that can translate an ip range from ripe style (like peer2guaridan "1.2.3.4 - 2.3.4.5") to cdir notation. (is attached for those who like...)
Here u can test urself...
http://www.dswp.de/IPRangeConvert.php?ip=83.141.4.230 (if no IP is passed, it will take ur ClientIP...)
Now i would like to add this functionality to easyrule.php
Do u have any sugestions for me?
