Netgate Discussion Forum
    Remote firewall rule creation?

    Category: Firewalling
    15 Posts, 3 Posters, 6.9k Views
    wurst

      Hi there, I am trying to automate firewall rule creation/deletion.

      My situation:
      I'm using pfSense with game servers behind it.
      The game servers themselves have a ban mechanism which doesn't work in some cases.
      These game servers log to a MySQL database backend; I can find my "candidate" IPs with a simple query.
      Every day I must now put the IPs that I get from this query into pfSense.

      Now I decided that enough is enough.
      I'd like to automate this process.
      First, because I'm kinda lazy. Second, the effect would be immediate banning.

      My ideas:
      Sure, there's already a great remote control: the web interface.
      What do u think about the idea to pimp firewall_rules_edit.php?
      On the game server side, wget could be a nice client, doing the auth.
      Secured by SSL, for those that need it.

      PS.
      Ah, I searched the board/web and couldn't find anything about this topic.
      If there's something already existing: sorry for disturbing, thx for the link!
      If anyone has an alternate idea/way to achieve it: You're welcome!

      cmb

        You can use curl to script such a thing, like to update an alias of those IPs.

        wurst

          curl is a nice idea, thanks.
          It seems to offer way more functionality than the wget downloader.
          Hmm…
          With curl I could simply fill the form fields. Tomorrow dark master will spam u all :)
          And it's available even from PHP.
          Sounds like fun to me!

          In between I looked at firewall_rules_edit.php.
          It should be no big problem to exchange all those form field set variables with hard-coded ones.
          I just need the source IP/range to be set.

          I'll try that in the next days and give feedback here.

          jimp (Rebel Alliance Developer, Netgate)

            Even better: write a simple php/other language app that will grab the IPs from the DB and present them as a list (one per line)

            Install the URL table package and add a URL table alias that points to that web app created above, set the value for updating to "1" (the box that is usually the CIDR drop-down)

            Add a rule to block from that alias.

            Add a cron job (via the cron package) to run the URL table update script (/etc/rc.update_urltables) every night.

            Ignore it and let it do its thing :-)

            Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

            Need help fast? Netgate Global Support!

            Do not Chat/PM for help!

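The first step jimp describes above is a small app that reads the ban candidates from the database and serves them as a plain list, one address per line, for a URL-table alias to fetch. The script below is an added example of that feed generator; it is not pfSense code and not the poster's script. It assumes a table named `ban_candidates` with an `ip` column (a constructed in-memory SQLite database stands in for the MySQL backend), and it uses documentation-range addresses as stand-ins for public ones. The part worth copying is the validation: a malformed row or an address from your own LAN must never reach a block alias.

```python
"""Generate a URL-table alias feed (one address per line) from ban candidates in a database."""
import ipaddress
import sqlite3

# Constructed sample rows, including the kind of junk a real log table can contain.
SAMPLE_ROWS = [
    ("203.0.113.7",),
    ("203.0.113.7",),        # duplicate
    (" 198.51.100.22 ",),    # stray whitespace
    ("666.666.666.666",),    # not a valid IPv4 address
    ("192.168.1.5",),        # RFC 1918: our own LAN side, must never be fed to a block alias
    ("",),                   # empty entry
    ("2001:db8::1",),        # IPv6 is accepted as well
]

# Ranges that should never be pushed into a block alias (assumption: RFC 1918 is the LAN side).
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",
    "::1/128", "fe80::/10", "fc00::/7", "::/128",
)]


def make_sample_db():
    """Build the constructed stand-in database (hypothetical table/column names)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ban_candidates (ip TEXT)")
    conn.executemany("INSERT INTO ban_candidates (ip) VALUES (?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def is_blockable(addr):
    """Accept only unicast addresses outside the local/reserved ranges listed above."""
    return not addr.is_multicast and not any(addr in net for net in LOCAL_NETS)


def candidate_addresses(conn):
    """Return the deduplicated, validated, sorted list of addresses for the alias feed."""
    seen = set()
    for (raw,) in conn.execute("SELECT ip FROM ban_candidates"):
        try:
            addr = ipaddress.ip_address((raw or "").strip())
        except ValueError:
            continue  # junk such as '' or 666.666.666.666 is skipped, never guessed at
        if is_blockable(addr):
            seen.add(addr)
    # IPv4 first, then IPv6, each in numeric order: stable output makes diffs reviewable
    return [str(a) for a in sorted(seen, key=lambda a: (a.version, int(a)))]


def render_feed(conn):
    """Body of the HTTP response the URL-table alias fetches: one entry per line."""
    return "\n".join(candidate_addresses(conn)) + "\n"


if __name__ == "__main__":
    print(render_feed(make_sample_db()), end="")
```

Serve the output of `render_feed` as `text/plain` from any web server the firewall can reach and point the URL-table alias at it; the alias then only ever sees clean, deduplicated entries, and the LAN filter protects you from a bad row in the game-server log turning into a rule that locks out your own players.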
              wurst

              The thing is, that those guys do very lame things that destroy the game totally.
              (like killing people in their own team, running insulting scripts in loops)
              10 minutes with those guys will make some soft pie from ur brain, I swear.

              So I need the machine very asap; I'm planning to run that query on every client connect through a SQL trigger…
              Anyways, I must wait till the weekend, then I'll try more. Thanx for your idea.

                jimp (Rebel Alliance Developer, Netgate)

                You could update it more frequently, but you'd have to edit the code from the package to make it trigger more often.

                  wurst

                  Hm, I want to try triggering "externally".

                  That external side is the game server with its management bot.
                  It has a database-driven backend; there's a bunch of machines integrated with the game server (forums, IRC bot, admin backend, Mumble VoIP and much more).
                  Everything works in real time; I wanna stay with that concept as much as possible.
                  We're a bunch of gamers, we are used to having it in real time, we still can't wait for… let's say... uhm... 20 milliseconds is ok.

                  The server is one of the biggest of its kind; through that it's a lamer magnet.
                  My query shows me ca. 15 such cases per day, maybe 1-2 really make probs by insulting players. We have 50 slots and ~1500 unique users every day.
                  When we ban them, they are back in 1 second, laughing @ us and continuing the swear orgy.
                  A schedule would have to be very frequent.

                  Ah, the game is Quake 3, the mod is Urban Terror, the forums are @ www.dswp.de/old. Urban Terror is free to download, if u wanna test: www.urbanterror.net
                  The database backend is driven by B3 (www.bigbrotherbot.com).

                  When I alter now the rule creator so I can give it a
                  http(s)://user:pwd@LANIP/fu.php?banip=666.666.666.666
                  I'm pretty served and happy.
                  A little floody loop could make the thing perfect.
                  But I'm a grown-up guy that knows to handle his anger by doing autosuggestion.

                    jimp (Rebel Alliance Developer, Netgate)

                    If you must trigger it remotely, install the dashboard package and look at the Easy Rule code. It can already add arbitrary hosts to an alias in a block rule by a GET request like that.

                    No need to reinvent the wheel.

                      wurst

                      Uiiii wow, dashboard!
                      omg that's oho fancy, yeah nice piece of work, jeeehesusmaria, congratulations!
                      Bill Gates looks pale in front of this and Steve Jobs admits his bad design!

                      Where can I find this Easy Rule code?
                      I don't understand, by the way, what/how this masterpiece of GUI can do for me…

                      Hm, did I say I want to wait till the weekend with my hobby?
                      It was a lie hmhm ^^

                        jimp (Rebel Alliance Developer, Netgate)

                        On the filter logs (Status > System Logs, Firewall tab), there are little green and red + buttons by the source and destination hosts.

                        Those will link to the easyrule code for adding and deleting a rule for that IP; you can see how it would work that way.

                          wurst

                          Hm, now I just thought to myself:
                          why should I install the dashboard when I go afterwards into the firewall logs (which existed before anyways)?

                          --> The firewall log is pimped after the dashboard install; there are new block/pass icons on all entries:

                          Oki, so the rest is really easy. This one does the job:

                          wget --spider "http://username:password@192.168.XXX.YYY/easyrule.php?action=block&int=wan&src=2.3.4.5"

                          Rules will be active immediately, no need to "apply-button" it…

                          Little btw: blocks don't seem to work with ICMP pinging (I tried that first...)

                          To close this topic in short:
                          pfSense once again helped me out of a crappy situation.
                          Thx for your support, this time u saved hundreds of gamer kiddies from heart infarction!  ::) :o :( >:(  ...... :D

                          [attachment: huhu.png]

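The wget one-liner in the post above works, but it puts the firewall password into the URL (and so into shell history and web-server logs) and sends it over plain http. The script below is an added example of the same easyrule.php request built from the game-server side with the address validated first, the credentials sent as an HTTP basic-auth header over HTTPS, and the secret read from the environment. It is not the poster's command and not pfSense code; it reuses only the query parameters visible in the thread (`action=block`, `int=wan`, `src=...`). The base URL `https://firewall.example` and the environment variable names `PFSENSE_USER` / `PFSENSE_PASS` are assumptions.

```python
"""Push a block for one source host to pfSense through easyrule.php (constructed example)."""
import base64
import ipaddress
import os
import urllib.parse
import urllib.request

# Addresses that must never be handed to a block rule (assumption: RFC 1918 is the LAN side).
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
)]


def validate_source(src):
    """Return the normalised address, or raise ValueError.

    A typo such as 666.666.666.666 or an address from the LAN must never reach the firewall:
    the former fails the parse, the latter would lock out your own players.
    """
    addr = ipaddress.ip_address(src.strip())
    if addr.is_multicast or any(addr in net for net in LOCAL_NETS):
        raise ValueError(f"refusing to block non-public address {addr}")
    return str(addr)


def is_valid_source(src):
    """Boolean form of validate_source for callers that only want a yes/no."""
    try:
        validate_source(src)
        return True
    except ValueError:
        return False


def easyrule_url(base_url, src, iface="wan"):
    """Build the request URL; urlencode so a hostile value cannot smuggle extra parameters."""
    query = urllib.parse.urlencode({"action": "block", "int": iface, "src": validate_source(src)})
    return f"{base_url.rstrip('/')}/easyrule.php?{query}"


def basic_auth_header(user, password):
    """The same credentials the user:password@host URL form sends, as an explicit header."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def block_host(base_url, src, user, password, timeout=5):
    """Send the request and return the HTTP status code (network call, not exercised offline)."""
    req = urllib.request.Request(easyrule_url(base_url, src), headers=basic_auth_header(user, password))
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    # Credentials come from the environment (assumed variable names), not from the URL.
    user = os.environ["PFSENSE_USER"]
    password = os.environ["PFSENSE_PASS"]
    print(block_host("https://firewall.example", "2.3.4.5", user, password))
```

Use a dedicated pfSense account for this with no more privilege than it needs, since whoever controls the game server's database now controls a firewall rule. Note also that adding the rule does not end connections that are already established; as the later posts in this thread show, an existing state keeps passing traffic until it is removed separately.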
                            jimp (Rebel Alliance Developer, Netgate)

                            The ICMP (and many other) bugs are fixed in 2.0 where I pulled that code from.

                            I just included the easyrule code in the dashboard package because the dashboard package needed the updated log parser for the firewall logs widget to work properly. :-)

                              wurst

                              Ah, apropos protocols…
                              Now I'm having the problem that just TCP traffic seems to be blocked; game servers always use UDP.
                              Is there some hope for me before/without 2.0?

                              Thx to a friend I got btw the MySQL lib compiled which will shoot system() from MySQL @ my command line.
                              (an altered lib_mysqludf_sys where the execution is hardcoded to 1 certain script)
                              If someone needs hints/help/instructions for that, plz PM.

                              Look:

                              [attachments: remote_firewall.png, remote_firewall2.png]

                                cmb

                                The issues Jim mentioned are only cosmetic. If you're blocking traffic aside from the normal out-of-state traffic, your rules are wrong.

                                  wurst

                                  Hm, I made screens again, the rule is one of the simplest I can guess….
                                  Can u spot the wrong setting?
                                  The rule is btw
                                  - auto-created by the dashboard and was
                                  - moved up in the rule order later manually by me.

                                  And HTTP gets really blocked...

                                  #### EDIT #1 ####

                                  I think it was an existing state.
                                  How could I kill those too?

                                  Yeeeeah, it's dead and it was killed by a MySQL möppel!

                                  #### EDIT #2 ####

                                  @jimp:
                                  I'm trying now the next thing: adding subnets.
                                  Since I'm from Europe, only RIPE ranges are interesting, because u need low latency in gaming (which makes it possible for me to get subnet info easily).
                                  They have some REST API, u can test it here:
                                  http://lab.db.ripe.net/whois/search?source=ripe&query-string=83.141.4.230
                                  A friend already helped out with a little PHP script that can translate an IP range from RIPE style (like PeerGuardian "1.2.3.4 - 2.3.4.5") to CIDR notation. (It is attached for those who like...)
                                  Here u can test it yourself...
                                  http://www.dswp.de/IPRangeConvert.php?ip=83.141.4.230 (if no IP is passed, it will take ur client IP...)
                                  Now I would like to add this functionality to easyrule.php.
                                  Do u have any suggestions for me?

                                  [attachments: remote_firewall3.png, remote_firewall4.png, IPRangeConvert.php.txt]

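The range-to-CIDR conversion the last post asks about (a RIPE inetnum or PeerGuardian style "1.2.3.4 - 2.3.4.5" turned into CIDR blocks) is a short greedy algorithm, and its output is exactly the host-or-CIDR-per-line form a URL-table alias accepts, so it also fits the alias workflow jimp described earlier. The code below is an added example of that algorithm; it is not the attached IPRangeConvert.php and not pfSense code. The only assumption is the input format: a single address, or two addresses separated by a hyphen.

```python
"""Convert an address range ("1.2.3.4 - 2.3.4.5") into the minimal list of CIDR blocks."""
import ipaddress


def range_to_cidrs(start, end):
    """Greedy split: at each step emit the largest aligned block that starts at `cur`
    and does not run past `end`. Works for IPv4 and IPv6 (the latter via type(lo))."""
    lo = ipaddress.ip_address(start.strip())
    hi = ipaddress.ip_address(end.strip())
    if lo.version != hi.version or int(lo) > int(hi):
        raise ValueError(f"bad range {start!r} - {end!r}")
    bits = lo.max_prefixlen
    cur, last = int(lo), int(hi)
    blocks = []
    while cur <= last:
        # Largest power-of-two block aligned at cur is bounded by the lowest set bit of cur
        # (for cur == 0 every alignment holds, so start from the whole address space).
        size = (1 << bits) if cur == 0 else (cur & -cur)
        # Shrink until the block fits inside what is left of the range.
        while cur + size - 1 > last:
            size >>= 1
        prefix = bits - (size.bit_length() - 1)   # size == 2**k  ->  prefix = bits - k
        blocks.append(f"{type(lo)(cur)}/{prefix}")
        cur += size
    return blocks


def parse_range_line(line):
    """Parse 'a.b.c.d - e.f.g.h' (RIPE inetnum / PeerGuardian style); a lone address is a range of one."""
    parts = [p.strip() for p in line.split("-")]
    if len(parts) == 1:
        parts = parts * 2
    if len(parts) != 2 or not all(parts):
        raise ValueError(f"cannot parse range {line!r}")
    return range_to_cidrs(parts[0], parts[1])


def render_alias_lines(lines):
    """Turn several range lines into one URL-table style feed: one CIDR per line."""
    out = []
    for line in lines:
        if line.strip():
            out.extend(parse_range_line(line))
    return "\n".join(out) + "\n"


def matches_stdlib(start, end):
    """Cross-check against the standard library's own summarizer (same greedy split)."""
    lo = ipaddress.ip_address(start)
    hi = ipaddress.ip_address(end)
    expected = [str(n) for n in ipaddress.summarize_address_range(lo, hi)]
    return range_to_cidrs(start, end) == expected


if __name__ == "__main__":
    # Constructed sample input in the format the post describes.
    sample = ["192.0.2.1 - 192.0.2.6", "192.0.2.0 - 192.0.2.255", "83.141.4.230"]
    print(render_alias_lines(sample), end="")
```

Feeding whole allocations into a block rule is a much bigger hammer than blocking one host, so review what a range expands to before it goes into the alias: a single RIPE inetnum can cover an entire ISP, and the CIDR list makes the size of what you are about to block visible.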
                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.