Netgate Discussion Forum

    "EasyRule" Add rule from console?

    Firewalling
    12 Posts 6 Posters 16.8k Views
      Briantist

      In the list of new features in 2.0, it says you can add firewall rules from the console. I don't see this in the console menu. Is it something that has to be done from the shell? Is there documentation anywhere for it? I can't find anything in the wiki or the forum. My apologies if I missed it.

        Joolee

        If you're looking for a way to allow web interface access from WAN, you could use the "Developer Shell" (previously called PHP Shell) and use "replay enableallowallfromwan" (re-check the commands 'cause I wrote from memory).

          Briantist

          Close, I was actually looking for a way to allow access to the web interface on a new installation from an OPT interface from the console.

            mudmanc4

            @Briantist:

            Close, I was actually looking for a way to allow access to the web interface on a new installation from an OPT interface from the console.

            Once you set up the OPTional network preferences (static IP, DHCP, IP range, etc.), you'll be able to log into the web interface through the specified IP.

              GruensFroeschli

              What might help you:
              http://doc.pfsense.com/index.php/I_locked_myself_out_of_the_WebGUI,_help!#Remotely_Circumvent_Firewall_Lockout_by_Temporarily_Changing_the_Firewall_Rules

              We do what we must, because we can.

              Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

                Briantist

                mudman, what you described won't work because the firewall will block the traffic.

                Gruens, that is helpful (and I've already worked around this issue by just buckling down and using the LAN interface), but I'm still curious about this. The feature of setting firewall rules from the console has been in the new for 2.0 list since before the release, if I recall, and it would be great to know how to use it!

                  podilarius

                  @Briantist:

                  mudman, what you described won't work because the firewall will block the traffic.

                  This is not correct. Once you create and assign an IP, the web GUI anti-lockout should take effect and you will be able to log in to the GUI from the OPT subnet. Internet will not be possible, nor will getting to other LANs you might have set up, until after a rule is created. The only way for this to be true is if the lockout is disabled in the advanced options.

                    GruensFroeschli

                    Lockout only applies to the LAN interface.

                    What briantist is trying, is to get access via an OPT interface.

                      Briantist

                      @GruensFroeschli:

                      Lockout only applies to the LAN interface.

                      What briantist is trying, is to get access via an OPT interface.

                      Yes, this. It's on a brand new installation, so the anti-lockout rule is in effect, but as Gruens pointed out it applies only to the LAN interface.

                        jimp Rebel Alliance Developer Netgate

                        @Briantist:

                        In the list of new features in 2.0, it says you can add firewall rules from the console. I don't see this in the console menu. Is it something that has to be done from the shell? Is there documentation anywhere for it? I can't find anything in the wiki or the forum. My apologies if I missed it.

                        The (appropriately named) easyrule command from the shell. :-)

                        : easyrule
                        usage:
                         Blocking only requires an IP to block
                             easyrule block <interface> <source IP>

                         Passing requires more detail, as it must be as specific as possible. The destination port is optional if you're using a protocol without a port (e.g. ICMP, OSPF, etc).
                             easyrule pass <interface> <protocol> <source IP> <destination ip> [destination port]

                         Block example:
                             easyrule block wan 1.2.3.4

                         Pass example (protocol with port):
                             easyrule pass wan tcp 1.2.3.4 192.168.0.4 80

                         Block example (protocol without port):
                             easyrule pass wan icmp 1.2.3.4 192.168.0.4
                        

                        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                        Need help fast? Netgate Global Support!

                        Do not Chat/PM for help!
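
Added example (not part of the thread and not pfSense code): a shell sketch for the thread's original question that checks the arguments of one narrowly scoped easyrule pass rule and prints the command instead of running it. The interface name opt1, the 10.0.1.x addresses and port 443 are constructed values, and accepting only tcp, udp and icmp is a choice of this example; the argument order follows the usage text quoted above.

```shell
#!/bin/sh
# Added example: validate, then print, one "easyrule pass" command (dry run).
# Assumed values: interface opt1, admin host 10.0.1.50, firewall 10.0.1.1.

# Succeeds only for a single dotted-quad IPv4 address (no CIDR, no "any").
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Prints the easyrule command for one specific pass rule, or fails with a reason.
build_pass_rule() {
    iface=$1 proto=$2 src=$3 dst=$4 port=$5
    case "$iface" in
        ''|*[!a-z0-9]*) echo "bad interface: $iface" >&2; return 1 ;;
    esac
    case "$proto" in
        tcp|udp) need_port=1 ;;
        icmp)    need_port=0 ;;   # portless protocol: no port argument
        *) echo "protocol not handled by this example: $proto" >&2; return 1 ;;
    esac
    is_ipv4 "$src" || { echo "source must be one IPv4 host: $src" >&2; return 1; }
    is_ipv4 "$dst" || { echo "destination must be one IPv4 host: $dst" >&2; return 1; }
    if [ "$need_port" -eq 1 ]; then
        case "$port" in
            ''|*[!0-9]*|??????*) echo "bad or missing port: $port" >&2; return 1 ;;
        esac
        { [ "$port" -ge 1 ] && [ "$port" -le 65535 ]; } || { echo "port out of range" >&2; return 1; }
    elif [ -n "$port" ]; then
        echo "$proto takes no port" >&2; return 1
    fi
    echo "easyrule pass $iface $proto $src $dst${port:+ $port}"
}

# WebGUI (HTTPS) access from one admin workstation on the OPT network.
build_pass_rule opt1 tcp 10.0.1.50 10.0.1.1 443
```

Review the printed line, then run it at the pfSense shell; a rule added this way is a starting point to tighten or replace from the web interface once access works.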

                          Briantist

                          @jimp:

                          @Briantist:

                          In the list of new features in 2.0, it says you can add firewall rules from the console. I don't see this in the console menu. Is it something that has to be done from the shell? Is there documentation anywhere for it? I can't find anything in the wiki or the forum. My apologies if I missed it.

                          The (appropriately named) easyrule command from the shell. :-)

                          : easyrule
                          usage:
                           Blocking only requires an IP to block
                               easyrule block <interface> <source IP>

                           Passing requires more detail, as it must be as specific as possible. The destination port is optional if you're using a protocol without a port (e.g. ICMP, OSPF, etc).
                               easyrule pass <interface> <protocol> <source IP> <destination ip> [destination port]

                           Block example:
                               easyrule block wan 1.2.3.4

                           Pass example (protocol with port):
                               easyrule pass wan tcp 1.2.3.4 192.168.0.4 80

                           Block example (protocol without port):
                               easyrule pass wan icmp 1.2.3.4 192.168.0.4
                          

                          Very nice! If this is already in the available documentation, then I think it's difficult to find. If not it should be added!

                          Thanks Jim.

                            jimp Rebel Alliance Developer Netgate

                            I tossed a page on the wiki for it just now:

                            http://doc.pfsense.org/index.php/Adding_Rules_With_easyrule
