"EasyRule" Add rule from console?

Briantist

In the list of new features in 2.0, it says you can add firewall rules from the console. I don't see this in the console menu. Is it something that has to be done from the shell? Is there documentation anywhere for it? I can't find anything in the wiki or the forum. My apologies if I missed it.

Joolee

If your looking for a way to allow web interface access from WAN, you could use the "Developer Shell" (previously called PHP Shell) and use "replay enableallowallfromwan" (re-check the commands cause I wrote from memory)

Briantist

Close, I was actually looking for a way to allow access to the web interface on a new installation from an OPT interface from the console.

mudmanc4

@Briantist:

Close, I was actually looking for a way to allow access to the web interface on a new installation from an OPT interface from the console.

Once you set up the OPTional network preferences (  static IP , DHCP , IP Range ect )  , you'll be able to log into the web interface through the specified IP.

GruensFroeschli

What might help you:
http://doc.pfsense.com/index.php/I_locked_myself_out_of_the_WebGUI,_help!#Remotely_Circumvent_Firewall_Lockout_by_Temporarily_Changing_the_Firewall_Rules

Briantist

mudman, what you described won't work because the firewall will block the traffic.

Gruens, that is helpful (and I've already worked around this issue by just buckling down and using the LAN interface), but I'm still curious about this. The feature of setting firewall rules from the console has been in the new for 2.0 list since before the release, if I recall, and it would be great to know how to use it!

podilarius

@Briantist:

mudman, what you described won't work because the firewall will block the traffic.

This is not correct. Once you create and assign an ip the web gui anti lockout should take effect and you will be able to login to the gui from the opt subnet. internet will not be possible nor will getting to other LAN you might have setup until after a rule is created. The only way for this to be true is if the lockout is disabled in the advanced options.

GruensFroeschli

Lockout only applies to the LAN interface.

What briantist is trying, is to get access via an OPT interface.

Briantist

@GruensFroeschli:

Lockout only applies to the LAN interface.

What briantist is trying, is to get access via an OPT interface.

Yes, this. It's on a brand new installation, so the anti-lockout rule is in effect, but as Gruens pointed out it applies only to the LAN interface.

jimp

@Briantist:

In the list of new features in 2.0, it says you can add firewall rules from the console. I don't see this in the console menu. Is it something that has to be done from the shell? Is there documentation anywhere for it? I can't find anything in the wiki or the forum. My apologies if I missed it.

The (appropriately named) easyrule command from the shell. :-)

: easyrule 
usage:
 Blocking only requires an IP to block
     easyrule block <interface><source ip="">

 Passing requires more detail, as it must be as specific as possible. The destination port is optional if you're using a protocol without a port (e.g. ICMP, OSPF, etc).
     easyrule pass <interface><protocol><source ip=""> <destination ip="">[destination port]

 Block example:
     easyrule block wan 1.2.3.4

 Pass example (protocol with port):
     easyrule pass wan tcp 1.2.3.4 192.168.0.4 80

 Block example (protocol without port):
     easyrule pass wan icmp 1.2.3.4 192.168.0.4</destination></protocol></interface></interface> 

Briantist

@jimp:

@Briantist:

In the list of new features in 2.0, it says you can add firewall rules from the console. I don't see this in the console menu. Is it something that has to be done from the shell? Is there documentation anywhere for it? I can't find anything in the wiki or the forum. My apologies if I missed it.

The (appropriately named) easyrule command from the shell. :-)

: easyrule 
usage:
 Blocking only requires an IP to block
     easyrule block <interface><source ip="">

 Passing requires more detail, as it must be as specific as possible. The destination port is optional if you're using a protocol without a port (e.g. ICMP, OSPF, etc).
     easyrule pass <interface><protocol><source ip=""> <destination ip="">[destination port]

 Block example:
     easyrule block wan 1.2.3.4

 Pass example (protocol with port):
     easyrule pass wan tcp 1.2.3.4 192.168.0.4 80

 Block example (protocol without port):
     easyrule pass wan icmp 1.2.3.4 192.168.0.4</destination></protocol></interface></interface> 

Very nice! If this is already in the available documentation, then I think it's difficult to find. If not it should be added!

Thanks Jim.

jimp

I tossed a page on the wiki for it just now:

http://doc.pfsense.org/index.php/Adding_Rules_With_easyrule