4. "EasyRule" Add rule from console?

"EasyRule" Add rule from console?

  • B

    In the list of new features in 2.0, it says you can add firewall rules from the console. I don't see this in the console menu. Is it something that has to be done from the shell? Is there documentation anywhere for it? I can't find anything in the wiki or the forum. My apologies if I missed it.

    0
  • J

    If your looking for a way to allow web interface access from WAN, you could use the "Developer Shell" (previously called PHP Shell) and use "replay enableallowallfromwan" (re-check the commands cause I wrote from memory)

    0
  • B

    Close, I was actually looking for a way to allow access to the web interface on a new installation from an OPT interface from the console.

    0
  • M

    @Briantist:

    Close, I was actually looking for a way to allow access to the web interface on a new installation from an OPT interface from the console.

    Once you set up the OPTional network preferences (  static IP , DHCP , IP Range ect )  , you'll be able to log into the web interface through the specified IP.

    0

  • What might help you:
    http://doc.pfsense.com/index.php/I_locked_myself_out_of_the_WebGUI,_help!#Remotely_Circumvent_Firewall_Lockout_by_Temporarily_Changing_the_Firewall_Rules

    0
  • B

    mudman, what you described won't work because the firewall will block the traffic.

    Gruens, that is helpful (and I've already worked around this issue by just buckling down and using the LAN interface), but I'm still curious about this. The feature of setting firewall rules from the console has been in the new for 2.0 list since before the release, if I recall, and it would be great to know how to use it!

    0
  • P

    @Briantist:

    mudman, what you described won't work because the firewall will block the traffic.

    This is not correct. Once you create and assign an ip the web gui anti lockout should take effect and you will be able to login to the gui from the opt subnet. internet will not be possible nor will getting to other LAN you might have setup until after a rule is created. The only way for this to be true is if the lockout is disabled in the advanced options.

    0

  • Lockout only applies to the LAN interface.

    What briantist is trying, is to get access via an OPT interface.

    0
  • B

    @GruensFroeschli:

    Lockout only applies to the LAN interface.

    What briantist is trying, is to get access via an OPT interface.

    Yes, this. It's on a brand new installation, so the anti-lockout rule is in effect, but as Gruens pointed out it applies only to the LAN interface.

    0
  • Rebel Alliance Developer Netgate

    @Briantist:

    In the list of new features in 2.0, it says you can add firewall rules from the console. I don't see this in the console menu. Is it something that has to be done from the shell? Is there documentation anywhere for it? I can't find anything in the wiki or the forum. My apologies if I missed it.

    The (appropriately named) easyrule command from the shell. :-)

    : easyrule 
usage:
 Blocking only requires an IP to block
     easyrule block <interface><source ip="">

 Passing requires more detail, as it must be as specific as possible. The destination port is optional if you're using a protocol without a port (e.g. ICMP, OSPF, etc).
     easyrule pass <interface><protocol><source ip=""> <destination ip="">[destination port]

 Block example:
     easyrule block wan 1.2.3.4

 Pass example (protocol with port):
     easyrule pass wan tcp 1.2.3.4 192.168.0.4 80

 Block example (protocol without port):
     easyrule pass wan icmp 1.2.3.4 192.168.0.4</destination></protocol></interface></interface>
    0
  • B

    @jimp:

    @Briantist:

    In the list of new features in 2.0, it says you can add firewall rules from the console. I don't see this in the console menu. Is it something that has to be done from the shell? Is there documentation anywhere for it? I can't find anything in the wiki or the forum. My apologies if I missed it.

    The (appropriately named) easyrule command from the shell. :-)

    : easyrule 
usage:
 Blocking only requires an IP to block
     easyrule block <interface><source ip="">

 Passing requires more detail, as it must be as specific as possible. The destination port is optional if you're using a protocol without a port (e.g. ICMP, OSPF, etc).
     easyrule pass <interface><protocol><source ip=""> <destination ip="">[destination port]

 Block example:
     easyrule block wan 1.2.3.4

 Pass example (protocol with port):
     easyrule pass wan tcp 1.2.3.4 192.168.0.4 80

 Block example (protocol without port):
     easyrule pass wan icmp 1.2.3.4 192.168.0.4</destination></protocol></interface></interface>

    Very nice! If this is already in the available documentation, then I think it's difficult to find. If not it should be added!

    Thanks Jim.

    0
  • Rebel Alliance Developer Netgate

    I tossed a page on the wiki for it just now:

    http://doc.pfsense.org/index.php/Adding_Rules_With_easyrule

    0
Log in to reply
 

Products

Applications

Support

Services

News

Resources

Company

Our Mission

As host of the pfSense open source firewall project, Netgate believes in enhancing network connectivity that maintains both security and privacy. We also believe everyone should be able to afford it.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy