Remote Firewall States Drop



  • Hi there, i had a Topic where i try to create firewall rules remotely.
    One question was still open, it was howto kill exsiting States, remote again.
    Cause after AliasList Update, theres the need to kill existing connections.

    Heres the old Topic, its locked:
    http://forum.pfsense.org/index.php/topic,27134.msg141359.html
    My Configuration: Pfsense 1.23 as a VmWare Server2 VM, having 2NIC, 512Ram and 2Cores.

    …And heres my personal find  XD

    --> copied with love from ./diag_dump_states.php

    
    /* handle AJAX operations */
    if($_GET['action']) {
    	if($_GET['action'] == "remove") {
    		$srcip  = $_GET['srcip'];
    		$dstip  = $_GET['dstip'];
    		if (is_ipaddr($srcip) and is_ipaddr($dstip)) {
    			$retval = mwexec("/sbin/pfctl -k '{$srcip}' -k '{$dstip}'");
    			echo htmlentities("|{$srcip}|{$dstip}|{$retval}|");
    		} else {
    			echo "invalid input";
    		}
    		exit;
    	}
    }
    
    

    So im sending this via teh php, it worx! (yeah)

    
    file_get_contents("http://user:******@192.168.x.y/diag_dump_states.php?action=remove&srcip=".$row['ip']."&dstip=192.168.x.z");
    file_get_contents("http://user:******@192.168.x.y/diag_dump_states.php?action=remove&srcip=192.168.x.z&dstip=".$row['ip']);
    
    

    (wget –spider is another option to shoot that REST interface...)

    IMPORTANT: Let 10-30 Seconds time after FW Entry insertion.
    Else States might be re- established.
    I Myself go loop 30 sec. with a sleep()

    This Configuration enables the Servers (behind NAT) to throw out specified hosts.
    I think that the future Firewall will look pretty much like that:
    Server behind cries for help, Filter serves...

    Thx for the great work, thx for doing it in PHP.
    I reached m goal with PfSense, again.


Log in to reply