Writing your own firewall rules ( NOT from webgui, by hand ) …is it possible ?

  • First up, does pfsense support this feature ? . ;D
    .. writing your own firewall rules by hand ?
    ie .. edit the related file and let pfsense apply straight away.

    I have no clue how pfsense applies its configuration at run-time. But most the configuration
    set from GUI is saved to /conf/config.xml .. or is it /cf/conf/config.xml ?

    The other closest thing that I can find is /tmp/rules.debug which are in this format :
    block in log quick all label "Default block all just to be sure."
    But editing that file doesn't really seem to affect pfsense at run-time at all.

    What I'm about to do is related to this post about activating GIF interface in pfsense :

    Yes, I have tried this and apparently it works
    ( tcpdump -i gif0 shows that there are packets coming in from the other tunnel that I have set )

    HOWEVER !,  Syslog firewall reports a block in this form :
    Apr 17 05:03:29  GIF0  TCP
    which is the default behaviour defined by this rule :
    block in log quick all label "Default block all just to be sure."

    LAN and WAN interfaces's firewall rule are disabled: granted all access to/from these interfaces.

    What I want to do, essentially, is to let IP packets comes in/out gif interface which administration
    is not supported by pfsense web gui but available under FreeBSD. So I'm thinking how can I
    edit pfsense's configuration by hand

    Thanks a lot

  • The rules.debug is dynamically regenerated and reloaded when needed (on rulesetchanges, on bootup, on loadbalancer statuschanges, …) and therefore your changes won't stay for very long. What you try to do ist not really supported.

Log in to reply