Enable/disable existing rule via script

  • Hello,

    I want to enable/disable an existing rule via a ssh script. Is this possible  ?


  • Netgate Administrator

    A firewall rule?
    This should be possible by calling the appropriate php script. Though I don't know what that is!  ;)
    I would experiment using the php shell until I knew what the config command is then find out how to execute that from a script.

    Unfortunately it looks like you have to know which rule it is by number. It's not something I have ever tried to do before but for example:

    pfSense shell: global $config;
    pfSense shell: parse_config(true);
    pfSense shell: print_r($config['filter']['rule']['3']);
    pfSense shell: exec
        [id] =>
        [type] => pass
        [interface] => lan
        [tag] =>
        [tagged] =>
        [max] =>
        [max-src-nodes] =>
        [max-src-conn] =>
        [max-src-states] =>
        [statetimeout] =>
        [statetype] => keep state
        [os] =>
        [source] => Array
                [address] =>
        [destination] => Array
                [any] =>
        [descr] => Loadbalancing Toshiba Laptop
        [gateway] => LoadBalance
        [disabled] =>

    The above rule, rule 3, is disabled. Rules that are not disabled don't have that property in the config. You can then re-enable it like so:

    pfSense shell: global $config;
    pfSense shell: parse_config(true);
    pfSense shell: $config['filter']['rule']['3']['disabled'] = false;
    pfSense shell: write_config();
    pfSense shell: exec

    Or disable it again:

    pfSense shell: global $config;
    pfSense shell: parse_config(true);
    pfSense shell: $config['filter']['rule']['3']['disabled'] = true;
    pfSense shell: write_config();
    pfSense shell: exec

    If you use the recording feature you can make some php shell scripts out of those which you can then playback from any script. E.g.

    pfSsh.php playback enablerule3

    You may have to reload the firewall rules somewhere in there for it to take effect. I just made most of that up as I went along but it seems to work OK!  ;)


    Edit: Hmm, looking at the example scripts in /etc/phpshellsessions it looks as though it maybe more complex than this. Maybe not!
    Also it looks like you would have to reload the firewall filters with:

  • hi, thank you for your information.

    i figured it out that it is firewall_rules.php?if=lan&act=toggle&id=10
    the id and code can you see in the status bar if you do a mouse over in the first column in the rule-list to toggle the rule.

    i miss now the appropriate php script to "apply changes". But i didn't find this one.
    status_filter_reload.php does not work. Any ideas ?

    i did a grep on filter_configure_sync, but to no avail.


  • following code does the trick

    /* invalidate interface cache */
    $retval = 0;
                    $retval = filter_configure();
                    echo "The settings have been applied. The firewall rules are now reloading in the background.