Port forwarding works great. Need help updating firewall alias based on event



  • Using 2.1-BETA1 (i386) built on Thu Mar 21 04:30:58 EDT 2013, FreeBSD 8.3-RELEASE-p6, to establish an OpenVPN tunnel to a VPN server. It works like a charm, including a static port forwarding nat/rule. I am attempting to update the static firewall nat/rule based on an external event. I have an alias defined for HOSTIP and HOSTPORT. The value of HOSTPORT depends on the external event.

    The following script fragment shows how I intend to update the firewall. Is this the correct approach or am I off the rails?

    I'm not certain if "pfctl -f" will merge with existing rules or instead do something I don't expect. The HOSTPORT does not have to persist in the pfSense database (I can retrieve its value at any time from the external source).

    
    #
    # Update pf port forwarding:
    #     $VPN_PORT (in): Port allocated by VPN server to be forwarded to host.
    #     $CONF (in): Config file with OpenVPN "interface" macro name.
    #
    # Is the port already forwarded? "pfctl -s nat" prints the loaded rdr rules
    # with their ports in "port = N" form; the trailing group stops 1234 from
    # matching 12345.
    PFPORT=`pfctl -s nat | grep -oE "port[ ]+=[ ]+${VPN_PORT}([^0-9]|$)"`
    # Single quotes here: with double quotes the shell expands $2 before awk sees it.
    PFINTERFACE=`awk '/^interface/ {print $2}' "$CONF"`
    if [ ! -z "$PFPORT" ]; then
        logger "vpn[43]: VPN port for $PFINTERFACE has not changed. Not updating firewall rules."
        exit 0
    fi
    # Build a small rules file from pfSense's generated /tmp/rules.debug:
    # the interface macro, the new HOSTPORT macro and the HOSTIP macro.
    grep "^$PFINTERFACE" /tmp/rules.debug > /tmp/update.debug
    echo "HOSTPORT = \"{ $VPN_PORT }\"" >> /tmp/update.debug
    grep "HOSTIP" /tmp/rules.debug >> /tmp/update.debug
    # Load it. Note: "pfctl -f FILE" loads FILE as the complete ruleset in place
    # of whatever is currently loaded; it does not merge with existing rules.
    pfctl -f /tmp/update.debug

    exit 0
    
    

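As an added example (not the original poster's script, and not code from pfSense itself): the same update done against a copy of the whole generated rules file, so that the `pfctl -f` reload hands pf a complete ruleset rather than three macro lines. It assumes pfSense's /tmp/rules.debug as the rules file and the HOSTPORT alias name from the post; the `log` helper, the function names and the sample rules text are constructed for this illustration. The "has the port changed?" check is made against the macro in the rules text instead of `pfctl -s nat`, and the rewritten file is parsed with `pfctl -n -f` before anything is loaded.

```sh
#!/bin/sh
# Added example, not the original poster's script. Rewrite the HOSTPORT port
# alias (a pf macro in pfSense's generated /tmp/rules.debug) and reload the
# complete ruleset. "pfctl -f FILE" replaces the loaded ruleset with FILE, so
# the file handed to it must be the whole thing, not just the changed macros.

# Log via syslog when logger(1) works, otherwise to stderr (constructed helper).
log() {
    logger -t vpn "$*" 2>/dev/null || echo "vpn: $*" >&2
}

# Print the port held by macro $1 (e.g. 'HOSTPORT = "{ 51000 }"' -> 51000)
# from the rules text on stdin; prints nothing if the macro is absent.
get_port_macro() {
    awk -v name="$1" '
        $1 == name && $2 == "=" {
            s = $0
            sub(/^[^{]*\{ */, "", s)
            sub(/ *\}.*$/, "", s)
            print s
            exit
        }'
}

# Copy the rules text on stdin to stdout, replacing the value of macro $1
# with port $2. Exit status 1 if the macro was not found (nothing to update).
set_port_macro() {
    awk -v name="$1" -v port="$2" '
        $1 == name && $2 == "=" { print name " = \"{ " port " }\""; found = 1; next }
        { print }
        END { exit !found }'
}

# Point the forward at port $1. $2 is the rules file (default: pfSense's
# generated /tmp/rules.debug). Returns 0 on success or when nothing changed,
# 2 on a bad port, 1 on any other failure. The live ruleset is only touched
# after the rewritten file has passed "pfctl -n" (parse only, load nothing).
update_forward() {
    port=$1
    rules=${2:-/tmp/rules.debug}
    case $port in
        ''|*[!0-9]*) log "rejecting non-numeric port '$port'"; return 2 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        log "rejecting out-of-range port $port"; return 2
    fi
    current=$(get_port_macro HOSTPORT < "$rules")
    if [ "$current" = "$port" ]; then
        log "HOSTPORT is already $port; not reloading"; return 0
    fi
    command -v pfctl >/dev/null 2>&1 || { log "pfctl not found"; return 1; }
    tmp=$(mktemp /tmp/rules.XXXXXX) || return 1
    if ! set_port_macro HOSTPORT "$port" < "$rules" > "$tmp"; then
        log "no HOSTPORT macro in $rules"; rm -f "$tmp"; return 1
    fi
    if ! pfctl -n -f "$tmp"; then
        log "rewritten rules failed to parse; live ruleset untouched"; rm -f "$tmp"; return 1
    fi
    if pfctl -f "$tmp"; then
        mv "$tmp" "$rules"
        log "HOSTPORT changed from '$current' to $port and ruleset reloaded"
    else
        rm -f "$tmp"; return 1
    fi
}

# Constructed fragment in the shape of a pfSense rules.debug, for offline use.
SAMPLE_RULES='set optimization normal
HOSTIP = "{ 10.0.8.2 }"
HOSTPORT = "{ 51000 }"
rdr on $openvpn proto tcp from any to any port $HOSTPORT -> $HOSTIP'

# Usage on the firewall, as root: vpnport.sh PORT [RULESFILE]
if [ $# -gt 0 ]; then
    update_forward "$@"
fi
```

Run it on the firewall as `./vpnport.sh "$VPN_PORT"` from whatever handles the external event. One caveat: pfSense regenerates /tmp/rules.debug from config.xml on every filter reload (saving any rule or alias in the GUI, for instance), which reverts a port set this way; if the forwarded port has to survive reloads, the alias itself has to be changed in the configuration rather than in the generated file.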

  • I'm no coder, but you might be able to borrow some stuff off pfBlocker?

