    Port forwarding works great. Need help updating firewall alias based on event

    naughtycamel wrote:

      Using 2.1-BETA1 (i386) built on Thu Mar 21 04:30:58 EDT 2013 FreeBSD 8.3-RELEASE-p6 to establish an OpenVPN tunnel to a VPN server. It works like a charm, including a static port forwarding nat/rule. I am attempting to update the static firewall nat/rule based on an external event. I have an alias defined for the HOSTIP and HOSTPORT. The value of HOSTPORT depends on the external event.

      The following script fragment shows how I intend to update the firewall. Is this the correct approach or am I off the rails?

      I'm not certain if "pfctl -f" will merge with existing rules or instead do something I don't expect. The HOSTPORT does not have to persist in the pfSense database (I can retrieve its value at any time from the external source).

      
      #!/bin/sh
      #
      # Update pf port forwarding:
      #     $VPN_PORT (in): Port allocated by VPN server to be forwarded to host.
      #     $CONF (in): Config file with OpenVPN "interface" macro name.
      #
      : "${VPN_PORT:?VPN_PORT must be set}"
      : "${CONF:?CONF must be set}"
      # -w matches the whole port number, so 1194 is not mistaken for 11940
      PFPORT=$(pfctl -s nat | grep -owE "port += +$VPN_PORT")
      PFINTERFACE=$(awk '/^interface/ {print $2}' "$CONF")
      if [ -n "$PFPORT" ]; then
          logger "vpn[43]: VPN port for $PFINTERFACE has not changed. Not updating firewall rules."
          exit 0
      fi
      grep "^$PFINTERFACE" /tmp/rules.debug > /tmp/update.debug
      echo "HOSTPORT = \"{ $VPN_PORT }\"" >> /tmp/update.debug
      grep "HOSTIP" /tmp/rules.debug >> /tmp/update.debug
      # pfctl -f loads this file as the complete ruleset (it does not merge);
      # -n first parses it without loading, so a syntax error never reaches pf.
      pfctl -nf /tmp/update.debug && pfctl -f /tmp/update.debug
      
      exit 0
      
      SeventhSon wrote:
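One way to make the update without loading a partial ruleset, as an added example that is not the poster's script: rewrite the HOSTPORT macro in a full copy of /tmp/rules.debug, check that it parses, and only then load it. It assumes pfSense writes port aliases into rules.debug as NAME = "{ port }", and the miniature rules file is constructed for offline testing.

```sh
#!/bin/sh
# Added example (not the poster's script): change the HOSTPORT alias macro in a
# copy of pfSense's generated ruleset and validate it before it is ever loaded.
# Assumes pfSense writes port aliases as  NAME = "{ port }"  in /tmp/rules.debug.

# current_hostport RULES_FILE -> prints the port currently assigned to HOSTPORT
current_hostport() {
    sed -n 's/^HOSTPORT = "{ *\([0-9][0-9]*\) *}"$/\1/p' "$1"
}

# rewrite_hostport RULES_FILE NEW_PORT OUT_FILE
# Copies the full ruleset with only the HOSTPORT macro changed, so loading
# OUT_FILE with pfctl -f does not drop every other rule. Returns:
#   0 written, 1 bad port, 2 macro not found (nothing written), 3 unchanged
rewrite_hostport() {
    rules=$1 port=$2 out=$3
    case $port in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    grep -q '^HOSTPORT = ' "$rules" || return 2
    [ "$(current_hostport "$rules")" = "$port" ] && return 3
    sed "s/^HOSTPORT = .*/HOSTPORT = \"{ $port }\"/" "$rules" > "$out"
    # line counts must match: sed only substituted, it never dropped a rule
    [ $(($(wc -l < "$rules"))) -eq $(($(wc -l < "$out"))) ]
}

# Constructed miniature of a pfSense rules.debug, used only for offline testing.
make_sample_rules() {
    cat > "$1" <<'EOF'
ovpnc1 = "{ ovpnc1 }"
table <HOSTIP> { 192.0.2.10 }
HOSTIP = "<HOSTIP>"
HOSTPORT = "{ 1194 }"
rdr on $ovpnc1 proto tcp from any to any port $HOSTPORT -> $HOSTIP port $HOSTPORT
pass in quick on $ovpnc1 proto tcp from any to $HOSTIP port $HOSTPORT keep state
EOF
}

# On the firewall itself the remaining steps would be:
#   rewrite_hostport /tmp/rules.debug "$VPN_PORT" /tmp/update.debug \
#     && pfctl -nf /tmp/update.debug && pfctl -f /tmp/update.debug
```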

        I'm no coder, but you might be able to borrow some stuff off pfBlocker?
