4. Changing firewall rules on the fly

Changing firewall rules on the fly

  • M

    I have several openvpn clients on m pfsense box that have endpoints at various places around the world, m ainly to get around geoblocking. There are several other people in the household that use this feature as well.

    The current method to change the gateway is simply go into the relevant firewall rule and change the gateway. This is too complex for some people to do!

    At this stage what I would like is to be able to change this running a script that takes some arguments. (IP, endpoint, etc) and hopefully create a page on the pfsense box to make it even easier.

    My current rule that I want to change is this:

    pass in quick on dc0 route-to (ovpnc3 10.195.1.5) inet from 10.0.0.101 to any flags S/SA keep state

    where 10.0.0.101 is my windows system and change it to ovpnc2.

    How would I go about this in CLI? Are there better options?

    0
  • R

    Can you make the value you want to change an alias? If so, it's fairly easy to change… You can change the value of a URL alias by doing three things.
    1.) Change the file the URL points to
    2.) Change the file that is used to load the pfctl rules
    3.) Reload the pfctl rule

    You need to do both 1 and 2 because pfSense occasionally does the update via a cron job (/usr/bin/nice -n20 /etc/rc.update_urltables). If you don't do both, it will overwrite your change.

    The following shell code will do it.

    
tbl_name=your_alias_name
new_alias_file=/some_directory/some_file
www_alias_file=/usr/local/www/some_directory/some_file
pfctl_alias_file=/var/db/aliastables/$tbl_name.txt

# update the file used for the URL alias
cp $new_alias_file $www_alias_file

# update the file used for the pfctl rule
cp $www_alias_file $pfctl_alias_file

# force update of the alias
/sbin/pfctl -t $tbl_name -T replace -f $pfctl_alias_file 2>&1

    Now the more difficult option…

    You could also start hacking away at the rule edit screen and create a screen that does what you need... but it would take a little work. The two php files to look at are firewall_rules.php and firewall_rules_edit.php. Passing the correct "id" to firewall_rules_edit .php will bring up the rule for edit - you'd just need to find the rule first. The custom page can be added to pfsense by modifying fbegin.inc (all of these files are in /usr/local/www).

    0
 

Products

Applications

Support

Services

News

Resources

Company

Our Mission

As host of the pfSense open source firewall project, Netgate believes in enhancing network connectivity that maintains both security and privacy. We also believe everyone should be able to afford it.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy