Changing firewall rules on the fly



  • I have several OpenVPN clients on my pfSense box that have endpoints at various places around the world, mainly to get around geoblocking. There are several other people in the household that use this feature as well.

    The current method to change the gateway is simply to go into the relevant firewall rule and change the gateway. This is too complex for some people to do!

    At this stage what I would like is to be able to change this by running a script that takes some arguments (IP, endpoint, etc.) and hopefully create a page on the pfSense box to make it even easier.

    My current rule that I want to change is this:

    pass in quick on dc0 route-to (ovpnc3 10.195.1.5) inet from 10.0.0.101 to any flags S/SA keep state

    where 10.0.0.101 is my Windows system, and change it to ovpnc2.

    How would I go about this in CLI? Are there better options?



  • Can you make the value you want to change an alias? If so, it's fairly easy to change… You can change the value of a URL alias by doing three things.
    1.) Change the file the URL points to
    2.) Change the file that is used to load the pfctl rules
    3.) Reload the pfctl rule

    You need to do both 1 and 2 because pfSense occasionally does the update via a cron job (/usr/bin/nice -n20 /etc/rc.update_urltables). If you don't do both, it will overwrite your change.

    The following shell code will do it.

    #!/bin/sh
    # Settings: the alias (table) name and the three files involved.
    # Quote the variables so a name or path containing spaces cannot split the commands.
    tbl_name=your_alias_name
    new_alias_file=/some_directory/some_file
    www_alias_file=/usr/local/www/some_directory/some_file
    pfctl_alias_file=/var/db/aliastables/$tbl_name.txt

    # update the file used for the URL alias
    cp "$new_alias_file" "$www_alias_file"

    # update the file used for the pfctl rule (otherwise the cron job overwrites the change)
    cp "$www_alias_file" "$pfctl_alias_file"

    # force update of the alias
    /sbin/pfctl -t "$tbl_name" -T replace -f "$pfctl_alias_file" 2>&1


    Now the more difficult option…

    You could also start hacking away at the rule edit screen and create a screen that does what you need... but it would take a little work. The two PHP files to look at are firewall_rules.php and firewall_rules_edit.php. Passing the correct "id" to firewall_rules_edit.php will bring up the rule for edit - you'd just need to find the rule first. The custom page can be added to pfSense by modifying fbegin.inc (all of these files are in /usr/local/www).
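The three-step alias update from the answer above, wrapped in one argument-taking script of the kind the question asks for; this is an added example, not code from the thread or from pfSense. It assumes a URL-table alias whose file lives under /usr/local/www/aliases (WWW_DIR is an assumed location; the /var/db/aliastables path is the one given in the answer), and it validates the alias name and every address before anything is written, so a household member with access to the script cannot push arbitrary text into a file that pfctl loads.

```shell
#!/bin/sh
# Usage: set_alias.sh <alias_name> <ipv4[/prefix]> [<ipv4[/prefix]> ...]
# Rewrites a URL-table alias with the given addresses and reloads it in pf.
set -eu

WWW_DIR="${WWW_DIR:-/usr/local/www/aliases}"   # assumed: directory served for the URL alias
PFCTL_DIR="${PFCTL_DIR:-/var/db/aliastables}"  # pfSense's table cache, from the answer

# Accept only a dotted-quad IPv4 address with an optional /prefix. Hostnames,
# shell metacharacters and out-of-range octets are rejected.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq \
        '^((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(/([0-9]|[12][0-9]|3[0-2]))?$'
}

# pfSense alias names are letters, digits and underscore; restricting the name
# this way also keeps it safe to use as part of a file path.
valid_alias_name() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z_][A-Za-z0-9_]*$'
}

# Write the validated entries, one per line, to the target file atomically
# (temp file + mv) so the cron job never reads a half-written table.
write_table() {
    target="$1"; shift
    tmp="$(mktemp "$target.XXXXXX")"
    for entry in "$@"; do
        valid_ipv4 "$entry" || { rm -f "$tmp"; echo "rejected entry: $entry" >&2; return 1; }
        printf '%s\n' "$entry" >> "$tmp"
    done
    chmod 0644 "$tmp"   # the web server must be able to read the URL alias file
    mv "$tmp" "$target"
}

main() {
    alias="$1"; shift
    valid_alias_name "$alias" || { echo "bad alias name: $alias" >&2; exit 1; }
    write_table "$WWW_DIR/$alias.txt" "$@"                          # 1: file the URL alias points at
    cp "$WWW_DIR/$alias.txt" "$PFCTL_DIR/$alias.txt"                # 2: file pfctl loads
    /sbin/pfctl -t "$alias" -T replace -f "$PFCTL_DIR/$alias.txt"   # 3: reload the table
}

if [ "$#" -gt 0 ]; then
    main "$@"
else
    echo "usage: $0 <alias_name> <ipv4[/prefix]> ..." >&2
fi
```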