Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Changing firewall rules on the fly

    Scheduled Pinned Locked Moved General pfSense Questions
    2 Posts 2 Posters 1.4k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • M
      magnobeam
      last edited by

      I have several openvpn clients on m pfsense box that have endpoints at various places around the world, m ainly to get around geoblocking. There are several other people in the household that use this feature as well.

      The current method to change the gateway is simply go into the relevant firewall rule and change the gateway. This is too complex for some people to do!

      At this stage what I would like is to be able to change this running a script that takes some arguments. (IP, endpoint, etc) and hopefully create a page on the pfsense box to make it even easier.

      My current rule that I want to change is this:

      pass in quick on dc0 route-to (ovpnc3 10.195.1.5) inet from 10.0.0.101 to any flags S/SA keep state

      where 10.0.0.101 is my windows system and change it to ovpnc2.

      How would I go about this in CLI? Are there better options?

      1 Reply Last reply Reply Quote 0
      • R
        rjcrowder
        last edited by

        Can you make the value you want to change an alias? If so, it's fairly easy to change… You can change the value of a URL alias by doing three things.
        1.) Change the file the URL points to
        2.) Change the file that is used to load the pfctl rules
        3.) Reload the pfctl rule

        You need to do both 1 and 2 because pfSense occasionally does the update via a cron job (/usr/bin/nice -n20 /etc/rc.update_urltables). If you don't do both, it will overwrite your change.

        The following shell code will do it.

        
tbl_name=your_alias_name
new_alias_file=/some_directory/some_file
www_alias_file=/usr/local/www/some_directory/some_file
pfctl_alias_file=/var/db/aliastables/$tbl_name.txt

# update the file used for the URL alias
cp $new_alias_file $www_alias_file

# update the file used for the pfctl rule
cp $www_alias_file $pfctl_alias_file

# force update of the alias
/sbin/pfctl -t $tbl_name -T replace -f $pfctl_alias_file 2>&1

        Now the more difficult option…

        You could also start hacking away at the rule edit screen and create a screen that does what you need... but it would take a little work. The two php files to look at are firewall_rules.php and firewall_rules_edit.php. Passing the correct "id" to firewall_rules_edit .php will bring up the rule for edit - you'd just need to find the rule first. The custom page can be added to pfsense by modifying fbegin.inc (all of these files are in /usr/local/www).

        1 Reply Last reply Reply Quote 0
        • First post
          Last post
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.