PfSense API?



  • Hi,

    Is there any API available in pfSense? I would like to insert rules in firewall from some external applications (that is, without human interaction). Running SSH commands is not an option.

    Something like this

    http://<pfsense_ip>/api.php?apikey=somekey&blockip=1.2.3.4&iface=WAN

    This would automatically add a rule to block all traffic on 1.2.3.4 at WAN interface.

    Anything like this available?



  • No.



  • Not yet. There are ways to accomplish that end result, just not yet with an API.


  • Moderator

    I know you don't want to use an ssh tunnel, but I use sftp to send a blocklist file from my mail server to pfSense which gets loaded into an alias blocklist for pfBlocker.



  • @cmb:

    Not yet. There are ways to accomplish that end result, just not yet with an API.

    Whoa, this is a "feature" being planned?  Will it be something that can be disabled?  Preferably by default.  It's bad enough that the web gui is accessible to every network without a gateway.



  • @BBcan17:

    I know you don't want to use an ssh tunnel, but I use sftp to send a blocklist file from my mail server to pfSense which gets loaded into an alias blocklist for pfBlocker.

    Hmm, since there is obviously no API, this option might be acceptable. Can you please let me know the details how you've implemented this? You send file to pfSense and then you run some cron job script to parse it and load it into alias? If yes, I would be very happy if you would share the script with me. Thanks!



  • @cmb:

    There are ways to accomplish that end result, just not yet with an API.

    Any other suggestion to accomplish that, besides the one that BBcan17 posted?


  • Netgate Administrator

    @verigoth:

    It's bad enough that the web gui is accessible to every network without a gateway.

    Only the LAN interface has access to the webgui by default and you can change that if you wish. All other interfaces require appropriate firewall rules to be added before webgui access is allowed.

    Steve



  • @stephenw10:

    Only the LAN interface has access to the webgui by default and you can change that if you wish. All other interfaces require appropriate firewall rules to be added before webgui access is allowed.

    Steve

    That's half true. Then again so is what I said (the web gui listens on interfaces with gateways too). If you have a network that you want to deny access to the web gui but allow access to the internet you need an allow from network to NOT every IP pfSense has. Including OpenVPN tunnels. Say you have 3 interfaces: WAN (10.0.0.2/24), LAN (192.168.1.1/24), and OPT1 (172.16.1.1/24). If you want OPT1 to be able to get out to the internet (a necessity for a DMZ), but not access any of your local resources you'll need to explicitly block 10.0.0.2/32, 192.168.1.0/24, AND 172.16.1.1/32 as well as every other IP your firewall has. Then allow any/any. This could be alleviated with the option to bind the web gui (and ssh) to selected interface(s).


  • Netgate Administrator

    Yep that's all true. I have been caught out myself by the fact the webgui listens on the WAN so is accessible on the WAN address from an internal network. Having the listening interfaces selectable is certainly an option, perhaps there's a good reason it's not available. Another option I would be in favour of would be to have a local_nets alias available for use by the user in firewall rules. I have user alias set up for that but of course it doesn't include the WAN address/subnet.

    Steve

    Edit: Typo


  • Moderator

    @kenshirothefist:

    Hmm, since there is obviously no API, this option might be acceptable. Can you please let me know the details how you've implemented this? You send file to pfSense and then you run some cron job script to parse it and load it into alias? If yes, I would be very happy if you would share the script with me. Thanks!

    Hi Kenshirothefist,

    pfBlocker can utilize internet based blocklists or local txt file blocklists. So if you create a new blocklist in pfBlocker, enter the path to the local pfSense txt file location and assign the blocklist as an "ALIAS". Add rules on the interfaces that will block/reject based upon the contents of the text file. The file needs to be formatted with a single IP address per line (with or without a CIDR), or an IP range.

    Add a new user and give it "User - System - Copy files" access only.
    "Indicates whether the user is allowed to copy files onto the pfSense appliance via SCP/SFTP. If you are going to use this privilege, you must install scponly on the appliance (Hint: pkg_add -r scponly)."

    Then create a cron job on the server where the blocklist gets maintained and send those file(s) with SCP/SFTP at your desired frequency. pfBlocker is limited to a 1 hour update frequency (4,12,24hr), so on my mail server I use iptables to block addresses for one hour and then by that time, pfBlocker is updated with the new alias text file.

    I had issues with using SCP so I ended up using SFTP. The files end up in the /home/user folder (So that is where you can map pfBlocker to)

    Still unresolved.
    https://forum.pfsense.org/index.php?topic=73150.msg404386#msg404386

    If you need any further details, please let me know.
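The sending side of the workflow BBcan17 describes, as an added example that is not from the thread or from pfBlocker: it normalises candidate entries into the one-per-line format pfBlocker expects (single IP, CIDR, or IP range), drops anything malformed so a bad line cannot break the alias, and pushes the file with non-interactive sftp. The remote user, host and file name are placeholders; the sample input is constructed.

```python
# Added example: build a pfBlocker-style blocklist file and push it over SFTP
# from a cron job on the server that maintains the bans (e.g. a mail server).
import ipaddress
import subprocess
import tempfile

def parse_entry(line):
    """Return a canonical entry for one input line, or None if it is not a
    single IPv4 address, an IPv4/CIDR network, or an IPv4 range a-b."""
    text = line.split("#", 1)[0].strip()   # allow trailing comments
    if not text:
        return None
    if "-" in text:                        # range form: first-last
        lo, hi = (p.strip() for p in text.split("-", 1))
        try:
            a, b = ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi)
        except ValueError:
            return None
        return f"{a}-{b}" if a <= b else None
    try:
        net = ipaddress.IPv4Network(text, strict=False)  # "1.2.3.4" or "10.0.0.0/24"
    except ValueError:
        return None
    return str(net.network_address) if net.prefixlen == 32 else str(net)

def build_blocklist(lines):
    """Keep only valid entries, deduplicated, in first-seen order."""
    seen = {}
    for line in lines:
        entry = parse_entry(line)
        if entry is not None and entry not in seen:
            seen[entry] = True
    return list(seen)

def push_blocklist(entries, remote="copyuser@pfsense.example", remote_name="blocklist.txt"):
    """Upload the list with sftp in batch mode; key-based auth for the
    'Copy files' user is assumed. Host, user and file name are placeholders."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("\n".join(entries) + "\n")
    batch = f"put {f.name} {remote_name}\n"   # sftp reads the batch from stdin with -b -
    return subprocess.run(["sftp", "-b", "-", remote], input=batch, text=True).returncode

if __name__ == "__main__":
    # constructed sample input, e.g. exported from the mail server's iptables bans
    sample = ["1.2.3.4", "10.0.0.0/24", "192.0.2.10-192.0.2.20", "bogus", "1.2.3.4 # repeat"]
    print(build_blocklist(sample))   # ['1.2.3.4', '10.0.0.0/24', '192.0.2.10-192.0.2.20']
```

Point pfBlocker at the uploaded file's path in the copy user's home directory, as described above, and schedule the script at or above pfBlocker's update interval.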



  • Just an FYI, commands via the URL are a very common method for malware to take advantage. At least in my security classes, they said to never do this and gave a huge list of ways to abuse. The first thing that comes to mind is URLs get saved in your history, which means an easy way to leak secret information.



  • @kenshirothefist:

    Any other suggestion to accomplish that, besides the one that BBcan17 posted?

    Could create some phantomjs scripts to automate the process through the pfSense GUI.

    Not as elegant as an API, but it would work.