PfSense API?

    General pfSense Questions
    13 Posts 8 Posters 18.4k Views
      kenshirothefist

      Hi,

      Is there any API available in pfSense? I would like to insert rules in firewall from some external applications (that is, without human interaction). Running SSH commands is not an option.

      Something like this

      http://<pfsense_ip>/api.php?apikey=somekey&blockip=1.2.3.4&iface=WAN

      This would automatically add a rule to block all traffic on 1.2.3.4 at WAN interface.

      Anything like this available?

        jasonlitka

        No.

        I can break anything.

          cmb

          Not yet. There are ways to accomplish that end result, just not yet with an API.

            BBcan177 Moderator

            I know you don't want to use an ssh tunnel, but I use sftp to send a blocklist file from my mail server to pfSense which gets loaded into an alias blocklist for pfBlocker.

            "Experience is something you don't get until just after you need it."

            Website: http://pfBlockerNG.com
            Twitter: @BBcan177  #pfBlockerNG
            Reddit: https://www.reddit.com/r/pfBlockerNG/new/

              verigoth

              @cmb:

              Not yet. There are ways to accomplish that end result, just not yet with an API.

              Whoa, this is a "feature" being planned?  Will it be something that can be disabled?  Preferably by default.  It's bad enough that the web gui is accessible to every network without a gateway.

                kenshirothefist

                @BBcan17:

                I know you don't want to use an ssh tunnel, but I use sftp to send a blocklist file from my mail server to pfSense which gets loaded into an alias blocklist for pfBlocker.

                Hmm, since there is obviously no API, this option might be acceptable. Can you please let me know the details how you've implemented this? You send file to pfSense and then you run some cron job script to parse it and load it into alias? If yes, I would be very happy if you would share the script with me. Thanks!

                  kenshirothefist

                  @cmb:

                  There are ways to accomplish that end result, just not yet with an API.

                  Any other suggestion to accomplish that, besides the one that BBcan17 posted?

                    stephenw10 Netgate Administrator

                    @verigoth:

                    It's bad enough that the web gui is accessible to every network without a gateway.

                    Only the LAN interface has access to the webgui by default and you can change that if you wish. All other interfaces require appropriate firewall rules to be added before webgui access is allowed.

                    Steve

                      verigoth

                      @stephenw10:

                      Only the LAN interface has access to the webgui by default and you can change that if you wish. All other interfaces require appropriate firewall rules to be added before webgui access is allowed.

                      Steve

                      That's half true. Then again so is what I said (the web gui listens on interfaces with gateways too). If you have a network that you want to deny access to the web gui but allow access to the internet you need an allow from network to NOT every IP pfSense has. Including OpenVPN tunnels. Say you have 3 interfaces: WAN (10.0.0.2/24), LAN (192.168.1.1/24), and OPT1 (172.16.1.1/24). If you want OPT1 to be able to get out to the internet (a necessity for a DMZ), but not access any of your local resources you'll need to explicitly block 10.0.0.2/32, 192.168.1.0/24, AND 172.16.1.1/32 as well as every other IP your firewall has. Then allow any/any. This could be alleviated with the option to bind the web gui (and ssh) to selected interface(s).

                        stephenw10 Netgate Administrator

                        Yep that's all true. I have been caught out myself by the fact the webgui listens on the WAN so is accessible on the WAN address from an internal network. Having the listening interfaces selectable is certainly an option, perhaps there's a good reason it's not available. Another option I would be in favour of would be to have a local_nets alias available for use by the user in firewall rules. I have user alias set up for that but of course it doesn't include the WAN address/subnet.

                        Steve

                        Edit: Typo

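                        The rule set verigoth describes and the local_nets alias Steve would like both come down to the same list: every address the firewall itself holds (the webgui, and as verigoth notes ssh, listen on all of them, WAN and OpenVPN included) plus the subnets of the internal interfaces that must be kept away from the DMZ. The script below is an added example, not code from this thread or from pfSense, that derives that list from FreeBSD ifconfig output so it can be pasted into an alias or served to a URL-table alias. The interface names (em0 WAN, em1 LAN, em2 OPT1, ovpns1 OpenVPN server) and the sample ifconfig output are constructed to match verigoth's addresses; on the firewall you would pipe real ifconfig output into it instead.

```sh
#!/bin/sh
# Added example, not from the thread or from pfSense: build the "every address
# the firewall has" list that an OPT1/DMZ "block the firewall and local nets,
# then allow any" rule set needs, from FreeBSD ifconfig output.
#
# Each inet line yields the firewall's own address as a /32. The attached
# network is emitted only for interfaces passed as local (LAN-like), so the
# ISP's WAN subnet and the DMZ's own segment are left alone.

# mask_to_prefix 0xffffff00 -> 24 (FreeBSD prints netmasks in hex).
mask_to_prefix() {
    m=$(( $1 )); bits=0
    while [ $(( m & 0x80000000 )) -ne 0 ]; do
        bits=$(( bits + 1 ))
        m=$(( (m << 1) & 0xffffffff ))
    done
    echo "$bits"
}

# Dotted quad <-> 32-bit integer.
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# is_local IFACE "IF1 IF2 ..." -> 0 if IFACE is in the list.
is_local() {
    for i in $2; do [ "$i" = "$1" ] && return 0; done
    return 1
}

# firewall_nets "LOCAL_IFACES" < ifconfig-output
# One alias entry per line, sorted and deduplicated.
firewall_nets() {
    local_ifaces=$1; ifname=""
    while IFS= read -r line; do
        case "$line" in
            [a-z]*:*flags=*)            # "em0: flags=8843<UP,...> metric 0 mtu 1500"
                ifname=${line%%:*} ;;
            *"inet "*)                  # "inet 10.0.0.2 netmask 0xffffff00 broadcast ..."
                set -- $line            # or "inet 10.8.0.1 --> 10.8.0.2 netmask 0xffffffff"
                addr=$2
                while [ $# -gt 0 ] && [ "$1" != "netmask" ]; do shift; done
                mask=${2:-}
                [ -n "$mask" ] || continue
                case "$addr" in 127.*) continue ;; esac   # loopback is not a listener anyone reaches
                echo "$addr/32"
                prefix=$(mask_to_prefix "$mask")
                if [ "$prefix" -lt 32 ] && is_local "$ifname" "$local_ifaces"; then
                    net=$(( $(ip_to_int "$addr") & $(( $mask )) ))
                    echo "$(int_to_ip "$net")/$prefix"
                fi ;;
        esac
    done | LC_ALL=C sort -u
}

# Constructed sample in FreeBSD ifconfig format: em0 WAN, em1 LAN, em2 OPT1/DMZ,
# ovpns1 OpenVPN server (assumed names, addresses taken from verigoth's post).
SAMPLE_IFCONFIG='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 10.0.0.2 netmask 0xffffff00 broadcast 10.0.0.255
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
        inet6 fe80::1%em1 prefixlen 64 scopeid 0x2
em2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 172.16.1.1 netmask 0xffffff00 broadcast 172.16.1.255
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        inet 127.0.0.1 netmask 0xff000000
ovpns1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
        inet 10.8.0.1 --> 10.8.0.2 netmask 0xffffffff'

# Stand-alone demo. On the firewall itself you would run: ifconfig | firewall_nets "em1"
printf '%s\n' "$SAMPLE_IFCONFIG" | firewall_nets "em1"
```

                        With only em1 marked local, the output is the exact set verigoth listed (10.0.0.2/32, 172.16.1.1/32, 192.168.1.0/24) plus 192.168.1.1/32 and the OpenVPN server address 10.8.0.1/32, which are the other two listeners an OPT1 host could otherwise reach. Put the result in a block rule at the top of the OPT1 tab and follow it with the allow-any; rerun it whenever an interface or VPN is added, since a new address is a new listener.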
                          BBcan177 Moderator

                          @kenshirothefist:

                          Hmm, since there is obviously no API, this option might be acceptable. Can you please let me know the details how you've implemented this? You send file to pfSense and then you run some cron job script to parse it and load it into alias? If yes, I would be very happy if you would share the script with me. Thanks!

                          Hi Kenshirothefist,

                          pfBlocker can utilize internet based blocklists or local txt file blocklists. So if you create a new blocklist in pfBlocker, enter the path to the local pfSense txt file location and assign the blocklist as an "ALIAS". Add rules on the interfaces that will block/reject based upon the contents of the text file. The file needs to be formatted with a single IP address per line (with or without a CIDR), or an IP range.

                          Add a new user and give it "User - System - Copy files" access only.
                          "Indicates whether the user is allowed to copy files onto the pfSense appliance via SCP/SFTP. If you are going to use this privilege, you must install scponly on the appliance (Hint: pkg_add -r scponly)."

                          Then create a cron job on the server where the blocklist gets maintained and send those file(s) with SCP/SFTP at your desired frequency. pfBlocker is limited to a 1 hour update frequency (4, 12, 24 hr), so on my mail server I use iptables to block addresses for one hour and then by that time, pfBlocker is updated with the new alias text file.

                          I had issues with using SCP so I ended up using SFTP. The files end up in the /home/user folder (so that is where you can map pfBlocker to).

                          Still unresolved.
                          https://forum.pfsense.org/index.php?topic=73150.msg404386#msg404386

                          If you need any further details, please let me know.

                          "Experience is something you don't get until just after you need it."

                          Website: http://pfBlockerNG.com
                          Twitter: @BBcan177  #pfBlockerNG
                          Reddit: https://www.reddit.com/r/pfBlockerNG/new/

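                          BBcan177's workflow in the post above (a local text file with one address, CIDR or range per line, delivered over SFTP to an account that has only the copy-files privilege, picked up by pfBlocker on its next scheduled update) is the whole pipeline the OP asked about, minus the API. The script below is an added example, not BBcan177's own script and not part of pfBlocker or pfSense: it runs on the mail server, validates and deduplicates the entries the mail server wants blocked, refuses to emit any address marked never-block (so a misfiring ban can never push a rule against the firewall itself), and uploads the result to a temporary name followed by a rename, so pfBlocker can never read a half-written file. The account blocklist@pfsense.example, the key path, the never-block address and the sample input are all assumptions.

```sh
#!/bin/sh
# Added example for the pfBlocker local-file workflow described in this thread.
# Not BBcan177's script and not part of pfBlocker. Runs on the mail server (cron).

# Assumed: addresses that must never be pushed, here the firewall's own WAN address.
NEVER_BLOCK="10.0.0.2 10.0.0.2/32"

# valid_ipv4 A.B.C.D -> 0 if exactly four decimal octets 0-255 with no leading zeros.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    IFS=. read -r a b c d e <<EOF
$1
EOF
    [ -n "$d" ] && [ -z "$e" ] || return 1
    for o in "$a" "$b" "$c" "$d"; do
        case "$o" in 0[0-9]*) return 1 ;; esac
        [ ${#o} -le 3 ] && [ "$o" -le 255 ] || return 1
    done
    return 0
}

# valid_entry X -> 0 for "A.B.C.D", "A.B.C.D/N" (N 0-32) or "A.B.C.D-E.F.G.H",
# the three forms a pfBlocker local list accepts.
valid_entry() {
    case "$1" in
        */*/*) return 1 ;;
        */*)   case "${1##*/}" in ''|*[!0-9]*) return 1 ;; esac
               valid_ipv4 "${1%/*}" && [ "${1##*/}" -le 32 ] ;;
        *-*-*) return 1 ;;
        *-*)   valid_ipv4 "${1%-*}" && valid_ipv4 "${1#*-}" ;;
        *)     valid_ipv4 "$1" ;;
    esac
}

is_never_blocked() {
    for n in $NEVER_BLOCK; do [ "$n" = "$1" ] && return 0; done
    return 1
}

# normalize_blocklist < raw > clean : strips comments and blanks, drops invalid
# and never-block entries (reported on stderr), sorts and deduplicates.
normalize_blocklist() {
    while IFS= read -r line || [ -n "$line" ]; do
        entry=$(printf '%s' "${line%%#*}" | tr -d ' \t')
        [ -n "$entry" ] || continue
        if ! valid_entry "$entry"; then
            echo "skipping invalid entry: $line" >&2
        elif is_never_blocked "$entry"; then
            echo "refusing to block own address: $entry" >&2
        else
            echo "$entry"
        fi
    done | LC_ALL=C sort -u
}

# push_blocklist FILE [USER@HOST]: upload into the copy-files-only account's home
# directory, which is where pfBlocker is pointed at. Upload under a temp name and
# rename, so pfBlocker never reads a partially written file. The host key must
# already be in known_hosts (StrictHostKeyChecking=yes); key path is assumed.
push_blocklist() {
    name=$(basename "$1")
    printf 'put %s %s.tmp\nrename %s.tmp %s\n' "$1" "$name" "$name" "$name" |
        sftp -q -b - -i /root/.ssh/pfsense_blocklist_key \
             -o BatchMode=yes -o StrictHostKeyChecking=yes "${2:-blocklist@pfsense.example}"
}

# Constructed sample of what the mail-server side might produce.
SAMPLE_RAW='198.51.100.23
203.0.113.0/24
198.51.100.23            # duplicate
192.0.2.10-192.0.2.20    # range
256.1.1.1                # bad octet
203.0.113.5/33           # bad prefix
not-an-address
10.0.0.2                 # the firewall WAN address, must never be pushed'

# Stand-alone demo. From cron you would instead run something like:
#   normalize_blocklist < /var/lib/mailbans/raw.txt > /var/tmp/mailbans.txt \
#     && push_blocklist /var/tmp/mailbans.txt
printf '%s\n' "$SAMPLE_RAW" | normalize_blocklist
```

                          The never-block list is the part worth keeping even if you drop everything else: pfSense applies whatever the file says, so the only place to stop a compromised or misconfigured sender from locking you out is on the sending side. The copy-files-only account and pinned host key limit what the mail server can do to the firewall to exactly one thing, writing that file.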
                            Harvy66

                            Just an FYI, commands via the URL are a very common method for malware to take advantage of. At least in my security classes, they said to never do this and gave a huge list of ways to abuse it. The first thing that comes to mind is that URLs get saved in your history, which means an easy way to leak secret information.

                              NOYB

                              @kenshirothefist:

                              Any other suggestion to accomplish that, besides the one that BBcan17 posted?

                              Could create some phantomjs scripts to automate the process through the pfSense GUI.

                              Not as elegant as an API, but it would work.

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.