Category Archives: pfsense

Useful pfSense commands – OneByte | tech blog

Here are some commands that I’ve compiled over my time working with pfSense. My pfSense cheat sheet!

Command               Description
/etc/rc.reload_all    Reload the firewall with all of its configuration. This also restarts the webgui and sshd, but keeps current ssh sessions active, just as a regular sshd restart does.
viconfig              Manually edit the configuration in /conf/config.xml. Once the file has been saved and the editor exited, /tmp/config.cache is removed so the next config reload event loads config.xml rather than the cached version. Run /etc/rc.reload_all (above) to trigger an immediate reload.
pfctl -s rules        Show rule/filter information
pfctl -v -s rules     Show rule/filter information, including which filter rules have been hit
pfctl -vvsr           Show rule/filter information, including rule counters, ID numbers, etc.
pfctl -ss             Show the current state table
pfctl -sr             Show current filter rules
pfctl -sa             Show as much as possible
pfctl -sn             Show current NAT rules
pfctl -v -s nat       Show NAT information, including which NAT rules have been hit
pfctl -s nat -i ge1   Show NAT information for interface ge1
pfctl -s queue        Show QUEUE information
pfctl -s label        Show LABEL information
pfctl -s state        Show contents of the STATE table
pfctl -s info         Show statistics for state tables and packet normalization
pfctl -s all          Show everything
pfctl -e              Enable the packet filter (enables all firewall functions)
pfctl -d              Disable the packet filter (disables all firewall functions)
pfctl -q              Quiet mode: only print errors and warnings
pfctl -F all          Flush everything
pfctl -F rules        Flush only the rules
pfctl -F queue        Flush only the queues
pfctl -F nat          Flush only the NAT rules
pfctl -F info         Flush all statistics that are not part of any rule
pfctl -z              Clear all counters
Playback Scripts

Command                                     Description
pfSsh.php playback changepassword           Changes the password for the specified user. Prompts to reset the account properties if the account is disabled or expired.
pfSsh.php playback disablecarp              Disables CARP high availability functions; deactivates the CARP virtual IP addresses. Does not persist across reboots.
pfSsh.php playback enablecarp               Re-enables CARP high availability functions.
pfSsh.php playback disablecarpmaint         Leaves CARP maintenance mode.
pfSsh.php playback enablecarpmaint          Enters CARP maintenance mode. This leaves CARP active but demotes the unit so that another can assume control. Maintenance mode persists across reboots.
pfSsh.php playback disabledhcp              Removes all DHCP configuration from the firewall, disabling DHCP. It completely removes all of its settings.
pfSsh.php playback disablereferercheck      Disables the HTTP_REFERER check in Browser HTTP_REFERER enforcement. This can aid in regaining access to the GUI if the browser session is triggering this protection.
pfSsh.php playback enableallowallwan        Adds an allow-all rule for IPv4 and IPv6 to the WAN interface.
    Be extremely careful with this option: it is meant as a temporary measure to gain access to services on the WAN interface of the firewall when the LAN is not usable. Once proper access rules are in place, remove the rules added by this script.
pfSsh.php playback enablesshd               Enables the SSH daemon, the same as the console menu option or the GUI setting.
pfSsh.php playback externalconfiglocator    Looks for a config.xml file on an external device, such as a USB drive, and moves it into place for use by the firewall.
pfSsh.php playback gatewaystatus [brief]    Prints the current gateway status and statistics. The optional parameter brief prints only the gateway name and status, omitting the addresses and statistical data.
pfSsh.php playback generateguicert          Creates a new self-signed certificate for the firewall and activates it for use in the GUI. Useful when the previous certificate is invalid or unusable. The certificate details are filled in from the firewall hostname and other custom information to better identify the host.
pfSsh.php playback gitsync                  A complex script that synchronizes the PHP and other script sources with the files from the pfSense GitHub repository. Most useful on development snapshots to pick up changes from more recent commits.
    This script can be dangerous to use in other circumstances. Only use it under the direction of a knowledgeable developer or support representative.
pfSsh.php playback installpkg               Installs a package from the shell.
pfSsh.php playback listpkg                  Lists packages.
pfSsh.php playback uninstallpkg             Uninstalls a package from the shell.
pfSsh.php playback pfanchordrill            Views additional rules in anchors from packages or features, such as UPnP.
pfSsh.php playback pftabledrill             Prints the contents of all pf tables, which contain addresses used in firewall aliases as well as built-in system tables for features such as bogon network blocking, snort, and GUI/SSH lockout. Also useful for checking whether a specific IP address is present in any table, rather than searching each one individually.
pfSsh.php playback removepkgconfig          Removes all traces of package configuration data from the running config.xml. Useful if a package has corrupted settings or has otherwise left the packages in an inconsistent state.
pfSsh.php playback removeshaper             Removes ALTQ traffic shaper settings. Useful if the shaper configuration is preventing rules from loading or is otherwise incorrect and preventing proper operation of the firewall.
pfSsh.php playback resetwebgui              Resets the GUI settings for widgets, dashboard columns, the theme, and other GUI-related settings. Can return the GUI, particularly the dashboard, to a stable state if it is not functioning properly.
pfSsh.php playback restartallwan            Disables and re-enables each WAN-type interface, which reapplies the interface configuration.
pfSsh.php playback restartdhcpd             Stops and restarts the DHCP daemon.
pfSsh.php playback restartipsec             Rewrites and reloads the IPsec configuration for strongSwan.
pfSsh.php playback svc                      Controls the services running on the firewall, similar to interacting with services at Status > Services.
    Usage: pfSsh.php playback svc <action> <service name> [service-specific options]
    The action can be stop, start, or restart.
    The service name is the name of the service as shown under Status > Services. If the name includes a space, enclose the name in quotes.
    The service-specific options vary by service; they are used to uniquely identify services with multiple instances, such as OpenVPN or Captive Portal entries.

   
The shell version of Easy Rule, easyrule, can add a firewall rule from a shell prompt. When easyrule is run without parameters, it prints a usage message explaining its syntax.

easyrule adds rules the same way the GUI version does: a block rule keyed on a source address (which is added to an alias), or a precise pass rule specifying the protocol, source, and destination.

Syntax:

easyrule pass <interface> <protocol> <source IP> <destination IP> [destination port]
easyrule block <interface> <source IP>

Examples:

easyrule pass wan tcp 0.0.0.0/0 192.168.0.1 80
easyrule pass wan icmp 1.1.1.1 192.168.0.1
easyrule block wan 1.1.1.1

Command                                           Description
pfctl -t addvhosts -T show                        Show the contents of table addvhosts
pfctl -vvsTables                                  View global information about all tables
pfctl -t addvhosts -T add 192.168.1.50            Add a host entry to table addvhosts
pfctl -t addvhosts -T add 192.168.1.0/16          Add a network to table addvhosts
pfctl -t addvhosts -T delete 192.168.1.0/16       Delete a network from table addvhosts
pfctl -t addvhosts -T flush                       Remove all entries from table addvhosts
pfctl -t addvhosts -T kill                        Delete table addvhosts entirely
pfctl -t addvhosts -T replace -f /etc/addvhosts   Reload table addvhosts on the fly from a file
pfctl -t addvhosts -T test 192.168.1.40           Check whether 192.168.1.40 matches table addvhosts
pfctl -T load -f /etc/pf.conf                     Load new table definitions from a ruleset file
pfctl -t addvhosts -T show -v                     Show statistics for each entry in table addvhosts
pfctl -t addvhosts -T zero                        Reset all counters for table addvhosts
echo "<?php include('openvpn.inc'); openvpn_resync_all(); ?>" | php -q   Manually restart the OpenVPN processes
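As an added example (not from the cheat sheet above or from the pfSense project), here is a POSIX sh script that validates a host list before loading it with pfctl -T replace and then checks one address with pfctl -T test; the table name addvhosts, the probe address and the sample list are placeholders I constructed.

```shell
# Added example, not pfSense code; "addvhosts", the list and the probe are placeholders.
# Return 0 when $1 is a dotted-quad IPv4 address with an optional /0-/32 prefix.
is_ipv4_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$' || return 1
    for o in $(printf '%s\n' "${1%%/*}" | tr '.' ' '); do
        [ "$o" -le 255 ] || return 1   # the regex alone would accept 256
    done
    return 0
}

# Print the valid entries of list $1 (one address or network per line; blank lines and
# "#" comments skipped). Return 1 if any line was rejected so a bad list never replaces a table.
filter_hosts() {
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        entry=$(printf '%s' "${line%%#*}" | tr -d '[:space:]')
        [ -n "$entry" ] || continue
        if is_ipv4_cidr "$entry"; then
            printf '%s\n' "$entry"
        else
            printf 'rejected: %s\n' "$line" >&2
            rc=1
        fi
    done < "$1"
    return "$rc"
}

# Replace table $1 from list $2 in one step (pfctl -T replace swaps the whole table) and ask
# pf whether address $3 now matches it (pfctl -T test). pfctl calls are skipped off-box.
load_table() {
    table=$1 src=$2 probe=$3 rc=0
    tmp=$(mktemp) || return 1
    if ! filter_hosts "$src" > "$tmp"; then
        rc=1
    elif command -v pfctl >/dev/null 2>&1; then
        if pfctl -t "$table" -T replace -f "$tmp"; then
            pfctl -t "$table" -T test "$probe" || rc=1
        else
            rc=1
        fi
    fi
    rm -f "$tmp"
    return "$rc"
}

# Constructed sample list for a stand-alone run; replace with the real file.
sample=$(mktemp)
printf '192.168.1.50\n10.0.0.0/8   # trusted\nnot-an-address\n' > "$sample"
load_table addvhosts "$sample" 192.168.1.50 || echo 'list rejected, table untouched' >&2
rm -f "$sample"
```

On a firewall the script must run as root for the pfctl calls; the sample list deliberately contains an invalid entry so the run shows the rejection path.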

 

Source: Useful pfSense commands – OneByte | tech blog

Suricata inline versus legacy IPS mode | Netgate Forum

I will just add a little more detail to the explanation to highlight the differences between inline IPS mode and the legacy IDS/IPS hybrid mode.

In legacy mode, the pcap library is used to make a copy (clone if you will) of every packet as it comes in from the NIC on its way to the pf firewall engine.  The original packet continues on to the pf firewall engine and is either passed or blocked depending on the current rules in the firewall.  Meanwhile, the cloned packet is sent over to Suricata (or Snort if using that package) for inspection against the IDS/IPS rules.  Should the cloned packet (or packets, since sometimes Suricata needs to see a group of packets before a decision can be made) be judged as “bad” by the Suricata engine, then a system call is made to insert the offending IP address from the packet into a special table in the pf firewall engine called snort2c.  IP addresses in this special table are blocked.  However, note that this decision making and subsequent insertion of the IP address into the snort2c table has happened well after the original packet (or packets if a group of packets was required to make a decision) has traversed the pf engine.  So that original packet will have already gotten past the IPS mechanism.  Packets that subsequently come through from the same IP address will now get blocked, though.  Hence I use the term “hybrid IDS/IPS” because a true IPS would never leak a packet.  A true IPS would hold up the original packet while it was being inspected, and then either pass it or drop it.  Legacy mode does not hold up the original packet.  It is allowed to continue on to the firewall while the cloned copy is used to make the decision for blocking future packets from the IP address.

With the new inline IPS mode, Suricata activates and uses the relatively new Netmap mechanism that was added to FreeBSD.  Netmap is a way for applications to create a high-speed pipe between the NIC driver layer and the rest of the system.  So packets coming and going on a given network interface must pass through the Netmap pipe.  Suricata inline-mode controls the “door” in this pipe.  Each packet stream coming from the NIC (or going to the NIC) is inspected by Suricata and a “pass” or “drop” decision is made.  If a packet is dropped, it is never forwarded on to the pfSense kernel and thus never makes it to the pf engine.  Since every single packet must traverse this Netmap pipe, there is no leakage.  No copies of the packets are made for examination.  Everything occurs with the original packet.

The downside of the new inline mode is that for now only some NIC drivers support working with the Netmap API mechanism.  So while legacy mode is pretty much NIC card and driver agnostic (meaning it works with any hardware), the inline mode is highly dependent on your firewall having a NIC driver that supports Netmap.  Another problem that currently exists is the Netmap pipe seems to break traffic shaping on the interface.  I suspect this is a fixable problem, but no solution is in place yet.

So consider these two issues before choosing to use the inline IPS mode:  (1) do I have a supported NIC and driver; and (2) can I do without traffic shaping on interfaces where I run Suricata?

Source: Suricata inline versus legacy IPS mode | Netgate Forum

Note:

Important Information About IPS Inline Mode Blocking

When using Inline IPS Mode blocking, you must manually change the rule action from ALERT to DROP for every rule that should block traffic when it triggers.

The default action for rules is ALERT. This will produce alerts but will not block traffic when using Inline IPS Mode for blocking.

Use the “dropsid.conf” feature on the SID MGMT tab to select rules whose action should be changed from ALERT to DROP. If you run the Snort rules and have an IPS policy selected on the CATEGORIES tab, then rules defined as DROP by the selected IPS policy will have their action automatically changed to DROP when the “IPS Policy Mode” selector is configured for “Policy”.

Block Ads & Malvertising on pfSense Using pfBlockerNG (DNSBL)

This walkthrough uses the DNSBL portion of pfBlockerNG to remove ads/advertising and, more importantly, malvertising. It essentially provides functionality similar to the Pi-hole project, except it doesn’t require a separate piece of hardware; instead, you just use your pfSense + pfBlockerNG! If you’re interested in a write-up on installing/configuring the Pi-hole on Ubuntu, I have one here. Please note this walkthrough is for the devel version of pfBlockerNG. The pfBlockerNG-devel package is in the standard list of available packages…

Source: Block Ads & Malvertising on pfSense Using pfBlockerNG (DNSBL)


PFSense: How to add firewall rule at the command line?

pfSense provides a command-line tool, easyrule, for adding firewall rules. If you are locked out of the firewall because of a misconfigured firewall rule, you can use easyrule from the shell to add a rule that lets you back in.

Syntax and examples of the easyrule command:

Syntax:

easyrule pass <interface> <protocol> <source IP> <destination IP> [destination port]
easyrule block <interface> <source IP>

Examples:

easyrule pass wan tcp 0.0.0.0/0 192.168.0.1 80
easyrule pass wan icmp 1.1.1.1 192.168.0.1
easyrule block wan 1.1.1.1