Hello,

I'm happily using pfsense 1.2.3 as an OpenVPN server in production for more than a year now. I'm now playing with some custom openvpn connect/disconnect scripts to be able to automatically add/remove dynamic firewall rules on connect/disconnect of openvpn clients. The scripts are being called by openvpn, so all of that works, but I'm having a problem with the way I should call pfctl.

I've been using pfsense for years now and I know my way around networks and firewalls, but I'm not really familiar with pf and pfctl. I'm trying to add rules by writing them in a temporary text file and passing them to pfctl using the -f flag. However, when I do this the entire ruleset gets replaced by my custom rules, instead of adding my custom rules to the bottom of the ruleset.

After reading pfctl manuals online, I tried using anchors to load my rules in a subruleset. However, they were not getting parsed. Seems you need to add an anchor to the default ruleset telling it to parse the sub ruleset. But that brings me back to my first problem.

I noticed there is an anchor in the pfsense default ruleset called "pftpx/*" which I could use as a test since from what I understand it would load all anchors nested under the pftpx anchor. So I added my custom rules to the pftpx anchor with pfctl -a "pftpx" -f /tmp/temprulefile. This works, but of course as soon as I try to add a second rule to the anchor, it wipes out the first rule again (just like in the default ruleset).

Could anybody explain to me how I can add rules to pf's ruleset (or anchors) without wiping all existing rules? I'm looking for the behaviour of, for example, iptables, where you can add rules on the fly and it will only flush the existing rules when specifically asked for.


(I know these rules won't survive a reboot but this is not a problem since the openvpn clients will disconnect/reconnect on a reboot anyway, after which the script will trigger again and add the rules again)

Thanks for any help anyone can offer.

Regards,

Hans
_______________________________________________
List mailing list
[email protected]
http://lists.pfsense.org/mailman/listinfo/list

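The behaviour Hans describes is how pfctl works: "pfctl -a NAME -f FILE" replaces the whole ruleset of anchor NAME, not just the main ruleset, so a second load into "pftpx" discards the first. pf does not have an iptables-style append, but it does have nested anchors, and the "pftpx/*" wildcard line already in the pfsense ruleset loads every sub-anchor below "pftpx". The usual answer is therefore to give every OpenVPN client its own sub-anchor ("pftpx/<common-name>"), load that client's rules with -f, and flush only that sub-anchor with "-F rules" on disconnect; no other client's anchor and no main rule is touched. The script below is an added example written for this thread, not code from the original post or from the pfsense project. It assumes that the main ruleset contains the anchor "pftpx/*" line the post mentions, that OpenVPN runs it as the client-connect/client-disconnect script and exports script_type, common_name, ifconfig_pool_remote_ip and dev (standard OpenVPN script environment), and that the policy it installs (client may reach ALLOWED_NET) is a constructed placeholder.

```shell
#!/bin/sh
# Added example for the thread above (not from the original post or pfsense).
# One sub-anchor per OpenVPN client below the parent anchor, so connect and
# disconnect only ever replace or flush that client's rules.
#
# Assumptions: main ruleset has 'anchor "pftpx/*"'; OpenVPN exports
# script_type, common_name, ifconfig_pool_remote_ip and dev; the rule policy
# below is a constructed example, adjust it to the real requirements.

ANCHOR_BASE="${ANCHOR_BASE:-pftpx}"         # parent anchor already in the main ruleset
RULE_DIR="${RULE_DIR:-/tmp/ovpn-rules}"     # one rule file per connected client
PFCTL="${PFCTL:-pfctl}"                     # can be pointed at a stub for a dry run
VPN_IF="${dev:-tun0}"                       # OpenVPN exports the tun device as $dev
ALLOWED_NET="${ALLOWED_NET:-192.168.1.0/24}" # constructed example destination

# The anchor path is built from the client certificate CN. Restrict it to
# letters, digits and '_' so a hostile CN cannot inject '/' or whitespace
# into the anchor name or the pfctl command line.
safe_name() {
    printf '%s' "$1" | tr -c 'A-Za-z0-9_' '_'
}

# Emit the pf rules for one client (constructed example policy: the client's
# VPN address may reach ALLOWED_NET, everything else from it is blocked).
client_rules() {
    name="$1"; ip="$2"
    printf 'pass in quick on %s inet from %s to %s keep state label "ovpn-%s"\n' \
        "$VPN_IF" "$ip" "$ALLOWED_NET" "$name"
    printf 'block in quick on %s inet from %s to any label "ovpn-%s-rest"\n' \
        "$VPN_IF" "$ip" "$name"
}

# client-connect: write this client's rule file and load it into its own
# sub-anchor. "-a pftpx/<name> -f" replaces only that sub-anchor's ruleset.
ovpn_connect() {
    name=$(safe_name "$1"); ip="$2"
    mkdir -p "$RULE_DIR"
    client_rules "$name" "$ip" > "$RULE_DIR/$name.conf"
    "$PFCTL" -a "$ANCHOR_BASE/$name" -f "$RULE_DIR/$name.conf"
}

# client-disconnect: flush that sub-anchor only, kill states the client still
# holds (pfctl -k host), and remove the rule file. Other clients are untouched.
ovpn_disconnect() {
    name=$(safe_name "$1"); ip="$2"
    "$PFCTL" -a "$ANCHOR_BASE/$name" -F rules
    [ -n "$ip" ] && "$PFCTL" -k "$ip"
    rm -f "$RULE_DIR/$name.conf"
}

# Show what this script believes is loaded: one sub-anchor per rule file,
# followed by the rules pf actually has in that sub-anchor.
ovpn_show() {
    for f in "$RULE_DIR"/*.conf; do
        [ -e "$f" ] || continue
        name=${f##*/}; name=${name%.conf}
        printf '== %s/%s ==\n' "$ANCHOR_BASE" "$name"
        "$PFCTL" -a "$ANCHOR_BASE/$name" -s rules
    done
}

# OpenVPN sets script_type for the hook it is running; when the file is run
# by hand or sourced without it, only the functions are defined.
case "${script_type:-}" in
    client-connect)    ovpn_connect    "$common_name" "$ifconfig_pool_remote_ip" ;;
    client-disconnect) ovpn_disconnect "$common_name" "$ifconfig_pool_remote_ip" ;;
esac
```

Two things to check on the box itself: "pfctl -a pftpx -s Anchors" lists the sub-anchors currently attached below pftpx, and "pfctl -a pftpx/<name> -s rules" prints one client's rules, which is the quickest way to confirm that a second connect did not wipe the first. Rules inside an anchor are evaluated at the point where the "anchor" line sits in the main ruleset, so a rule without "quick" can still be overridden by later main rules; the example uses "quick" for that reason. Reusing pftpx is what the original post did and it works because the wildcard line is already present; a dedicated "anchor "openvpn/*"" would be cleaner but needs that line added to the main ruleset, which on pfsense means changing how the ruleset is generated. If a single anchor is preferred instead of one per client, the same scheme still works: keep the per-client rule files, concatenate them, and reload the one anchor with -f on every connect and disconnect.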