Jason,

I am interested in this as well. I want to be able to send dban entries from servers to the firewall. This would stop hackers from jumping server to server. The API would need to allow for the entry of IPs to either a firewall rule or alias used by a firewall rule, then reload the rule table and kill any open states for that public address only. A script in the system that could be hit via SSH would be good. Some kind of log entries somewhere would be good as well to allow for troubleshooting.

Bryant

----------------------------------------
From: "Jason Pyeron" <[email protected]>
Sent: Saturday, March 30, 2013 8:36 AM
To: "pfSense support and discussion" <[email protected]>
Subject: Re: [pfSense] Automated updates to firewall rules

> -----Original Message-----
> From: Chris Buechler
> Sent: Saturday, March 30, 2013 0:48
>
> On Fri, Mar 29, 2013 at 3:39 PM, Jason Pyeron <[email protected]> wrote:
> >
> > That would be very disruptive, it says: "Resetting the state tables
> > will remove all entries from the corresponding tables. This means that
> > all open connections will be broken and will have to be
> > re-established." We have thousands of active connections for
> > services that should not be interrupted.
> >
>
> I definitely wouldn't flush the entire state table. You can
> just kill off states to/from the IP in question.
>
> >
> > Sorry, I should have been more clear. I am looking for a way to, in a
> > single execution, reproduce the steps below.
> >
> > Ex: ssh root@firewall '/usr/local/bin/add_ip_to_block_list DOS_DDOS x.y.z.q'
> > or
> > https://firewall/add_ip_to_block_list.php?alias=DOS_DDOS&address=x.y.z.q
> >
> > I think, after reading
> > http://www.linuxnet.ch/pfsense-important-cli-commands/, I am going
> > to have to do this by making a custom php script.
> >
>
> This is probably your best bet today, it wouldn't take a lot
> to put that together to meet your requirement. We'll
> hopefully have an API at some point in the future, but none
> exists today.

Are there any roadmaps towards an API? And are there patch submission guidelines? I would like to minimize waste on this.

-Jason

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-                                                               -
- Jason Pyeron                      PD Inc. http://www.pdinc.us -
- Principal Consultant              10 West 24th Street #100    -
- +1 (443) 269-1555 x333            Baltimore, Maryland 21218   -
-                                                               -
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
This message is copyright PD Inc, subject to license 20080407P00.

_______________________________________________
List mailing list
[email protected]
http://lists.pfsense.org/mailman/listinfo/list
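An added example, not part of the thread and not pfSense code: a sketch of the `add_ip_to_block_list` helper described above, using `pfctl` to add one address to a table and kill states for that address only. It assumes the alias is loaded as a pf table of the same name; the validation functions, the `PFCTL` override and the log wording are this example's own, and it does not touch the saved configuration.

```shell
#!/bin/sh
# Added example: hypothetical add_ip_to_block_list helper, not pfSense code.
# Assumes the alias (e.g. DOS_DDOS) is loaded as a pf table of the same name.
PFCTL="${PFCTL:-pfctl}"   # overridable so the logic can be exercised off-box
LOGTAG="add_ip_to_block_list"

# Best-effort syslog entry for troubleshooting; never fails the caller.
log() {
    logger -t "$LOGTAG" "$1" 2>/dev/null || :
}

# Table names: letters, digits and underscore only (no spaces, no options).
valid_alias() {
    case "$1" in
        ''|*[!A-Za-z0-9_]*) return 1 ;;
    esac
}

# Dotted-quad IPv4 only, each octet 0..255; rejects anything a shell or
# pfctl could read as extra arguments.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Add the address to the table, then kill states for that address only.
add_ip_to_block_list() {
    alias_name=$1; addr=$2
    if ! valid_alias "$alias_name" || ! valid_ipv4 "$addr"; then
        log "rejected: invalid alias or address"
        return 2
    fi
    "$PFCTL" -t "$alias_name" -T add "$addr" || return 1
    "$PFCTL" -k "$addr"                 # states originating from addr
    "$PFCTL" -k 0.0.0.0/0 -k "$addr"    # states destined to addr
    log "added $addr to $alias_name and killed its states"
}

if [ "$#" -eq 2 ]; then add_ip_to_block_list "$1" "$2"; fi
```

Because the arguments arrive over SSH from other servers, the helper rejects anything that is not a plain table name and a dotted-quad address before it reaches `pfctl`.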
