Re: [pfSense-discussion] API?

2010-12-14 Thread Simon Cornelius P Umacob
Hi,

On Sat, Nov 13, 2010 at 3:01 AM, Nathan Eisenberg wrote:
> I have a customer who wants to be able to automate IP blackholing on their 
> PFSense firewall from their custom IDS.  In essence, the application wants to 
> go something like
>
> 'I'm being abused by this IP 198.51.100.20'
> 'POST HTTPS://GATEWAY/pfapi.php?alias=blocklist&ip=198.51.100.20&comment='
> 'POST HTTPS://GATEWAY/pfapi.php?action=apply'
>
> There was a post about this some time ago, and the answer at the time was 
> 'there's no such functionality'.  Is there anything new on this front?
>
> Nathan Eisenberg

I don't have a pfSense box right now, but you can do something like:

ssh r...@192.51.100.20 /my/script.php blocklist 198.51.100.20 comment
ssh r...@192.51.100.20 'rm -f /tmp/config.cache ; /etc/rc.reload_something2x'

Where /my/script.php is a script that modifies /conf/config.xml.
Hacking that script would only take a minute.  You can modify
/tmp/rules.debug too, but the rules would be removed on next reload.
:)

Anyway, you can try this sed trick if you don't want to use PHP:

sed 's/$/insert here<\/entry>/g' /conf/config.xml > /conf/config.xml.new

(pls refer to the config.xml for the correct XML... :)

Regards,

[ simon.cpu ]

-
To unsubscribe, e-mail: discussion-unsubscr...@pfsense.com
For additional commands, e-mail: discussion-h...@pfsense.com

Commercial support available - https://portal.pfsense.org



Re: [pfSense-discussion] API?

2010-12-13 Thread Aristedes Maniatis

On 14/12/10 5:58 PM, Nathan Eisenberg wrote:
> Hi Ari,
>
> Sadly, that doesn't quite apply here.  My customer has an IDS that can perform
> an API call when there are multiple failed-logons in a short period.  What I
> want is for their Windows boxen to make their pfsense firewall block abusers by
> appending abusive IPs to an alias list, reloading the filter, and killing
> related connections in the state table.


My point is just that the mechanism is very similar. Fail2ban tails some log 
and then injects deny rules into the firewall. Those people who are actually 
running fail2ban on their servers could write a special action.d file to use 
the API you are suggesting and cause it to ban people trying to hack an ftp 
server just as well as from your special application.

The problem with this approach is always that you leave yourself open to a DoS. 
Send some spoofed packets 'from' your best customer.

Ari

--
Aristedes Maniatis
ish
http://www.ish.com.au
Level 1, 30 Wilson Street Newtown 2042 Australia
phone +61 2 9550 5001   fax +61 2 9550 4001
GPG fingerprint CBFB 84B4 738D 4E87 5E5C  5EFA EF6A 7D2E 3E49 102A
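
A guard for the DoS risk described in the message above, as an added example that is not part of the original thread: each IDS-reported address is checked against a never-block list before it is appended to the blocklist alias. The networks, the batch cap and the function names are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample values (assumptions): replace with the site's own ranges.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "192.0.2.0/24",    # constructed: a key customer's address range
    "203.0.113.1/32",  # constructed: the admin host that manages the firewall
    "10.0.0.0/8",      # constructed: internal LAN
)]
MAX_NEW_BLOCKS = 3     # assumed cap on alias additions per batch


def vet_block_request(raw_ip, blocked):
    """Return (normalized_ip, None) if it may be blocked, else (None, reason)."""
    try:
        ip = ipaddress.ip_address(raw_ip.strip())
    except ValueError:
        return None, "not an IP address"
    if ip.is_loopback or ip.is_multicast or ip.is_unspecified or ip.is_link_local:
        return None, "not a unicast source"
    if any(ip in net for net in NEVER_BLOCK):
        return None, "on never-block list"
    if str(ip) in blocked:
        return None, "already blocked"
    return str(ip), None


def vet_batch(raw_ips, blocked):
    """Split IDS-reported addresses into (accepted, rejected-with-reason)."""
    seen, accepted, rejected = set(blocked), [], []
    for raw in raw_ips:
        ip, reason = vet_block_request(raw, seen)
        if ip is not None and len(accepted) >= MAX_NEW_BLOCKS:
            ip, reason = None, "batch cap reached"
        if ip is None:
            rejected.append((raw, reason))
            continue
        accepted.append(ip)
        seen.add(ip)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed IDS reports, including a spoofed "best customer" address.
    reports = ["198.51.100.20", "192.0.2.77", "bogus", "198.51.100.20",
               "198.51.100.21", "198.51.100.22", "198.51.100.23"]
    ok, bad = vet_batch(reports, blocked=[])
    print("append to alias:", ok)
    for raw, why in bad:
        print("refused:", raw, "->", why)
```

Only the accepted list would be handed to whatever mechanism updates the alias; the refused entries are worth logging, since a never-block hit is itself a signal that someone may be forging sources.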




RE: [pfSense-discussion] API?

2010-12-13 Thread Nathan Eisenberg
> Search this list and forums for previous discussions about fail2ban.
> This is exactly the tool you are thinking of and there was some
> discussion about why it would or would not work with pfSense. I agree
> it would be useful, especially if it worked in a HA setup.
> 
> Ari
 
Hi Ari,

Sadly, that doesn't quite apply here.  My customer has an IDS that can perform 
an API call when there are multiple failed-logons in a short period.  What I 
want is for their Windows boxen to make their pfsense firewall block abusers by 
appending abusive IPs to an alias list, reloading the filter, and killing 
related connections in the state table.





Re: [pfSense-discussion] API?

2010-12-13 Thread Aristedes Maniatis

On 13/11/10 6:01 AM, Nathan Eisenberg wrote:
> I have a customer who wants to be able to automate IP blackholing on their
> PFSense firewall from their custom IDS.  In essence, the application wants to
> go something like
>
> 'I'm being abused by this IP 198.51.100.20'
> 'POST HTTPS://GATEWAY/pfapi.php?alias=blocklist&ip=198.51.100.20&comment='
> 'POST HTTPS://GATEWAY/pfapi.php?action=apply'
>
> There was a post about this some time ago, and the answer at the time was
> 'there's no such functionality'.  Is there anything new on this front?
>
> Nathan Eisenberg


Search this list and forums for previous discussions about fail2ban. This is 
exactly the tool you are thinking of and there was some discussion about why it 
would or would not work with pfSense. I agree it would be useful, especially if 
it worked in a HA setup.

Ari



--
Aristedes Maniatis
ish
http://www.ish.com.au
Level 1, 30 Wilson Street Newtown 2042 Australia
phone +61 2 9550 5001   fax +61 2 9550 4001
GPG fingerprint CBFB 84B4 738D 4E87 5E5C  5EFA EF6A 7D2E 3E49 102A




Re: [pfSense-discussion] API?

2010-11-12 Thread Jim Pingle
On 11/12/2010 2:01 PM, Nathan Eisenberg wrote:
> I have a customer who wants to be able to automate IP blackholing on their 
> PFSense firewall from their custom IDS.  In essence, the application wants to 
> go something like 
> 
> 'I'm being abused by this IP 198.51.100.20'
> 'POST HTTPS://GATEWAY/pfapi.php?alias=blocklist&ip=198.51.100.20&comment='
> 'POST HTTPS://GATEWAY/pfapi.php?action=apply'
> 
> There was a post about this some time ago, and the answer at the time was 
> 'there's no such functionality'.  Is there anything new on this front?

There isn't anything in the XMLRPC API we have for that yet.

I would suggest you could do this via easyrule.php in 2.0, but I think
the recent http_referer and/or csrf checks may mean that will no longer
work if done remotely.

Jim
