Re: [pfSense-discussion] API?
Hi,

On Sat, Nov 13, 2010 at 3:01 AM, Nathan Eisenberg wrote:
> I have a customer who wants to be able to automate IP blackholing on their
> PFSense firewall from their custom IDS. In essence, the application wants to
> go something like
>
> 'I'm being abused by this IP 198.51.100.20'
> 'POST HTTPS://GATEWAY/pfapi.php?alias=blocklist&ip=198.51.100.20&comment='
> 'POST HTTPS://GATEWAY/pfapi.php?action=apply'
>
> There was a post about this some time ago, and the answer at the time was
> 'there's no such functionality'. Is there anything new on this front?
>
> Nathan Eisenberg

I don't have a pfSense box right now, but you can do something like:

ssh r...@192.51.100.20 /my/script.php blocklist 198.51.100.20 comment
ssh r...@192.51.100.20 rm -f /tmp/config.cache ; /etc/rc.reload_something2x

Where /my/script.php is a script that modifies /conf/config.xml. Hacking that script would only take a minute. You can modify /tmp/rules.debug too, but the rules would be removed on next reload. :)

Anyway, you can try this sed trick if you don't want to use PHP:

sed 's/$/insert here<\/entry>/g' /conf/config.xml > /conf/config.xml.new

(pls refer to the config.xml for the correct XML... :)

Regards,
[ simon.cpu ]

-
To unsubscribe, e-mail: discussion-unsubscr...@pfsense.com
For additional commands, e-mail: discussion-h...@pfsense.com
Commercial support available - https://portal.pfsense.org
Re: [pfSense-discussion] API?
On 14/12/10 5:58 PM, Nathan Eisenberg wrote:
> Hi Ari,
>
> Sadly, that doesn't quite apply here. My customer has an IDS that can
> perform an API call when there are multiple failed-logons in a short
> period. What I want is for their Windows boxen to make their pfsense
> firewall block abusers by appending abusive IPs to an alias list,
> reloading the filter, and killing related connections in the state table.

My point is just that the mechanism is very similar. Fail2ban tails some log and then injects deny rules into the firewall. Those people who are actually running fail2ban on their servers could write a special action.d file to use the API you are suggesting and cause it to ban people trying to hack an ftp server just as well as from your special application.

The problem with this approach is always that you leave yourself open to a DoS. Send some spoofed packets 'from' your best customer.

Ari

--
-->
Aristedes Maniatis
ish
http://www.ish.com.au
Level 1, 30 Wilson Street Newtown 2042 Australia
phone +61 2 9550 5001 fax +61 2 9550 4001
GPG fingerprint CBFB 84B4 738D 4E87 5E5C 5EFA EF6A 7D2E 3E49 102A
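As an added example (not code from this thread or from pfSense), one way to do the alias-append step Nathan describes while taking Ari's spoofing point seriously: the reported address is checked against bogon ranges and a never-block list before it is appended to a host alias in a config.xml-style document, and re-reports of the same address are a no-op. The sample config is constructed, and the alias layout (space-separated address list, '||'-separated detail field) and the never-block ranges are assumptions, so compare against a real /conf/config.xml before use.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample in the assumed shape of a pfSense config.xml <aliases> block.
SAMPLE_CONFIG = """<pfsense>
  <aliases>
    <alias>
      <name>blocklist</name>
      <type>host</type>
      <address>203.0.113.9</address>
      <descr>IDS auto-ban</descr>
      <detail>abuse</detail>
    </alias>
  </aliases>
</pfsense>"""

# Ranges a spoofed "abuser" report must never be able to get banned (hypothetical values):
# private/bogon space, plus the customer's own range and the firewall itself.
BOGONS = [ipaddress.ip_network(n) for n in ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8",
          "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]
NEVER_BLOCK = [ipaddress.ip_network("192.0.2.0/24"),     # customer's office range (assumed)
               ipaddress.ip_network("198.51.100.1/32")]  # the firewall's own address (assumed)

def vet_ip(raw):
    """Return the address as an IPv4Address, or raise ValueError saying why it was refused."""
    ip = ipaddress.ip_address(raw.strip())        # raises ValueError on garbage input
    if ip.version != 4:
        raise ValueError("only IPv4 aliases are handled here")
    for net in BOGONS + NEVER_BLOCK:
        if ip in net:
            raise ValueError(f"{ip} is inside protected range {net}")
    return ip

def add_to_alias(config_xml, alias_name, raw_ip, comment="IDS auto-ban"):
    """Append raw_ip to the named host alias. Returns (new_xml, changed)."""
    ip = vet_ip(raw_ip)
    root = ET.fromstring(config_xml)
    for alias in root.iter("alias"):
        if alias.findtext("name") == alias_name:
            break
    else:
        raise ValueError(f"alias {alias_name!r} not found in config")
    addr_el, detail_el = alias.find("address"), alias.find("detail")
    addrs = (addr_el.text or "").split()
    if str(ip) in addrs:                          # idempotent: repeated reports change nothing
        return config_xml, False
    addr_el.text = " ".join(addrs + [str(ip)])
    details = detail_el.text.split("||") if detail_el.text else []
    detail_el.text = "||".join(details + [comment])
    return ET.tostring(root, encoding="unicode"), True
```

The caller still has to write the result over /conf/config.xml and reload the filter, as in the ssh lines simon.cpu gives; the never-block list is what bounds the damage if someone sends a forged report 'from' a customer.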
RE: [pfSense-discussion] API?
> Search this list and forums for previous discussions about fail2ban.
> This is exactly the tool you are thinking of and there was some
> discussion about why it would or would not work with pfSense. I agree
> it would be useful, especially if it worked in a HA setup.
>
> Ari

Hi Ari,

Sadly, that doesn't quite apply here. My customer has an IDS that can perform an API call when there are multiple failed-logons in a short period. What I want is for their Windows boxen to make their pfsense firewall block abusers by appending abusive IPs to an alias list, reloading the filter, and killing related connections in the state table.
Re: [pfSense-discussion] API?
On 13/11/10 6:01 AM, Nathan Eisenberg wrote:
> I have a customer who wants to be able to automate IP blackholing on their
> PFSense firewall from their custom IDS. In essence, the application wants to
> go something like
>
> 'I'm being abused by this IP 198.51.100.20'
> 'POST HTTPS://GATEWAY/pfapi.php?alias=blocklist&ip=198.51.100.20&comment='
> 'POST HTTPS://GATEWAY/pfapi.php?action=apply'
>
> There was a post about this some time ago, and the answer at the time was
> 'there's no such functionality'. Is there anything new on this front?
>
> Nathan Eisenberg

Search this list and forums for previous discussions about fail2ban. This is exactly the tool you are thinking of and there was some discussion about why it would or would not work with pfSense. I agree it would be useful, especially if it worked in a HA setup.

Ari

--
-->
Aristedes Maniatis
ish
http://www.ish.com.au
Level 1, 30 Wilson Street Newtown 2042 Australia
phone +61 2 9550 5001 fax +61 2 9550 4001
GPG fingerprint CBFB 84B4 738D 4E87 5E5C 5EFA EF6A 7D2E 3E49 102A
Re: [pfSense-discussion] API?
On 11/12/2010 2:01 PM, Nathan Eisenberg wrote:
> I have a customer who wants to be able to automate IP blackholing on their
> PFSense firewall from their custom IDS. In essence, the application wants to
> go something like
>
> 'I'm being abused by this IP 198.51.100.20'
> 'POST HTTPS://GATEWAY/pfapi.php?alias=blocklist&ip=198.51.100.20&comment='
> 'POST HTTPS://GATEWAY/pfapi.php?action=apply'
>
> There was a post about this some time ago, and the answer at the time was
> 'there's no such functionality'. Is there anything new on this front?

There isn't anything in the XMLRPC API we have for that yet. I would suggest you could do this via easyrule.php in 2.0, but I think the recent http_referer and/or csrf checks may mean that will no longer work if done remotely.

Jim