[pfSense] pfctl question

Hans Maes Hans at bitnet.be
Thu Sep 22 09:28:47 EDT 2011


Hello,

I'm happily using pfsense 1.2.3 as an OpenVPN server in production for 
more than a year now.
I'm now playing with some custom openvpn connect/disconnect scripts to 
be able to automatically add/remove dynamic firewall rules on 
connect/disconnect of openvpn clients.
The scripts are being called by openvpn, so all of that works, but I'm 
having a problem with the way I should call pfctl.

I've been using pfsense for years now and I know my way around networks 
and firewalls, but I'm not really familiar with pf and pfctl.
I'm trying to add rules by writing them in a temporary text file and 
passing them to pfctl using the -f flag.
However, when I do this the entire ruleset gets replaced by my custom 
rules, instead of adding my custom rules to the bottom of the ruleset.

After reading pfctl manuals online, I tried using anchors to load my 
rules in a subruleset. However, they were not getting parsed. Seems you 
need to add an anchor to the default ruleset telling it to parse the sub 
ruleset. But that brings me back to my first problem.

I noticed there is an anchor in the pfsense default ruleset called 
"pftpx/*" which I could use as a test since from what I understand it 
would load all anchors nested under the pftpx anchor.
So I added my custom rules to the pftpx anchor with pfctl -a "pftpx" -f 
/tmp/temprulefile
This works, but of course as soon as I try to add a second rule to the 
anchor, it wipes out the first rule again (just like in the default ruleset).

Could anybody explain to me how I can add rules to pf's ruleset (or 
anchors) without wiping all existing rules?
I'm looking for the behaviour of, for example, iptables, where you can add 
rules on the fly and it will only flush the existing rules when 
specifically asked to.


(I know these rules won't survive a reboot but this is not a problem 
since the openvpn clients will disconnect/reconnect on a reboot anyway, 
after which the script will trigger again and add the rules again)

Thanks for any help anyone can offer.

Regards,

Hans

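One way to get the iptables-like add/remove behaviour Hans is asking for, as an added example that is not part of the post or of pfSense: `pfctl -a ANCHOR -f FILE` always replaces the whole contents of that one anchor, so the trick is to give every OpenVPN client its own nested anchor under a parent that the main ruleset pulls in with a wildcard. Loading or flushing one client's anchor then never touches another client's rules, and the main ruleset is never reloaded. The script assumes the `anchor "pftpx/*"` line Hans found in the pfSense ruleset (the parent anchor name is an assumption reusing his), and relies on the `script_type`, `common_name`, `ifconfig_pool_remote_ip` and `dev` variables OpenVPN exports to hook scripts. The `PFCTL` override exists only so the functions can be exercised on a box without pf.

```shell
#!/bin/sh
# Example OpenVPN client-connect / client-disconnect hook for pf.
# Added example, not code from the original post or from pfSense.
#
# Each client gets its own nested anchor "pftpx/ovpn_<cn>". Because the main
# ruleset carries `anchor "pftpx/*"` (as observed in the post), every nested
# anchor is evaluated, and "pfctl -a <nested> -f" only replaces that one
# client's rules instead of the whole ruleset.

PARENT_ANCHOR="pftpx"          # assumption: reuse the anchor Hans found
PFCTL="${PFCTL:-/sbin/pfctl}"  # overridable so the logic can be tested without pf

# Map an OpenVPN common name to a safe nested anchor name.
# Anything outside [A-Za-z0-9_] becomes "_" so a hostile CN cannot smuggle
# a "/" or quote into the anchor path.
anchor_name() {
    cn=$(printf '%s' "$1" | tr -c 'A-Za-z0-9_' '_')
    printf '%s/ovpn_%s' "$PARENT_ANCHOR" "$cn"
}

# Emit the pf rules for one client.
# $1 = VPN interface (OpenVPN's $dev), $2 = the client's tunnel IP.
# "quick" makes the first matching rule final instead of pf's default
# last-match, so a later, broader rule cannot silently override it.
build_rules() {
    printf 'pass in quick on %s from %s to any keep state\n' "$1" "$2"
    printf 'pass out quick on %s from any to %s keep state\n' "$1" "$2"
}

# Load the client's rules into its private anchor (replaces only that anchor).
add_client() {
    build_rules "$dev" "$ifconfig_pool_remote_ip" \
        | "$PFCTL" -q -a "$(anchor_name "$common_name")" -f -
}

# Flush only this client's anchor when it disconnects.
remove_client() {
    "$PFCTL" -q -a "$(anchor_name "$common_name")" -F rules </dev/null
}

# Dispatch on the hook type OpenVPN tells us about. With script_type unset
# (e.g. when sourced for testing) the script defines its functions and exits 0.
case "${script_type:-}" in
    client-connect)    add_client ;;
    client-disconnect) remove_client ;;
    "")                ;;
    *) echo "unexpected script_type: $script_type" >&2; exit 1 ;;
esac
```

Point both the `client-connect` and `client-disconnect` OpenVPN options at this one script; the connect hook must exit 0 or OpenVPN refuses the client, which is why errors are not swallowed. `pfctl -a pftpx/ovpn_<cn> -s rules` shows what a single client currently has loaded, and because nothing here reloads the main ruleset, rules added from the GUI are left alone.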
