TCL/Perl scripting for PF

Hi All,

I have a PF firewall running on FreeBSD 6.x. Now I would like to change and review the config in my rc.conf file via a browser. So my approach here would be:

  • make a script, which changes, for instance, the default route

  • have this script built into a webpage and have a form field where I can enter the IP address as default gateway and have the script started via a submit button

Now my question is:

  • does anyone have a script for me which would accomplish that task?
  • which scripting language shall I use, TCL or Perl, for also having it embedded in my webpage?

thx for your feedback

I would use Perl / CGI to accomplish this. If I got it correctly, you want to update the rc.conf file via a webpage, where you have fields to update certain values. But I think some changes in rc.conf would require a reboot of the machine, or am I wrong?

Well, I wouldn't be rebooting the system after changing some values, for others indeed. Do you happen to have an example of that scripting?

You can use any language you want for CGI; Perl is certainly more mainstream for this sort of thing, but whatever works for you.

Thanks, I will try it and keep you folks posted,

If in the meantime anyone has a script which could be used as an example, I'd appreciate that.

bye

Well, it depends on the architecture of the script; can you post a sample input / file and the desired output? Also, some security considerations - do you really want a web page that someone can access and change your default route?

When I boot the system, my rc.conf looks as follows:

ifconfig_rl0="192.168.2.1"
ifconfig_rl1="192.168.1.1"

gateway_enable="YES"
#natd_enable="YES"
#natd_interface="rl1"
#natd_flags="-f /etc/natd.conf"
#firewall_enable="YES"
#firewall_type="OPEN"
defaultrouter="192.168.1.254"
pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""
pflog_enable="YES"
pflog_logfile="/var/log/pf.log"
pflog_flags=""

dhcpd_enable="YES"
dhcpd_flags="-q"
dhcpd_conf="/usr/local/etc/dhcpd.conf"
dhcpd_ifaces="rl0"

Now my output on the webpage should look like this:

IP addresses rl0: 192.168.2.1 /24 <edit-button>
IP addresses rl0: 192.168.1.1 /24 <edit-button>

Route: 0.0.0.0 /0 192.168.1.254 <edit-button>

<add-button>

<apply-button> ----> saves it permanently in the rc.conf file

And for the HTTP session, I'd only like to enable the port for HTTP on the inside (with local auth database)

So this is the whole task, and I am struggling even with part one, choosing the right scripting language :-)
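An added example, not posted by anyone in this thread, of the back-end half of this task, written in Python for readability (the same logic carries over to a Perl CGI): parse the rc.conf shown above, and rewrite only the defaultrouter line after the submitted value passes a strict IPv4 check, because rc.conf is sourced by /bin/sh at boot and a raw form value could otherwise inject shell syntax. The sample file content and names are constructed.

```python
import ipaddress
import re

# Constructed sample modelled on the rc.conf shown in the thread, not a real file.
SAMPLE_RC_CONF = """\
ifconfig_rl0="192.168.2.1"
ifconfig_rl1="192.168.1.1"

gateway_enable="YES"
#firewall_enable="YES"
defaultrouter="192.168.1.254"
pf_enable="YES"
pf_rules="/etc/pf.conf"
"""

# One rc.conf assignment: KEY="value", optional surrounding whitespace.
RC_LINE = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*"([^"]*)"\s*$')


def parse_rc_conf(text):
    """Return {key: value} for every uncommented KEY="value" line."""
    conf = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # a commented-out entry is not an active setting
        m = RC_LINE.match(line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf


def validate_ipv4(value):
    """Accept only a plain dotted-quad IPv4 address, rejecting everything else.

    This is what keeps quotes, ';' or '$(...)' from a web form out of rc.conf.
    """
    try:
        return str(ipaddress.IPv4Address(value.strip()))
    except ValueError:  # AddressValueError is a ValueError subclass
        raise ValueError("not a valid IPv4 address: %r" % value)


def set_default_router(text, new_gateway):
    """Rewrite only the defaultrouter= line, leaving every other line intact."""
    gw = validate_ipv4(new_gateway)
    out, found = [], False
    for line in text.splitlines():
        m = RC_LINE.match(line)
        if m and m.group(1) == "defaultrouter":
            line, found = 'defaultrouter="%s"' % gw, True
        out.append(line)
    if not found:  # no existing entry: append one rather than silently doing nothing
        out.append('defaultrouter="%s"' % gw)
    return "\n".join(out) + "\n"
```

The CGI wrapper would call set_default_router on the file contents and write the result to a temporary file before renaming it over /etc/rc.conf, so a crash mid-write cannot leave a truncated config.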

If you have PHP on your system, you can use that. It's easier to program a web application with than using Perl CGI.

Whatever you use, make sure you have a good understanding of the security implications. It's not just that an attacker could hose your routing; if the application is incorrectly implemented, it might allow an attacker to break in and do even more onerous things to your system (use it to host phishing and malware sites, etc).

I would prefer to be able to configure my PF from the internal LAN interface only, and block all management traffic from the outside interface except SSH.