pfctl: dynamically add and remove rules from the command line

Hi,

I am trying to add and remove rules from the command line on the fly. I have tried it like below:

1. I have written the below line in /etc/pf.conf to create an anchor.
Code:
anchor "goodguys"
2. Then I have loaded the pf.conf file like below:
Code:
pfctl -f /etc/pf.conf
3. Then I have added a rule like below:
Code:
echo "block in proto icmp from 10.0.104.140 to any" | pfctl -a goodguys -f -
4. Up to this point it's working fine.
But now if I want to add a new rule, it replaces the previous rule.

How can I keep adding and deleting rules on the same anchor at run time?

Please help.
 
The -f option replaces your existing anchor rules, just like pfctl -f /etc/pf.conf replaces all your rules. If you want to add IP addresses to existing rules, use a table.
 
Thanks for your reply.

But my requirement is: if I want to add new rules entirely via the command line under the same anchor, how can I achieve it?
 
The only way to "add" rules would be to read the existing rules, add your new rule to this list and load the adjusted rules. But I would suggest rethinking your solution, you're probably making it more complex than necessary.
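The read-modify-write loop described above, written out as an added example (this is not code from the thread or from pfctl itself). It dumps the anchor's current rules with pfctl -a ANCHOR -sr, edits that list as plain text, and loads the whole list back with pfctl -a ANCHOR -f -. The anchor name "goodguys" comes from the thread; the PFCTL override and the script name are this example's own assumptions, there so the list handling can be exercised without a live pf.

```sh
#!/bin/sh
# Added example, not code from the thread: add or delete ONE rule in a pf
# anchor at run time. "pfctl -a ANCHOR -f -" always replaces the anchor's
# whole rule set, so this script does the read-modify-write Dice describes:
# dump the anchor's current rules, edit that list as text, load it back whole.
# ANCHOR defaults to the thread's "goodguys"; PFCTL is a hypothetical override
# so the text handling can be exercised without a live pf.
set -eu

ANCHOR="${ANCHOR:-goodguys}"
PFCTL="${PFCTL:-pfctl}"

# Current rules of the anchor, one per line, as pf prints them. pf prints the
# canonical form ("block drop in proto icmp from ... to any"), which can
# differ from the text that was loaded, so match against the canonical text.
current_rules() {
    "$PFCTL" -a "$ANCHOR" -sr 2>/dev/null || true
}

# add_rule_to_list LIST RULE: LIST with RULE appended, unless an identical
# rule is already present. Blank lines are dropped. Pure text, no pf needed.
add_rule_to_list() {
    printf '%s\n%s\n' "$1" "$2" | awk 'NF && !seen[$0]++'
}

# remove_rule_from_list LIST RULE: LIST without every line identical to RULE.
remove_rule_from_list() {
    printf '%s\n' "$1" | awk -v rule="$2" 'NF && $0 != rule'
}

# load_rules LIST: replace the anchor's rule set with LIST in one pfctl call.
# pf swaps the anchor's rule set as a unit, so the other rules in the anchor
# are never absent in between.
load_rules() {
    printf '%s\n' "$1" | "$PFCTL" -a "$ANCHOR" -f -
}

add_rule()    { load_rules "$(add_rule_to_list    "$(current_rules)" "$1")"; }
delete_rule() { load_rules "$(remove_rule_from_list "$(current_rules)" "$1")"; }

# Usage: pf-anchor-rule.sh add|delete 'rule text'   or   pf-anchor-rule.sh list
case "${1:-}" in
    add)    add_rule "$2" ;;
    delete) delete_rule "$2" ;;
    list)   current_rules ;;
esac
```

Two caveats a practitioner will hit. First, delete by the text pfctl -a goodguys -sr prints, not by the text you originally typed: the rule loaded in the thread comes back as "block drop in proto icmp from 10.0.104.140 to any". Second, the loop is not safe against two copies running at once (both read, both write, one update is lost), so serialize it with a lock if a policy engine can fire it concurrently. To empty the anchor outright, pfctl -a goodguys -F rules is clearer than loading an empty list.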
 

Thanks Dice.

Actually I am going to implement a firewall on a Mac endpoint. So we have a policy engine which is used to send policies to the endpoint for
different server accessibility. Let's assume we have servers A and B, and the endpoint is C. So if the policy is, for server A ICMP is blocked and for server B SSH is blocked, I want to add these two rules dynamically on the same anchor, and in future on an on-demand basis I have to delete and modify the rules as well. So is this type of scenario possible to achieve through command-line pfctl, or should I write the rules to a file and load it every time?
Please suggest!
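Dice's table suggestion applied to this scenario, as an added example (not code from the thread, the policy engine, or pfctl). The rules stay fixed in pf.conf; each kind of block (ICMP, SSH) is a table, and at run time the endpoint only replaces table contents with pfctl -t TABLE -T replace -f FILE, which makes the table match the file in one call. The policy format ("<address> <service>" per line), the table names, the WORKDIR path and the PFCTL override are this example's own assumptions.

```sh
#!/bin/sh
# Added example, not code from the thread: the table-based design Dice
# suggests, applied to the scenario above (server A: ICMP blocked, server B:
# SSH blocked, endpoint C runs pf). The rules never change; each policy item
# is a table, and the endpoint only swaps table contents at run time.
# The policy format ("<address> <service>" per line), the table names and
# WORKDIR are this example's own assumptions, not what the thread's policy
# engine actually emits. PFCTL is a hypothetical override for dry runs.
set -eu

PFCTL="${PFCTL:-pfctl}"
WORKDIR="${WORKDIR:-/var/run/pfpolicy}"

# pf.conf fragment the script relies on; load it once with pfctl -f. "persist"
# keeps a table alive even when it is empty or no longer referenced.
pf_conf_fragment() {
    cat <<'EOF'
table <no_icmp> persist
table <no_ssh> persist
block in proto icmp from <no_icmp> to any
block out proto icmp from any to <no_icmp>
block in proto tcp from <no_ssh> port 22 to any
block out proto tcp from any to <no_ssh> port 22
EOF
}

# table_for SERVICE: the table that enforces a policy service.
table_for() {
    case "$1" in
        icmp) echo no_icmp ;;
        ssh)  echo no_ssh ;;
        *)    echo "unknown service: $1" >&2; return 1 ;;
    esac
}

# validate_policy POLICY: every non-blank line must be "<address> <service>"
# with a known service. A garbled policy is rejected outright rather than
# rendered into an empty or wrong table.
validate_policy() {
    printf '%s\n' "$1" | awk '
        BEGIN { bad = 0 }
        NF == 0 { next }
        NF != 2 || $1 !~ /^[0-9a-fA-F.:\/]+$/ || ($2 != "icmp" && $2 != "ssh") {
            print "bad policy line: " $0 > "/dev/stderr"; bad = 1
        }
        END { exit bad }'
}

# hosts_for POLICY SERVICE: addresses the policy blocks for SERVICE, one per
# line, deduplicated.
hosts_for() {
    printf '%s\n' "$1" | awk -v svc="$2" '$2 == svc { print $1 }' | sort -u
}

# apply_policy POLICY: render one address file per table and swap it in with
# "pfctl -T replace", which makes the table match the file in one call. Since
# every table is rebuilt from the full policy, a host that disappears from the
# policy disappears from pf too; there is no separate delete path to get wrong.
apply_policy() {
    validate_policy "$1"
    mkdir -p "$WORKDIR"
    for svc in icmp ssh; do
        table=$(table_for "$svc")
        file="$WORKDIR/$table.txt"
        hosts_for "$1" "$svc" > "$file"
        if [ -s "$file" ]; then
            "$PFCTL" -t "$table" -T replace -f "$file"
        else
            "$PFCTL" -t "$table" -T flush
        fi
    done
}

# Usage: pf-policy.sh apply < policy.txt   (policy from the engine on stdin)
#        pf-policy.sh conf                 (print the pf.conf fragment)
case "${1:-}" in
    apply) apply_policy "$(cat)" ;;
    conf)  pf_conf_fragment ;;
esac
```

Adding or modifying a block is then a table change, not a rule change: pfctl -t no_icmp -T add 10.0.104.140 for a single host, pfctl -t no_icmp -T show to inspect, and -T replace from a file when the engine sends a complete policy. This is the same pfctl -t/-T interface on FreeBSD and on macOS pf, and it avoids rewriting the anchor on every policy update.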
 