How can I Control the PF Firewall in DA?

IT_Architect (Verified User, joined Feb 27, 2006, 1,088 messages)
How can I Control the PF Firewall in DA? Being able to start, stop, restart, and reload PF is useful for when someone gets themselves blacklisted, so the firewall can be reloaded and tables cleared without going in via ssh.

Thanks
 
I'm not sure how BSD handles the firewall, but I suspect that it is not a service. As a result DA's service monitor probably would not be able to manage it in the same way as Apache, exim, and so on.
 
Exactly. That's why I'm asking. I was thinking service monitor first too, then I started looking for a pid, and didn't find one, and then I thought no problem, I'll make one, and then the bulb came on, "Oh duh, this is a kernel loadable module we're talking here. Not only isn't there a pid, there is no way I can make one for it either." The only thing I can think of is a plugin.
 
A firewall is not a process, but it can be controlled by a startup script.

I don't have a FreeBSD system to look at, but you can certainly use a startup script to control a firewall; for example, CentOS uses a startup script to control iptables. Knowing whether it's running or not is a bit harder, but it's doable as well; the CentOS iptables startup script has a working status command.

Once you've got a startup script you can use it with the DirectAdmin service monitor.

You can probably find a sample startup script somewhere on the 'net, but if you can't, let me know, and I'll attach a copy of the CentOS startup script to a future post.

Note that you won't be able to use it as-is, or even close to as-is, and you'll have to know a lot about how the PF firewall is controlled, but it'll give you a framework to look at.

Let me know if you can't find one.

Jeff
 
Once you've got a startup script you can use it with the DirectAdmin service monitor.....you'll have to know a lot about how the PF firewall
I have those covered. I'd need to code something to determine if it is running. Perhaps write a script that creates a fake pid, check the status, and set it to one number if it is off and another if it is running? I've added regular processes to service monitor before but I really don't understand enough of how service monitor works to go further.
 
@Rich-Boy,

You can look at CSF all you'd like; it won't work with a FreeBSD server. CSF is a control system for iptables, which runs netfilter, which is built into the Linux kernel. PF (Packet Filter) is the FreeBSD equivalent, but they're not the same and do not use the same syntax.

@IT_Architect,

I don't know if you need a phony pid or if you can just check something in the firewall as we do with Linux.

Jeff
 
I don't know if you need a phony pid or if you can just check something in the firewall as we do with Linux.
I can do that fine.

My question would be what are the requirements for making Service Monitor work properly? I don't understand its architecture. If it works like watchdog scripts, it checks the pid, which holds the process number for the daemon. When a daemon closes, it removes the pid. When the process terminates unexpectedly, it leaves the pid behind, but the watchdog figures that out by checking to see if the process in the pid is running in memory, and if not, restarts it. Perhaps Service Monitor works the same way?

IF Service Manager does work that way, I would need to write a daemon. We'll call it pfmonit.
- If Service Monitor calls pfmonit's rc.d script with the start parameter, the script would call pf's rc.d script with the start option, then call the pfmonit daemon, and then create a pid with pfmonit's process number.
- If Service Monitor calls the rc.d script with the stop parameter, the script would call pfmonit's rc.d script with the stop option, at which time pfmonit would call pf's rc.d script with the stop parameter, then kill pfmonit, and then remove pfmonit's pid.
- Restarts simply combine the second and first options as usual.
- The only thing the daemon would do is monitor the status of the firewall. If something goes wrong, all the daemon would need to do is exit. The Service Monitor during normal checks would find the pid no longer points to a valid process, and issue a call to pfmonit's rc.d script to get it running again.

Any thoughts, simplifications, or corrections?

Thanks
 
Thinking about it in more detail, I'm guessing that Service Monitor does check PIDs; after all, it reports them to the user on the DirectAdmin admin page.

So I suppose you would have to have one.

I'm not sure if it checks memory or not; you might want to ask DirectAdmin Support.

I do know that the Service Manager will remove any reference to monitoring from the monitor function if you turn it off from the webpage, and will reinsert it, if it's not there, when you start it from the webpage.

Which is why if you turn off a service from the command line and it's on in the Service Monitor, it'll get turned on the next time the cronjob runs (every minute).

Jeff
 