bevhost / ansible-module-pfsense Goto Github PK

Hi there,
How do I install this?
Thanks

Hi ¿Can I use pfsense_config to configure Captive Portal?

Hello,

When I try to delete the default LAN rules pfSense creates, I use the pfsense_filter_rules module with the "state: absent" keyword, but it never seems to delete the rule itself. It always returns the task with 'ok' and nothing was changed, while it does show that phpcode was injected.

This is the task in the playbook:

    - name: Delete default LAN rules
      pfsense_filter_rules:
        state: absent
        tracker: '0100000102'

TASK [Delete default LAN rules] ****************************************************************************************

ok: [127.0.0.1 -> 172.29.126.16] => changed=false
  filter_rules:
  - descr: Default allow LAN IPv6 to any rule
    destination:
      any: ''
    interface: lan
    ipprotocol: inet6
    source:
      network: lan
    tracker: '0100000102'
    type: pass
  phpcode: |-
    unset($config['filter']['rule'][8]);
  updated: ''

I tried this with newly created rules (instead of the default ones) but the result is the same.

Ansible galaxy now supports collections, in addition to roles. Collections can contain libraries like this repository.

Providing this would make the installing process considerably simpler, the module/collection can be listed as a requirement, updated etc.

An example of this being done is:

• https://github.com/pfsensible/core
• https://galaxy.ansible.com/pfsensible/core

When adding a floating rule through the 'pfsense_filter_rules' module, they are added in the XML like this:
<floating></floating>

When manually creating a floating rule through the GUI, it contains the 'yes' keyword (tested on 2.4.4-p3, not sure about other versions):
<floating>yes</floating>

The rules themselves work fine regardless of the 'yes' or not by the way.

For us this caused an obscure issue with a module from another repository (in combination with only 1 interface selected on the floating rule itself) that we worked around for, but just reporting this in case it might cause issues for other people.

Due to the way PHP commands are generated, it is easily possible to inject arbitrary PHP code via module parameters. You must still have shell access and admin privileges to use the modules in the first place, but could be problematic if module parameters are loaded from an untrusted source.

- hosts: pfsense
  become: true
  tasks:
    - pfsense_group:
        name: injected'; system_reboot(); echo 'oops
        priv:
          - page-all