Author Topic: A short preview of the "3.0" CLI commands (/r/PFSENSE)  (Read 394 times)


biggsy
A short preview of the "3.0" CLI commands (/r/PFSENSE)
« on: September 01, 2017, 07:07:06 pm »
I'm already signed up to far too many forums, so asking here.  Apologies if that's not considered appropriate.

Maybe I missed it but there doesn't appear to be an equivalent to this bgpctl command:

neighbor peer clear [reason]

    Stop and restart the BGP session to the specified neighbor.
    If a reason is provided, the reason is sent as Administrative Shutdown Communication to the neighbor.
    The reason cannot exceed 128 octets. Peer may be the neighbor's address or description.

I guess it might be a "corner case" but I find this very useful for recreating an Alias table of blacklisted IPs (maintained via fail2ban/openbgp on another system) after a firewall rule change/reload.

biggsy
Re: A short preview of the "3.0" CLI commands (/r/PFSENSE)
« Reply #1 on: September 02, 2017, 03:07:42 am »
Thanks Bill but I'm not sure how it would be related to Squid.  However, I'm not a Squid user either so I could easily be wrong.

I run this bgpctl command from a tiny PHP script called through an afterfilterchange shellcmd.

It causes the BGP peer to resend all the currently blacklisted IPs, which are loaded into an Alias table referenced by a block rule on WAN.  It does this very, very quickly, too.

The only reason for having to do all this is that the Alias table is not managed through the GUI, so it gets cleared on a rule change or reload.
 
Of course, I have no reason to expect this won't be achievable in some other way under 3.0 but it is a very useful function of openbgpd.
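The hook biggsy describes, written out as an added example (not code from the thread or from pfSense): a POSIX sh wrapper around `bgpctl neighbor <peer> clear [reason]` that can be run from an afterfilterchange shellcmd, enforcing the 128-octet limit on the shutdown reason and offering a dry run. The bgpctl path, the DRY_RUN/PEER/REASON variables and the peer 192.0.2.1 are assumptions.

```shell
#!/bin/sh
# Added example (not code from the thread): bounce an OpenBGPD session with
# "bgpctl neighbor <peer> clear [reason]" after a filter reload, so the peer
# re-announces the blacklist prefixes into the alias table.
# Assumed names: BGPCTL path, DRY_RUN switch, PEER/REASON environment variables.

BGPCTL="${BGPCTL:-/usr/local/sbin/bgpctl}"
MAX_REASON_OCTETS=128   # limit for the shutdown reason, per bgpctl(8)

# Succeeds when the reason fits in 128 octets. The limit is bytes, not
# characters, so a UTF-8 reason can be too long with far fewer characters.
reason_ok() {
    n=$(printf '%s' "$1" | LC_ALL=C wc -c | tr -d ' ')
    [ "$n" -le "$MAX_REASON_OCTETS" ]
}

# clear_peer PEER [REASON]: validate, then run bgpctl (or print the command
# when DRY_RUN=1). The peer may be an address or the neighbor's description,
# exactly as bgpctl accepts it.
clear_peer() {
    peer="$1"; reason="$2"
    if [ -z "$peer" ]; then
        echo "clear_peer: peer address or description required" >&2
        return 1
    fi
    if [ -n "$reason" ] && ! reason_ok "$reason"; then
        echo "clear_peer: reason exceeds $MAX_REASON_OCTETS octets, refusing" >&2
        return 1
    fi
    # Build the argument list with set -- so a reason containing spaces stays
    # a single argument (no word splitting, no re-quoting needed).
    if [ -n "$reason" ]; then
        set -- neighbor "$peer" clear "$reason"
    else
        set -- neighbor "$peer" clear
    fi
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'bgpctl'; printf ' %s' "$@"; printf '\n'
        return 0
    fi
    "$BGPCTL" "$@"
}

# Entry point for the shellcmd: pfSense passes no arguments, so the peer and
# reason come from the environment (nothing runs when PEER is unset).
if [ -n "${PEER:-}" ]; then
    clear_peer "$PEER" "${REASON:-filter rules reloaded}"
fi
```

Run it with DRY_RUN=1 first to see the exact bgpctl invocation before wiring it into the afterfilterchange hook.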

bmeeks
Re: A short preview of the "3.0" CLI commands (/r/PFSENSE)
« Reply #2 on: September 04, 2017, 05:26:53 pm »
Quote from: biggsy on September 02, 2017, 03:07:42 am
> Thanks Bill but I'm not sure how it would be related to Squid.  However, I'm not a Squid user either so I could easily be wrong.
>
> I run this bgpctl command from a tiny PHP script called through an afterfilterchange shellcmd.
>
> It causes the BGP peer to resend all the currently blacklisted IPs, which are loaded into an Alias table referenced by a block rule on WAN.  It does this very, very quickly, too.
>
> The only reason for having to do all this is that the Alias table is not managed through the GUI, so it gets cleared on a rule change or reload.
>
> Of course, I have no reason to expect this won't be achievable in some other way under 3.0 but it is a very useful function of openbgpd.

Sorry...just realized today that I posted my reply to the wrong thread ...  :-[

Bill