Labsco
gensecaihq logo

pfSense MCP Server

โ˜… 73

from gensecaihq

Enables natural language interaction with pfSense firewalls through GenAI applications.

๐Ÿ”ฅ๐Ÿ”ฅ๐Ÿ”ฅ๐Ÿ”ฅโœ“ VerifiedAccount requiredAdvanced setup

pfSense MCP Server

Manage your pfSense firewall with natural language. 327 tools. 9 layers of safety. One command to start.

You: "Block all traffic from 203.0.113.5 on WAN"
Claude: Creates block rule โ†’ applies changes โ†’ confirms with rollback instructions

pfSense MCP Server connects Claude Desktop, Claude Code, and other MCP-compatible AI clients to your pfSense firewall. Ask questions, diagnose issues, and manage your firewall โ€” all through conversation.

Why This Exists

Managing a pfSense firewall means clicking through web UI tabs, remembering field names, and hoping you don't fat-finger a rule that locks you out. With this MCP server, you describe what you want in plain English and the AI handles the REST API calls, validates inputs, and warns you before anything destructive happens.

What makes it different:

  • Every destructive operation requires explicit confirmation and shows you exactly what will happen
  • Automatic config backup before every delete/reboot โ€” with a one-line rollback command
  • Rate limiting prevents runaway AI loops from flooding your firewall with rules
  • Input sanitization blocks command injection, path traversal, and XSS in every parameter

What You Can Do

327 tools across every major pfSense subsystem:

DomainToolsWhat You Can Do
Firewall Rules9Create, update, delete, reorder rules. Bulk block IPs. View compiled pf ruleset.
Aliases5Manage host/network/port/URL aliases. Add and remove addresses.
NAT16Port forwards, outbound NAT, 1:1 NAT โ€” full lifecycle management.
VPN51OpenVPN servers and clients, IPsec tunnels, WireGuard peers โ€” CRUD, status, apply.
Routing16Gateways, gateway groups, static routes, default gateway management.
DNS24Unbound resolver and dnsmasq forwarder: host overrides, domain overrides, access lists.
DHCP17Leases, static mappings, address pools, custom options, server config.
Certificates15Certs, CAs, CRLs โ€” generate, renew, export PKCS12.
Users12User accounts, groups, LDAP/RADIUS auth server config.
Interfaces14Interface config, VLANs, bridges, groups.
System44Status, settings, diagnostics, config history, reboot, ping.
Services14Start/stop/restart services. NTP, cron, SSH, service watchdog.
Logs3Firewall log analysis with parsed IPv4/IPv6 filterlog data.
Traffic Shaping12Shapers, queues, and limiters for bandwidth management.
Schedules8Time-based firewall rule scheduling.
Virtual IPs5CARP, ProxyARP, and IP Alias management.
Troubleshooting10Diagnose connectivity, blocked traffic, VPN, DHCP, DNS, HA. Full health report.
Packages43HAProxy, ACME/Let's Encrypt, BIND DNS, FreeRADIUS.
Utility9HATEOAS navigation, object ID management, guardrail status.

Safety First

AI managing a production firewall needs guardrails. This server has 9 layers:

"Delete firewall rule 5"

  1. CLASSIFY    โ†’ HIGH risk (destructive)
  2. ALLOWLIST   โ†’ tool is permitted
  3. SANITIZE    โ†’ parameters clean (no injection)
  4. RATE LIMIT  โ†’ under 10 deletes/minute
  5. DRY RUN?    โ†’ user can preview first
  6. CONFIRM     โ†’ blocked until confirm=True
  7. BACKUP      โ†’ config revision captured
  8. EXECUTE     โ†’ API call made
  9. AUDIT LOG   โ†’ action recorded with redacted params

Response includes:
  "config_backup": {
    "pre_change_revision_id": 42,
    "rollback_instruction": "restore_config_backup(revision_id=42, confirm=True)"
  }

Every destructive operation (52 delete/reboot/halt tools) requires confirm=True. Every create and update operation (112 tools) is rate-limited and sanitized. Every sensitive parameter (passwords, keys, tokens) is redacted in logs and outputs.

You can also:

  • Pass dry_run=True to preview any destructive operation without executing
  • Pass verify_descr="Allow HTTPS" to verify you're deleting the right rule (guards against ID shifts)
  • Set MCP_READ_ONLY=true to expose only 130 read-only tools (search, get, diagnose)
  • Set MCP_ALLOWED_TOOLS=search_firewall_rules,get_firewall_log to restrict to specific tools

Supported pfSense Versions

VersionREST APIStatus
pfSense CE 2.8.1v2.7.3Verified
pfSense Plus 25.11v2.7.3Verified
pfSense CE 2.8.0v2.6.0+Supported
pfSense Plus 24.11v2.6.0+Supported

Requires the pfSense REST API v2 package by jaredhendrickson13.

Authentication

Three methods supported (configure in .env):

MethodConfigBest For
Basic AuthAUTH_METHOD=basic + username/passwordQuick setup, local users
API KeyAUTH_METHOD=api_key + key from System > REST API > KeysAutomation, service accounts
JWTAUTH_METHOD=jwt + username/passwordShort-lived tokens, auto-refresh

Testing

python3 -m pytest tests/ -v          # 323 tests
python3 -m pytest tests/ --cov=src   # with coverage

MCP Specification Compliance

Compliant with MCP 2025-11-25 (latest):

  • ToolAnnotations on all 327 tools (readOnlyHint, destructiveHint, idempotentHint)
  • serverInfo.version and instructions provided
  • Origin header validation (MUST requirement)
  • Bearer token auth with timing-safe comparison
  • Default bind to localhost per spec SHOULD
  • stdio and Streamable HTTP transports

Project Structure

src/
  main.py              Entry point
  server.py            FastMCP instance + API client
  client.py            pfSense REST API v2 HTTP client
  guardrails.py        9-layer defense-in-depth system
  helpers.py           Validation, parsing, safety guards
  models.py            Data models
  middleware.py        HTTP auth + Origin validation
  tools/               34 tool modules (327 tools)
tests/                 323 tests