--- id: pfsense-change-safe name: Safe pfSense changes description: >- Backup-before-change workflow, evidence capture, and approval gates for production firewall/NAT edits on vessel pfSense instances. priority: 80 rule_ids: - one-way-audio - no-registration - list-firewall-rules match: keywords: - firewall rule - add rule - change nat - port forward - snat - outbound nat - modify pfsense - fix firewall - blocked - pass rule all_of: [] --- # Safe pfSense changes on vessels ## Read before write (always) 1. List current state: interfaces, firewall rules, port forwards, outbound NAT. 2. Identify the **exact gap** with filter.log or rule tracker IDs — not theory. 3. Capture config backup or export before any write. Agentic OS routes **config-changing fixes** through human approval. Proposed fixes with `is_config_change: true` appear in the task approval queue. ## Pre-change checklist - [ ] Confirmed interface names live (`vtnet2` CREW, `vtnet3` Business, etc.) - [ ] Identified associated NAT + filter rule pairs - [ ] Documented evidence (filter.log line, blocked port/proto, source/dest) - [ ] Backup taken or backup tool available - [ ] Change is minimal — one rule/NAT entry, not broad "allow all" ## Common safe patterns (GeneseasX VoIP) | Fix | Typical rule | |-----|--------------| | One-way audio | Pass UDP 10000-10029 phone VLAN → shipPortal | | RTP SNAT | Outbound NAT for phone subnet RTP to segment VIP | | SIP registration | Port-forward UDP 5060 + pass on phone VLAN | ## What NOT to do - Do not disable pfSense entirely or add overly broad "any any" rules. - Do not assume golden-lab IPs — confirm vessel inventory addresses. - Do not list connect/diagnostic steps as `proposed_fixes` — those belong in `steps_taken`. ## Report expectations When recommending a change: - Describe **exact** rule (interface, proto, ports, source, dest) - Reference evidence from diagnostics already collected - Set `is_config_change: true` only for actual pfSense write operations - Note if MCP writes require `PFSENSE_ALLOW_WRITES=true` on the MCP server ## Post-change verification - Re-test the original symptom (registration, RTP counters, filter.log clean) - Upsert a memory record with rule tracker IDs and outcome for future tasks