pfsense-mcp-server

概述

这个 MCP 服务器将 Claude Desktop 等 AI 助手通过 REST/XML-RPC/SSH 连接到 pfSense 防火墙。它提供全面的防火墙管理功能，同时实施强大的安全措施，包括自动备份、破坏性操作的明确确认和输入清理。服务器支持多种 pfSense 版本和认证方法，适合各种企业环境。

试试问 AI

装完之后，这里有 5 个你可以让 AI 做的事：

• create_firewall_rule

  Creates a new firewall rule with specified action, interface, protocol, and source/destination

  试试:Create a firewall rule to block traffic from 203.0.113.5 on WAN试试:Add a rule to allow HTTPS traffic to my server
• get_firewall_rules

  Retrieves current firewall rules with filtering options

  试试:Show me all firewall rules试试:List blocked traffic rules on LAN interface
• create_port_forward

  Creates a new NAT port forward rule to redirect external traffic to internal hosts

  试试:Create a port forward for port 443 to 192.168.1.50试试:Forward SSH from external IP to my server
• start_openvpn_server

  Starts an OpenVPN server with specified configuration

  试试:Start the OpenVPN server for remote access试试:Initialize VPN with client certificates
• create_static_route

  Adds a static route to the routing table

  试试:Add a static route for 10.10.0.0/24 via 192.168.1.1试试:Create route for remote network
• get_system_status

  Retrieves comprehensive system status including uptime, interfaces, and services

  试试:Show me system status试试:Check if all services are running
• create_dns_override

  Creates a DNS override entry for specific hosts or domains

  试试:Override internal.example.com to 192.168.1.10试试:Block ads.example.com resolution
• run_system_health_check

  Performs a comprehensive health check of the pfSense system

  试试:Run a full system health check试试:Check for any system issues
• add_dhcp_static_mapping

  Adds a static DHCP mapping for a specific MAC address

  试试:Add static mapping for server at 192.168.1.100试试:Reserve IP for printer with MAC AA:BB:CC:DD:EE:FF
• generate_self_signed_cert

  Generates a self-signed SSL certificate for internal services

  试试:Generate a self-signed certificate for HTTPS试试:Create certificate for VPN authentication
• block_ip

  Blocks a specific IP address at the firewall level

  试试:Block traffic from 203.0.113.5试试:Add 192.168.1.100 to block list
• run_pci_compliance_check

  Performs a PCI compliance check on firewall configuration

  试试:Run a PCI compliance check试试:Check firewall rules for PCI compliance

可对比工具

安装

git clone https://github.com/gensecaihq/pfsense-mcp-server.git
cd pfsense-mcp-server
pip install -r requirements.txt
cp .env.example .env
# 编辑 .env: 设置 PFSENSE_URL、AUTH_METHOD 和凭证

{
  "mcpServers": {
    "pfsense": {
      "command": "python3",
      "args": ["-m", "src.main"],
      "cwd": "/path/to/pfsense-mcp-server",
      "env": {
        "PFSENSE_URL": "https://192.168.1.1",
        "AUTH_METHOD": "basic",
        "PFSENSE_USERNAME": "admin",
        "PFSENSE_PASSWORD": "your-password",
        "PFSENSE_VERSION": "CE_2_8_0",
        "VERIFY_SSL": "false"
      }
    }
  }
}

FAQ

此服务器实施哪些安全措施？

服务器包含9层安全防护：输入清理、破坏性操作的明确确认、更改前的自动配置备份、防止AI失控的速率限制，以及敏感参数脱密的审计日志。

支持哪些 pfSense 版本？

验证版本包括带有 REST API v2.7.3 的 pfSense CE 2.8.1 和 pfSense Plus 25.11。还支持带有 REST API v2.6.0+ 的 pfSense CE 2.8.0 和 pfSense Plus 24.11。

pfsense-mcp-server 对比