OPNsense Forum

Archive => 21.1 Legacy Series => Topic started by: manuel on May 14, 2021, 02:41:31 pm

Title: Enable/Disable Alias or firewall rule with API
Post by: manuel on May 14, 2021, 02:41:31 pm
Hello
I managed to toggle a firewall alias to enable and disable through the API with Postman. Unfortunately it seems that after this change a firewall reload is necessary. How can I do this through the API?

My goal is to enable/disable a firewall rule to block my kids' devices completely from accessing the internet. For this reason I created a firewall alias with all IPs of my kids' devices and then I created a firewall rule using that alias as source.

I just want to enable/disable that rule or alias very quickly from my smartphone without accessing the web GUI. Any advice is very welcome.  ;)

Thank you for your help.

Greetings Manuel
Title: Re: Enable/Disable Alias or firewall rule with API
Post by: astuckey on May 20, 2021, 06:52:49 pm
There is an additional plugin which I believe adds some more API features for the firewall; not sure if that will help.
Another way, which I have seen in production, is to have two aliases with the rules applied (one block, one pass), and you move the IPs accordingly between the aliases via the API, which doesn't need a firewall reload.

I think the newish firewall plugin was meant to make it easier than the above workaround, though I haven't investigated.
Title: Re: Enable/Disable Alias or firewall rule with API
Post by: manuel on May 23, 2021, 11:49:16 am
Hello astuckey
Thank you for your answer. Will try this out.

Regards Manuel
Title: Re: Enable/Disable Alias or firewall rule with API
Post by: Michael1220 on May 24, 2021, 05:17:27 pm
I use IP tables via Alias -> External (advanced). You can specify these tables in your firewall rules, and via bash scripts or PHP you can add, remove, or (after boot) restore entries in these IP tables using commands like
Code:
# put the whole address space in the table: a rule referencing it now matches every destination
/sbin/pfctl -t ex_accessible_destination_IPs -T add 0.0.0.0/0 2>&1
# take it out again: the same rule matches nothing
/sbin/pfctl -t ex_accessible_destination_IPs -T remove 0.0.0.0/0 2>&1

No need to update any firewall rule. Immediately after you change the IP table, it's in effect.

I use it to lock access for all clients or sometimes only for specific IPs. Consider negating rules as an option.

Maybe it helps!
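The table approach from the post above, worked into a small toggle script for the kids-devices case from the original question. This is an added example, not code from the thread or from OPNsense: the table name `kids_devices` is hypothetical and assumed to be an alias of type External (advanced) used as the source of a block rule, the device addresses are constructed sample values from the 192.0.2.0/24 documentation range, and the `PFCTL` variable exists only so the script can be pointed at a stand-in binary when testing off the firewall. It uses `-T delete` for removal, which is the form pfctl(8) documents, and validates the table name and each address before they reach pfctl so that a caller who can only pass an address (a phone shortcut over SSH, say) cannot smuggle extra arguments through.

```shell
#!/bin/sh
# Added example (not from the thread): switch a group of hosts on or off a pf
# table that a block rule references, without reloading the rule set.
# Assumes: table "kids_devices" (hypothetical) is an External (advanced) alias
# used as the SOURCE of a block rule; must run as root on the OPNsense box.

PF_TABLE="${PF_TABLE:-kids_devices}"
# Constructed sample device addresses, not real data from the thread.
KIDS_IPS="${KIDS_IPS:-192.0.2.10 192.0.2.11 192.0.2.12}"

# Accept only a conservative character set for the table name.
valid_table() {
    case "$1" in
        '' | *[!A-Za-z0-9_]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Accept an IPv4 address with an optional /0-32 prefix; every octet must be <= 255.
valid_cidr() {
    printf '%s\n' "$1" \
        | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$' || return 1
    host="${1%%/*}"
    old_ifs=$IFS; IFS=.
    set -- $host
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# All pfctl calls go through here; PFCTL can point at a stub when testing off-box.
run_pfctl() {
    "${PFCTL:-/sbin/pfctl}" "$@"
}

# table_set add|delete ADDRESS: change one entry, live, no rule reload needed.
table_set() {
    action=$1; cidr=$2
    case "$action" in add|delete) ;; *) echo "bad action: $action" >&2; return 2 ;; esac
    valid_table "$PF_TABLE" || { echo "bad table name: $PF_TABLE" >&2; return 2; }
    valid_cidr "$cidr"      || { echo "bad address: $cidr" >&2; return 2; }
    run_pfctl -t "$PF_TABLE" -T "$action" "$cidr" >/dev/null 2>&1
}

# Is ADDRESS currently in the table? "-T show" prints one indented entry per line.
table_has() {
    run_pfctl -t "$PF_TABLE" -T show 2>/dev/null | awk '{print $1}' | grep -Fqx "$1"
}

# Put every device in the table (block rule starts matching) or take them out.
block_on()  { for ip in $KIDS_IPS; do table_set add    "$ip" || return 1; done; }
block_off() { for ip in $KIDS_IPS; do table_set delete "$ip" || return 1; done; }

# 0 only when every device is in the table, i.e. the group is fully blocked.
block_status() {
    for ip in $KIDS_IPS; do table_has "$ip" || return 1; done
    return 0
}

# Command-line use: kids-block.sh on|off|status  (no argument: only define functions)
case "${1:-}" in
    on)     block_on ;;
    off)    block_off ;;
    status) if block_status; then echo "blocked"; else echo "not blocked"; fi ;;
    '')     ;;
    *)      echo "usage: $0 on|off|status" >&2; exit 64 ;;
esac
```

Two caveats before relying on it. A pfctl table edit takes effect immediately but is not persisted: OPNsense rebuilds the table from the alias definition on the next filter reload and on boot, which is why the post mentions restoring entries after boot; either re-run the script from a boot hook or keep the alias itself in the state you want as the default. And because this has to run as root on the firewall, trigger it from the phone over SSH with a dedicated key restricted to a forced command (`on`, `off` or `status` only) rather than putting web GUI or API credentials on the handset.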