OPNsense Forum

Archive => 16.7 Legacy Series => Topic started by: xayide on November 28, 2016, 02:25:44 pm

Title: Turn rule on/off by remotecomputer cli or api
Post by: xayide on November 28, 2016, 02:25:44 pm
Hello,

I searched forums and found out that I cannot use the API to turn off a specific rule. Can I use SSH or directly via some kind of weburl/post, or what are my options?

I want to set up a simple webpage for my wife to be able to shut internet off for the kids so they can go to bed ;)
Title: Re: Turn rule on/off by remotecomputer cli or api
Post by: chemlud on November 28, 2016, 03:42:24 pm
Hi!

You could use a scheduled rule to end internet access at a certain time of day (or night :-D ), keep in mind you have to kill existing states so that the internet use REALLY stops.

Or: Put the kiddies on their own wifi with a cheap access point (connect LAN port to a LAN port of your opnsense, disable DHCP on the access point, apply fixed IP OUTSIDE the IP range of the respective LAN net). And make your wife pull the power plug of the access point when necessary. Or use a cheap timer power switch....
Title: Re: Turn rule on/off by remotecomputer cli or api
Post by: xayide on December 05, 2016, 05:30:54 pm
I was thinking maybe to adapt firewall_rules_edit.php to show two rules and only show the description and Enable/Disable switch. I looked at the source code, but couldn't really figure out how it applies changes. Is it a database? Or does it hold the whole rule-set in memory and write out a pf.conf?
Title: Re: Turn rule on/off by remotecomputer cli or api
Post by: franco on December 05, 2016, 05:42:34 pm
Changes to firewall rule on/off are synced to /conf/config.xml, afterwards you need to reload the filter to apply these modifications and this will generate all necessary files and run the appropriate commands.

The subject of prototyping APIs based on static PHP pages came up a few times and it's an easy way to get your personal use case up and running. You basically only delete all the things you don't need and if you are careful you can even add a custom ACL + user. Some of this ties into plugin behaviour documented here:

https://docs.opnsense.org/development/examples/helloworld.html?highlight=plugins#plugin-to-access-control-acl


Cheers,
Franco
Title: Re: Turn rule on/off by remotecomputer cli or api
Post by: xayide on December 05, 2016, 07:10:52 pm
Oh thanks, I will read that!
Only thing left is user auth, which I prefer to be public on LAN.
This is the code I came up with; since all these block rules apply on floating rules, it was relatively easy to adapt it.

Code:
<?php

require_once("guiconfig.inc");
require_once("filter.inc");

if (!isset($config['filter']['rule'])) {
    $config['filter']['rule'] = array();
}

$a_filter = &$config['filter']['rule'];
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $pconfig = $_POST;
    if (isset($pconfig['id']) && isset($a_filter[$pconfig['id']])) {
        // id found and valid
        $id = $pconfig['id'];
    }
    if (isset($pconfig['act']) && $pconfig['act'] == 'toggle' && isset($id)) {
        // toggle item
        if (isset($a_filter[$id]['disabled'])) {
            unset($a_filter[$id]['disabled']);
        } else {
            $a_filter[$id]['disabled'] = true;
        }
        // persist the change to config.xml, then reload the filter to apply it
        write_config();
        filter_configure();
        header(url_safe('Location: /block.php?rand=%s', rand()));
        exit;
    }
}

include("head.inc");

?>

<body>
<script type="text/javascript">
$( document ).ready(function() {
    // link toggle buttons
  $(".act_toggle").click(function(event){
    event.preventDefault();
    var id = $(this).attr("id").split('_').pop(-1);
    $("#id").val(id);
    $("#action").val("toggle");
    $("#iform").submit();
  });

});
</script>


            <form action="block.php?rand=<?=rand();?>" method="post" name="iform" id="iform">
              <input type="hidden" id="id" name="id" value="" />
              <input type="hidden" id="action" name="act" value="" />
                <table class="table table-striped table-hover" id="rules">
                  <thead>
                    <tr>
                      <th>&nbsp;</th>
                      <th>&nbsp;</th>
                  </tr>
                </thead>
                <tbody>


<?php
                foreach ($a_filter as $i => $filterent):
                if ((isset($filterent['floating']))):
                  // select icon
                  if ($filterent['type'] == "block" && empty($filterent['disabled'])) {
                      $iconfn = "glyphicon-remove text-danger";
                  } elseif ($filterent['type'] == "block" && !empty($filterent['disabled'])) {
                      $iconfn = "glyphicon-remove text-muted";
                  } elseif ($filterent['type'] == "reject" && empty($filterent['disabled'])) {
                      $iconfn = "glyphicon-remove-sign text-danger";
                  } elseif ($filterent['type'] == "reject" && !empty($filterent['disabled'])) {
                      $iconfn = "glyphicon-remove-sign text-muted";
                  } elseif ($filterent['type'] == "match" && empty($filterent['disabled'])) {
                      $iconfn = "glyphicon-ok text-info";
                  } elseif ($filterent['type'] == "match" && !empty($filterent['disabled'])) {
                      $iconfn = "glyphicon-ok text-muted";
                  } elseif (empty($filterent['disabled'])) {
                      $iconfn = "glyphicon-play text-success";
                  } else {
                      $iconfn = "glyphicon-play text-muted";
                  }
?>

                  <tr class="rule" data-category="<?=!empty($filterent['category']) ? $filterent['category'] : "";?>">
                    <td>
                      <a href="#" class="act_toggle" id="toggle_<?=$i;?>" data-toggle="tooltip" title="<?=(empty($filterent['disabled'])) ? gettext("disable rule") : gettext("enable rule");?>"><span class="glyphicon <?=$iconfn;?>"></span></a>
                    </td>
                    <td>
                      <?=htmlspecialchars($filterent['descr']);?>
                    </td>
                  </tr>
<?php
                  endif;
                  endforeach;
?>

                </tbody>
              </table>
          </form>


<?php include("foot.inc"); ?>
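
An added example, not part of the original post and not OPNsense code: the POST handler above accepts any index that exists in `$config['filter']['rule']`, while the table only lists floating rules, so on a page left public on the LAN the restriction has to be enforced server-side. The function name `toggle_listed_rule`, the description allow-list and the sample rules are assumptions made for illustration.

```php
<?php
// Added example; the rule data below is constructed, not taken from a real config.

// Toggle 'disabled' on one rule, but only if it is a floating rule whose
// description is on the allow-list. Returns true when the rule set changed.
function toggle_listed_rule(array &$rules, $rawId, array $allowedDescr)
{
    // Accept only a plain decimal index; anything else is rejected outright.
    if (!is_string($rawId) || !ctype_digit($rawId)) {
        return false;
    }
    $id = (int)$rawId;
    if (!isset($rules[$id])) {
        return false;
    }
    $rule = $rules[$id];
    // Enforce server-side the same 'floating' filter the table applies when rendering.
    if (!isset($rule['floating'])) {
        return false;
    }
    $descr = isset($rule['descr']) ? $rule['descr'] : '';
    if (!in_array($descr, $allowedDescr, true)) {
        return false;
    }
    if (isset($rule['disabled'])) {
        unset($rules[$id]['disabled']);
    } else {
        $rules[$id]['disabled'] = true;
    }
    return true;
}

// Constructed sample: one ordinary LAN rule and one floating block rule.
$rules = array(
    array('type' => 'pass',  'descr' => 'Default allow LAN'),
    array('type' => 'block', 'descr' => 'Kids internet off', 'floating' => 'yes'),
);
$allowed = array('Kids internet off');  // hypothetical allow-list

var_dump(toggle_listed_rule($rules, '0', $allowed));   // index of a non-floating rule
var_dump(toggle_listed_rule($rules, '1', $allowed));   // index of the allow-listed floating rule
var_dump(toggle_listed_rule($rules, '1x', $allowed));  // malformed index
var_dump(isset($rules[1]['disabled']));                // state of rule 1 after the calls
```

In the page's handler, `write_config()` and `filter_configure()` would then run only when this function returns true.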
Title: Re: Turn rule on/off by remotecomputer cli or api
Post by: franco on December 05, 2016, 07:23:45 pm
You can also use an API key for access, this works with curl very well:

https://docs.opnsense.org/development/how-tos/api.html


Cheers,
Franco

Title: Re: Turn rule on/off by remotecomputer cli or api
Post by: xayide on December 05, 2016, 09:13:46 pm
Seems browsers think it is a phishing site if I use this syntax...

https://key:secret@ip-number/url/document.php?var1=val1


Is it possible to somehow do something like this?

https://ip-number/url/document.php?var1=val1&key=api-key-value&secret=api-secret-value
Title: Re: Turn rule on/off by remotecomputer cli or api
Post by: franco on December 06, 2016, 06:51:22 am
Hmm, this is just basic HTTP auth syntax from an RFC'ed feature -- it's preference if the former or latter link looks more like a phishing link. ;)

The latter link suffers from having to pass all the input to the server-side script to do authentication in-line in a GET fashion, which cannot really be secured. For authentication, we simply don't do this as it leaves the door open for more attack vectors.

Scripting with Curl is fine in any case, unless you need a website. In this case you'll fare better with a normal style login (which is prompted by the page before executing the page itself).


Cheers,
Franco
Title: Re: Turn rule on/off by remotecomputer cli or api
Post by: xayide on December 06, 2016, 08:56:08 am
I may as well build this as a normal plugin, I have the example of hello-world. I'll post it here when finished.