OPNsense Forum

Archive => 16.7 Legacy Series => Topic started by: xayide on November 28, 2016, 02:25:44 pm

Title: Turn rule on/off by remotecomputer cli or api
Post by: xayide on November 28, 2016, 02:25:44 pm

Hello,

I searched forums and found out that I cannot use the API to turn off a specific rule. Can I use SSH or directly via some kind of weburl/post or whats my options?

I want to setup a simple webpage for my wife to be able to shut internet off for the kids so they can go to bed ;)

Title: Re: Turn rule on/off by remotecomputer cli or api
Post by: chemlud on November 28, 2016, 03:42:24 pm

Hi!

You could use a scheduled rule to end internet access at a certain time of day (or night :-D ), keep in mind you have to kill exisitng states so that the internet use REALLY stops.

Or: Put the kiddies on their own wifi with a cheap access point (connect LAN port to a LAN port of your opnsense, disable DHCP on the access point, apply fixed IP OUTSIDE the IP range of the respective LAN net). And make your wife pull the power plug of the access point when necessary. Or use a cheap timer power switch....

Title: Re: Turn rule on/off by remotecomputer cli or api
Post by: xayide on December 05, 2016, 05:30:54 pm

I was thinking maybe to adapt firewall_rules_edit.php to show two rules and only show the description and Enable/Disable switch. I looked at the sourcecode, but couldnt really figure how it applies changes, is it database ? Or does it hold the whole rule-set in memory and writes out a pf.conf?

Title: Re: Turn rule on/off by remotecomputer cli or api
Post by: franco on December 05, 2016, 05:42:34 pm

Changes to firewall rule on/off are synced to /conf/config.xml, afterwards you need to reload the filter to apply these modifications and this will generate all necessary files and run the appropriate commands.

The subject of prototyping APIs based on static PHP pages came up a few times and it's an easy way to get your personal use case up and running. You basically only delete all the things you don't need abd if you are careful you can even add a custom ACL + user. Some of this ties into plugin behaviour documented here:

https://docs.opnsense.org/development/examples/helloworld.html?highlight=plugins#plugin-to-access-control-acl

Cheers,
Franco

Title: Re: Turn rule on/off by remotecomputer cli or api
Post by: xayide on December 05, 2016, 07:10:52 pm

Oh thanks I will read that!
Only thing left is user auth which I prefer to be public on lan.
this is the code I cam up with since all these blockrules apply on floating rules it was relatively easy to adapt it.

Code: [Select]

<?phprequire_once("guiconfig.inc");require_once("filter.inc");if (!isset($config['filter']['rule'])) {    $config['filter']['rule'] = array();}$a_filter = &$config['filter']['rule'];if ($_SERVER['REQUEST_METHOD'] === 'POST') {    $pconfig = $_POST;    if (isset($pconfig['id']) && isset($a_filter[$pconfig['id']])) {        // id found and valid        $id = $pconfig['id'];    }    if (isset($pconfig['act']) && $pconfig['act'] == 'toggle' && isset($id)) {        // toggle item        if(isset($a_filter[$id]['disabled'])) {            unset($a_filter[$id]['disabled']);        } else {            $a_filter[$id]['disabled'] = true;        }        write_config();        filter_configure();        header(url_safe('Location: /block.php?rand=%s', rand()));        exit;    }}include("head.inc");?>

<body>
<script type="text/javascript">
$( document ).ready(function() {
    // link toggle buttons
  $(".act_toggle").click(function(event){
    event.preventDefault();
    var id = $(this).attr("id").split('_').pop(-1);
    $("#id").val(id);
    $("#action").val("toggle");
    $("#iform").submit();
  });

});
</script>


            <form action="block.php?rand=<?=rand();?>" method="post" name="iform" id="iform">
              <input type="hidden" id="id" name="id" value="" />
              <input type="hidden" id="action" name="act" value="" />
                <table class="table table-striped table-hover" id="rules">
                  <thead>
                    <tr>
                      <th>&nbsp;</th>
                      <th>&nbsp;</th>
                  </tr>
                </thead>
                <tbody>


<?php                foreach ($a_filter as $i => $filterent):                if ((isset($filterent['floating']))):                  // select icon                  if ($filterent['type'] == "block" && empty($filterent['disabled'])) {                      $iconfn = "glyphicon-remove text-danger";                  } elseif ($filterent['type'] == "block" && !empty($filterent['disabled'])) {                      $iconfn = "glyphicon-remove text-muted";                  }  elseif ($filterent['type'] == "reject" && empty($filterent['disabled'])) {                      $iconfn = "glyphicon-remove-sign text-danger";                  }  elseif ($filterent['type'] == "reject" && !empty($filterent['disabled'])) {                      $iconfn = "glyphicon-remove-sign text-muted";                  } else if ($filterent['type'] == "match" && empty($filterent['disabled'])) {                      $iconfn = "glyphicon-ok text-info";                  } else if ($filterent['type'] == "match" && !empty($filterent['disabled'])) {                      $iconfn = "glyphicon-ok text-muted";                  } elseif (empty($filterent['disabled'])) {                      $iconfn = "glyphicon-play text-success";                  } else {                      $iconfn = "glyphicon-play text-muted";                  }?>

                  <tr class="rule" data-category="<?=!empty($filterent['category']) ? $filterent['category'] : "";?>">
                    <td>
                      <a href="#" class="act_toggle" id="toggle_<?=$i;?>" data-toggle="tooltip" title="<?=(empty($filterent['disabled'])) ? gettext("disable rule") : gettext("enable rule");?>"><span class="glyphicon <?=$iconfn;?>"></span></a>
                    </td>
                    <td>
                      <?=htmlspecialchars($filterent['descr']);?>
                    </td>
                  </tr>
<?php                  endif;                  endforeach;?>

                </tbody>
              </table>
          </form>


<?php include("foot.inc"); ?>


			
				Title: Re: Turn rule on/off by remotecomputer cli or api

				Post by: franco on December 05, 2016, 07:23:45 pm
			
			
				You can also use an API key for access, this works with curl very well:

https://docs.opnsense.org/development/how-tos/api.html


Cheers,
Franco


			
			
				Title: Re: Turn rule on/off by remotecomputer cli or api

				Post by: xayide on December 05, 2016, 09:13:46 pm
			
			
				Seems browsers think it is a phising site if I use this syntax...

https://key:secret@ip-number/url/document.php?var1=val1


Is it possible to somehow do something like this?

https://ip-number/url/document.php?var1=val1&key=api-key-value&secret=api-secret-value
			
			
				Title: Re: Turn rule on/off by remotecomputer cli or api

				Post by: franco on December 06, 2016, 06:51:22 am
			
			
				Hmm, this is just basic HTTP auth syntax from an RFC'ed feature -- it's preference if the former or latter link looks more like a phishing link. ;)

The latter link suffers from having to pass all the input to the server-side script do do authentication in-line in a GET fashion, which cannot really be secured. For authentication, we simply don't do this as it leaves the door open for more attack vectors.

Scripting with Curl is fine in any case, unless you need a website. In this case you'll fare better with a normal style login (which is prompted by the page before executing the page itself).


Cheers,
Franco
			
			
				Title: Re: Turn rule on/off by remotecomputer cli or api

				Post by: xayide on December 06, 2016, 08:56:08 am
			
			
				I mas as well build this as a normal plugin, I have the example of hello-world. I post it here when finished.


		
			
			SMF 2.0.19 |
 SMF © 2021, Simple Machines
Privacy Policy