Messages

1

23.7 Legacy Series / Re: Is it possible to enable firewall rules via the command line / cron?

« on: July 08, 2024, 02:43:40 am »

 I am using an example from the docs and it returns an empty result set.  Are the API docs out of date now that the firewall endpoints are built in?

Code: [Select]

rule_description='test_rule_1'
remote_uri="http://192.168.1.1"

# search for rule
r = requests.get("%s/api/firewall/filter/searchRule?searchPhrase=%s" % (
        remote_uri, rule_description
    ),
    auth=(api_key, api_secret), verify=False
)
print("status code", r.status_code, r.text)


Code: [Select]

status code 200 {"rows":[],"rowCount":0,"total":0,"current":1}
rule test_rule_1 not found


2

24.1 Legacy Series / Re: toggleRule api

« on: July 04, 2024, 12:49:13 am »

I am looking at these docs and it is unclear if the API works on the built-in firewall rules based upon this statement:

Although the plugin does contains a basic user interface (in Firewall ‣ Automation), it’s mirely intended as a reference and testbed. There’s no relation to any of the rules being managed via the core system.

Either the docs are broken or those API endpoints are not for the built-in firewall.  I am trying to figure out the same thing.

3

23.7 Legacy Series / Re: Is it possible to enable firewall rules via the command line / cron?

« on: July 04, 2024, 12:45:24 am »

Maybe a better question, is there an API endpoint which allows rules to be enabled?

I am looking at these docs and it is unclear if this works on the built-in firewall rules based upon this statement:

Although the plugin does contains a basic user interface (in Firewall ‣ Automation), it’s mirely intended as a reference and testbed. There’s no relation to any of the rules being managed via the core system.

4

23.7 Legacy Series / Is it possible to enable firewall rules via the command line / cron / API?

« on: June 10, 2024, 08:51:51 pm »

I frequently disable a rule for testing and then forget to re-enable it.

It would be very nice to be able to have a cron job run nightly to re-enable all the rules for those times that I forget to do so.  However, I am not seeing that ability in the docs.

Am I overlooking the obvious?

Skye

5

23.7 Legacy Series / Re: Sharing DNS on LAN with DMZ network

« on: November 30, 2023, 07:47:23 am »

Apologies for the false alarm.  Once I did a full query I see the entry in my DNS logs.

Unfortunately, I am unable to delete my topic/post.

bT

6

23.7 Legacy Series / Sharing DNS on LAN with DMZ network

« on: November 30, 2023, 07:37:08 am »

I am running Pi-hole on my LAN network and it works very well.  So, I thought I would utilize it on my guest/DMZ network using NAT.   I port forward all traffic going to port 53 on DMZ to Pi-hole on LAN.

For some reason it does not appear to be working.  If I run dig or nslookup on the DMZ network I do not see the query in the Pi-hole query log.  If anyone sees the flaw in my logic I will be most obliged.

7

General Discussion / Re: Scheduled filtering by MAC address

« on: March 01, 2023, 11:13:40 pm »

Digging further into the docs there _are_ API endpoints for the firewall.

https://docs.opnsense.org/development/api/core/firewall.html

8

General Discussion / Re: Scheduled filtering by MAC address

« on: March 01, 2023, 09:07:08 pm »

I am not concerned with MAC spoofing at this point.  Good point on killing states.  Is that something that can be done with OPNsense using the command line or are you speaking of killing open network connections using Linux commands?

> The easiest way: pull the power plug of the access point.

Pulling the plug would mean no computer usage which is not at all the point.   

I was hoping that I could enable/disable firewall rules using an API as that would be slick and easy to encorporate into cron.

9

General Discussion / Re: Why BSD base. Why not Linux base?

« on: March 01, 2023, 06:22:08 am »

BSD is hardly a sinking ship.  It may not be the latest, shiny object but BSD is the foundation for quite a few modern applications (Playstation 5 for example).  And the licensing is friendly as well  :-)

10

General Discussion / Scheduled filtering by MAC address

« on: March 01, 2023, 02:25:22 am »

Hello OPNsense gurus,

I would like to block internet access by MAC id during specific periods of the day (during testing and quizzes).  Is there a way to do that from the UI or the command line?  The latter would allow me to use cron to schedule the outages, the former would be fine as well.

Thanks!

11

Tutorials and FAQs / Re: [Tutorial] How I do port forwarding - simple and straightforward

« on: September 11, 2022, 02:33:31 am »

When creating a Port Forward Rule,  the only options I see for Filter rule association are:

None
Pass

Did I skip a step where a NAT rule was created?

Also, when I enable Reflection for port forwards and Automatic outbound NAT for Reflection, something breaks my rule to forward all DNS traffic to PiHole.  As soon as I enable those settings I am unable to perform name resolution via DNS.

Note: I am running OPNsense 21.7.8-amd64

12

21.1 Legacy Series / Re: Unable to block traffic from DMZ to LAN

« on: June 04, 2021, 12:12:57 am »

Understood.  I guess I was thinking that OPNsense knew WAN is the outbound interface to the Internet based upon the fact that it has the default gateway.

I am not a big fan of default allow rules but I don't see a workaround in this case.

13

21.1 Legacy Series / Re: Unable to block traffic from DMZ to LAN

« on: June 03, 2021, 11:05:27 pm »

After cleaning up the typo my DMZ rules look like this.   Since everything not explicitly passed should be blocked, I should be able to replace the last three rules with "allow to WAN".  However, that does not work for me for some reason.

14

21.1 Legacy Series / Re: Unable to block traffic from DMZ to LAN

« on: June 03, 2021, 09:21:22 pm »

I found one typo - a CIDR block suffix of /1 rather than /32 which was allowing everything on LAN.

I am doing regression testing now.

15

21.1 Legacy Series / Re: Unable to block traffic from DMZ to LAN

« on: June 03, 2021, 06:17:17 pm »

Thank you for the great feedback!  Much appreciated.

Greenlan, that rule was not in my original ruleset but more of a hail mary pass to try to contain DNZ - which didn't work.  I will remove that rule.  I also removed the 1st LAN rule.  Good catch!

Thogru, I pretty much followed the same path you outline with a few exceptions.  I followed your steps 1-3 as part of moving off Smallwall to OPNsense last year.  That worked very well.   I just moved DMZ over from Smallwall and brought over the three simple rules.  The only difference was that I set up a NAT port-forward for PiHole DNS.  So, I didn't change any of the default behavior.  If you are aware of why the floating rule " let out anything from firewall host itself" is firing I'd give my right arm to know.

FYI - I am running OPNsense v21.1.4-amd64