Messages - bitTwiddler

#1
 I am using an example from the docs and it returns an empty result set.  Are the API docs out of date now that the firewall endpoints are built in?

import requests  # added: the snippet needs this import to run

api_key = "REPLACE_WITH_API_KEY"        # placeholder, not in the original post
api_secret = "REPLACE_WITH_API_SECRET"  # placeholder, not in the original post
rule_description = 'test_rule_1'
remote_uri = "http://192.168.1.1"

# search for rule
r = requests.get("%s/api/firewall/filter/searchRule?searchPhrase=%s" % (
        remote_uri, rule_description
    ),
    auth=(api_key, api_secret), verify=False
)
print("status code", r.status_code, r.text)

status code 200 {"rows":[],"rowCount":0,"total":0,"current":1}
rule test_rule_1 not found

#2
Maybe a better question, is there an API endpoint which allows rules to be enabled?

I am looking at these docs and it is unclear if this works on the built-in firewall rules based upon this statement:

Although the plugin does contain a basic user interface (in Firewall ‣ Automation), it's merely intended as a reference and testbed. There's no relation to any of the rules being managed via the core system.

#3
I frequently disable a rule for testing and then forget to re-enable it.

It would be very nice to be able to have a cron job run nightly to re-enable all the rules for those times that I forget to do so.  However, I am not seeing that ability in the docs.

Am I overlooking the obvious?

Skye
#4
Apologies for the false alarm.  Once I did a full query I see the entry in my DNS logs.

Unfortunately, I am unable to delete my topic/post.

bT
#5
23.7 Legacy Series / Sharing DNS on LAN with DMZ network
November 30, 2023, 07:37:08 AM
I am running Pi-hole on my LAN network and it works very well.  So, I thought I would utilize it on my guest/DMZ network using NAT.   I port forward all traffic going to port 53 on DMZ to Pi-hole on LAN.

For some reason it does not appear to be working.  If I run dig or nslookup on the DMZ network I do not see the query in the Pi-hole query log.  If anyone sees the flaw in my logic I will be most obliged.

#6
Digging further into the docs there _are_ API endpoints for the firewall.

https://docs.opnsense.org/development/api/core/firewall.html
#7
I am not concerned with MAC spoofing at this point.  Good point on killing states.  Is that something that can be done with OPNsense using the command line or are you speaking of killing open network connections using Linux commands?

> The easiest way: pull the power plug of the access point.

Pulling the plug would mean no computer usage which is not at all the point.   8)

I was hoping that I could enable/disable firewall rules using an API as that would be slick and easy to incorporate into cron.
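As an added example (not from the original posts or the OPNsense project) of the nightly re-enable asked about in #3 and #7, built on the same os-firewall plugin endpoints that the snippet in #1 calls. It assumes the plugin's searchRule/toggleRule/apply endpoints behave as documented for your version, that searchRule rows carry uuid and enabled fields, and that BASE_URL and the key pair are placeholders; like the plugin UI, it only touches rules the plugin manages, not core rules.

```python
import base64
import json
import ssl
import urllib.request

# Constructed placeholders: replace with your firewall's address and an API key pair
BASE_URL = "https://192.168.1.1"
API_KEY = "REPLACE_WITH_API_KEY"
API_SECRET = "REPLACE_WITH_API_SECRET"


def _call(method, path, data=None):
    """Send one authenticated request to the OPNsense API and decode the JSON reply."""
    token = base64.b64encode(f"{API_KEY}:{API_SECRET}".encode()).decode()
    body = json.dumps(data).encode() if data is not None else None
    req = urllib.request.Request(BASE_URL + path, data=body, method=method)
    req.add_header("Authorization", "Basic " + token)
    req.add_header("Content-Type", "application/json")
    # TLS verification stays on: trust the firewall's certificate rather than passing verify=False
    with urllib.request.urlopen(req, context=ssl.create_default_context()) as resp:
        return json.load(resp)


def disabled_rule_uuids(rows):
    """Pick the UUIDs of rules whose 'enabled' flag is off.

    Assumption: searchRule rows carry 'uuid' and 'enabled' ("0" or "1") fields.
    """
    return [row["uuid"] for row in rows if str(row.get("enabled", "1")) == "0"]


def reenable_all_rules():
    """Search all plugin-managed rules, switch the disabled ones on, then apply.

    Assumption: rowCount=-1 asks the search endpoint for every row.
    """
    search = _call("POST", "/api/firewall/filter/searchRule", {"current": 1, "rowCount": -1})
    uuids = disabled_rule_uuids(search.get("rows", []))
    for uuid in uuids:
        _call("POST", f"/api/firewall/filter/toggleRule/{uuid}/1")
    if uuids:
        _call("POST", "/api/firewall/filter/apply")  # toggles only take effect after apply
    return uuids


if __name__ == "__main__":
    # Run from cron, e.g. nightly; prints which rules were switched back on
    print("re-enabled:", reenable_all_rules())
```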
#8
BSD is hardly a sinking ship.  It may not be the latest, shiny object but BSD is the foundation for quite a few modern applications (Playstation 5 for example).  And the licensing is friendly as well  :-)
#9
Hello OPNsense gurus,

I would like to block internet access by MAC id during specific periods of the day (during testing and quizzes).  Is there a way to do that from the UI or the command line?  The latter would allow me to use cron to schedule the outages, the former would be fine as well.

Thanks!
#10
When creating a Port Forward Rule,  the only options I see for Filter rule association are:

None
Pass

Did I skip a step where a NAT rule was created?

Also, when I enable Reflection for port forwards and Automatic outbound NAT for Reflection, something breaks my rule to forward all DNS traffic to PiHole.  As soon as I enable those settings I am unable to perform name resolution via DNS.

Note: I am running OPNsense 21.7.8-amd64
#11
Understood.  I guess I was thinking that OPNsense knew WAN is the outbound interface to the Internet based upon the fact that it has the default gateway.

I am not a big fan of default allow rules but I don't see a workaround in this case.

#12
After cleaning up the typo my DMZ rules look like this.   Since everything not explicitly passed should be blocked, I should be able to replace the last three rules with "allow to WAN".  However, that does not work for me for some reason.

#13
I found one typo - a CIDR block suffix of /1 rather than /32 which was allowing everything on LAN.

I am doing regression testing now.
#14
Thank you for the great feedback!  Much appreciated.

Greenlan, that rule was not in my original ruleset but more of a hail mary pass to try to contain DMZ - which didn't work.  I will remove that rule.  I also removed the 1st LAN rule.  Good catch!

Thogru, I pretty much followed the same path you outline with a few exceptions.  I followed your steps 1-3 as part of moving off Smallwall to OPNsense last year.  That worked very well.   I just moved DMZ over from Smallwall and brought over the three simple rules.  The only difference was that I set up a NAT port-forward for PiHole DNS.  So, I didn't change any of the default behavior.  If you are aware of why the floating rule " let out anything from firewall host itself" is firing I'd give my right arm to know.

FYI - I am running OPNsense v21.1.4-amd64
#15
I have rules on my DMZ interface as well as my LAN interface blocking traffic from DMZ to LAN but I can still browse to web resources on the LAN network from a web browser on a workstation in the DMZ.  I know I am missing the obvious but I am not currently seeing it.

Attached are my DMZ and LAN rules.

The message in the Live Log for the DMZ -> LAN traffic is:  let out anything from firewall host itself - which is tied to an autogenerated floating rule which I cannot disable.