Messages - adminexploit

#2
Quote from: Monviech (Cedrik) on July 22, 2025, 07:08:32 PM
Did you look at Firewall - Automation - Filter and select the OpenVPN Group?

Yes, but I didn't see that there are different groups. And yes, all my custom rules are there.
Great, thanks for your help. But how do automation rules interact with OpenVPN under the "rules" group? Are they parsed before?
#3
Hi,
I've been fighting for hours to add a firewall rule on, let's say, the openvpn interface.

def add_firewall_rules(cn):
    # Rule payload for POST /api/firewall/filter/addRule
    payload = {
        "rule": {
            "interface": "openvpn",
            "type": "pass",
            "direction": "in",
            "quick": "1",
            "ipprotocol": "inet",
            "protocol": "TCP/UDP",
            "source": {
                "address": cn + "_net"
            },
            "enabled": "1",
            "destination": {
                "address": cn + "_openvpn_host",
                "port": cn + '_port',
            },
            "description": cn + 'fw1'
        }
    }
    # api_post() is the HTTP helper defined elsewhere in the script
    return api_post('/api/firewall/filter/addRule', payload)

# cn: the client common name, set earlier in the script
result = add_firewall_rules(cn)
print(result)

This is a very basic example. The API gives me a valid answer, such as:

{'result': 'saved', 'uuid': 'f2d28fb8-84a8-4f9c-a049-6f0ee2755e9c'}

That's fine. But the added rule is not visible in the GUI. I've been looking for it for hours, but it's invisible.
I'm able to find it in the config.xml file, but in another section.

For example, here's a visible firewall rule in config.xml:
under: opnsense -> filter ->

But mine are under: opnsense -> OPNsense -> Firewall -> <Filter version="1.0.4"> -> rules

So... hmm... I tried to get my rule with:

https://mystrangeopnsense.doctor.strange.somewhere/api/firewall/filter/get_rule/f2d28fb8-84a8-4f9c-a049-6f0ee2755e9c

and I get it.
So my question is: why is it invisible in the GUI?
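The two config.xml locations named in the post above can be checked offline. The following is an added example, not code from the post or from OPNsense: it parses a constructed config.xml carrying one legacy rule under opnsense -> filter and one API-created rule under opnsense -> OPNsense -> Firewall -> Filter -> rules, and looks a rule up by the UUID that addRule returned. The child element names inside each <rule> (descr, uuid, description, interface) and all sample values are assumptions.

```python
"""Locate a firewall rule in an OPNsense config.xml by UUID.

Added example, not code from the forum post and not OPNsense's own code.
The constructed config below mirrors the two locations named in the post;
the element names inside each <rule> are assumptions.
"""
import xml.etree.ElementTree as ET

# Constructed sample, not a real firewall's config.
SAMPLE_CONFIG = """<opnsense>
  <filter>
    <rule>
      <uuid>11111111-2222-3333-4444-555555555555</uuid>
      <type>pass</type>
      <interface>lan</interface>
      <descr>Default allow LAN to any rule</descr>
    </rule>
  </filter>
  <OPNsense>
    <Firewall>
      <Filter version="1.0.4">
        <rules>
          <rule uuid="f2d28fb8-84a8-4f9c-a049-6f0ee2755e9c">
            <enabled>1</enabled>
            <interface>openvpn</interface>
            <description>client1fw1</description>
          </rule>
        </rules>
      </Filter>
    </Firewall>
  </OPNsense>
</opnsense>
"""

# Legacy (GUI "Firewall: Rules") rules and API/automation rules live here.
LEGACY_PATH = "./filter/rule"
AUTOMATION_PATH = "./OPNsense/Firewall/Filter/rules/rule"


def _text(elem, tag):
    """Text of a child element, or '' when missing."""
    child = elem.find(tag)
    return child.text.strip() if child is not None and child.text else ""


def list_rules(config_xml):
    """Return (legacy_rules, automation_rules) as lists of dicts."""
    root = ET.fromstring(config_xml)
    legacy = [
        {"uuid": _text(r, "uuid"), "interface": _text(r, "interface"),
         "description": _text(r, "descr"), "section": "filter"}
        for r in root.findall(LEGACY_PATH)
    ]
    automation = [
        {"uuid": r.get("uuid", ""), "interface": _text(r, "interface"),
         "description": _text(r, "description"),
         "section": "OPNsense/Firewall/Filter"}
        for r in root.findall(AUTOMATION_PATH)
    ]
    return legacy, automation


def find_rule(config_xml, uuid):
    """Find a rule by UUID in either section; None if it is in neither."""
    legacy, automation = list_rules(config_xml)
    for rule in legacy + automation:
        if rule["uuid"] == uuid:
            return rule
    return None


if __name__ == "__main__":
    hit = find_rule(SAMPLE_CONFIG, "f2d28fb8-84a8-4f9c-a049-6f0ee2755e9c")
    print(hit)
```

When find_rule reports the section OPNsense/Firewall/Filter, the rule is one of the automation rules, which is the place Monviech's reply points to (Firewall - Automation - Filter), not the interface tabs the poster was searching.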
#4
Quote from: meyergru on July 18, 2025, 09:43:35 AM
When you try to enter that in the web UI, you will get an error, too. When you expand the text in the content box, you see that a correct list will be showing every port on its own line. In the JSON, you need to have a string like "8\n18".

That works well. Thanks for the help.
#5
Quote from: meyergru on July 17, 2025, 06:43:30 PM
From what that shows, the listed ports are transmitted one per line, separated by a newline character, not by a comma. A range would probably be given by 1:18, not 1-18.

Yeah, you're right. A port range is more like 1:18. But I don't understand what you mean by "separated by a newline character". Isn't "content": "8,18" supposed to put 8,18 in content?
#6
Hi,

I'm trying to add a port list to an alias via the API:

def add_client_dstport_alias(cn, cn_ports):
    # Alias payload for POST /api/firewall/alias/addItem
    payload = {
        "alias": {
            "type": "port",
            "enabled": "1",
            "name": cn + '_port',
            "description": cn,
            "content": "8,18",
            "proto": "",
            "updatefreq": "",
            "counters": "0",
            "categories": ""
        }
    }
    # api_post() is the HTTP helper defined elsewhere in the script
    return api_post('/api/firewall/alias/addItem', payload)

and I got an error:

Entry "8,18" is not a valid port number

I tried different ways to add ports, such as a port range 8-18, and got the same error. But if I add just one port via the API, it works. If I add the other ports by hand in the GUI, everything goes well.

Please help me.

Regards
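Posts #4 to #6 above establish that the alias content field takes one port or range per line, joined by "\n", with ranges written N:M. The following is an added example, not code from the posts or from OPNsense: it normalizes a port list (including the "8,18" and "8-18" spellings the API rejected) into that format and builds the addItem payload shown in post #6. The api_post() helper is the poster's and is not defined here, so the block only builds and validates the payload; the sample inputs are constructed.

```python
"""Build an OPNsense port-alias payload in the form the API accepts.

Added example, not code from the forum posts and not OPNsense's own code.
Validation rules here (1-65535, N:M ranges) are this example's assumptions.
"""
import json
import re

PORT_RE = re.compile(r"\d{1,5}")


def normalize_port_entry(entry):
    """Return one alias line: 'N' or 'N:M' (the range syntax the API accepts).

    Accepts ints, 'N', 'N:M' and the rejected 'N-M' spelling, which is
    rewritten to 'N:M'. Raises ValueError for anything else.
    """
    text = str(entry).strip().replace("-", ":")  # '8-18' -> '8:18'
    parts = text.split(":")
    if len(parts) > 2 or not all(PORT_RE.fullmatch(p) for p in parts):
        raise ValueError(f"{entry!r} is not a valid port or port range")
    nums = [int(p) for p in parts]
    if not all(1 <= n <= 65535 for n in nums):
        raise ValueError(f"{entry!r} is outside 1-65535")
    if len(nums) == 2 and nums[0] > nums[1]:
        raise ValueError(f"{entry!r}: range start must not exceed end")
    return ":".join(str(n) for n in nums)


def alias_content(ports):
    """Join entries one per line, as the alias 'content' field expects.

    A single comma/whitespace-separated string such as '8,18' is split first,
    so the poster's original input becomes '8\\n18'.
    """
    if isinstance(ports, str):
        ports = [p for p in re.split(r"[,\s]+", ports) if p]
    lines = [normalize_port_entry(p) for p in ports]
    if not lines:
        raise ValueError("alias must contain at least one port")
    return "\n".join(lines)


def build_port_alias_payload(cn, ports):
    """Payload for POST /api/firewall/alias/addItem (fields from post #6)."""
    return {
        "alias": {
            "type": "port",
            "enabled": "1",
            "name": cn + "_port",
            "description": cn,
            "content": alias_content(ports),
            "proto": "",
            "updatefreq": "",
            "counters": "0",
            "categories": "",
        }
    }


if __name__ == "__main__":
    # Constructed sample: a client name and a mixed port list.
    print(json.dumps(build_port_alias_payload("client1", [8, "18", "1000-1010"]), indent=2))
```

The payload is what the poster's api_post('/api/firewall/alias/addItem', payload) call would send; the only difference from post #6 is that content is now "8\n18" rather than "8,18".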
#7
General Discussion / CRL and API
July 09, 2025, 01:08:12 PM
Hi,
After reading the API documentation, it seems there's no way to manage the CRL list via the API? Is that correct? If so, how can I do it by scripting something? I wrote a dirty Python script to play with the config.xml file for OTP usage, but I don't think that's very recommended.

Thanks for your helps
#8
I don't know how a RADIUS server can help me manage users' TOTP tokens. I discovered a magical option that lets users manage their own TOTP token at:

System: Settings: Administration: User OTP seed

I created a specific group and associated the System: User Password Manager privilege with it. I added a user to this group, but the user cannot log in, even though the password is correct:


2024-09-24T18:29:40   Informational   configd.py   action allowed system.event.config_changed for user root   
2024-09-24T18:29:39   Notice   audit   /index.php: User logged out for user 'test' from: 172.21.22.15   
2024-09-24T18:29:39   Notice   audit   /index.php: Successful login for user 'test' from: 172.21.22.15

So, as you can see, I'm logged in and... logged out immediately, and root did something, I don't know what, to kick me out of the group.

When I give myself the Password Manager privilege on my own profile page, I can log in to change my password, which is not good since I'm imported from AD, but I don't have an option to change or generate a TOTP token......

If users could interact with their password management page, that would be perfect, but it seems to be buggy or I missed something.
#9
I discovered that users in /config/config.xml can be modified live. So... I'd still rather do it a better way.
#10
Hi,
I have about 850 users to import from Active Directory into OPNsense in order to play with OpenVPN + AD + TOTP authentication.

Currently, I'm able to import just one single user, which works fine. But is there a simple way to import 850 users (yeah, I can do it by clicking on the cloud icon) AND generate a TOTP token for each of them?

I plan to play with the XML config file and restore it with a Python script, but it's not very clean, and I have to reboot OPNsense to import the new XML config file, because I didn't find a way to do the job with the API....

Thanks for your help.
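For the bulk import asked about in posts #8 and #10 above, the part that can be scripted independently of OPNsense is generating a TOTP seed per user and checking codes against it. The following is an added example, not code from the posts or from OPNsense: it draws a 160-bit random seed per user and base32-encodes it (the form authenticator apps take; that the User OTP seed field takes the same form is an assumption), and implements RFC 6238 TOTP with HMAC-SHA1, 30-second steps and 6 digits so a generated seed can be verified before it is handed to a user. The usernames are constructed, and nothing is written to config.xml, for which the posts give no schema.

```python
"""Generate per-user TOTP seeds and verify codes (RFC 6238).

Added example, not code from the forum posts and not OPNsense's own
implementation. The import step into OPNsense is deliberately left out;
the function seeds_for_users() only returns a username -> seed mapping.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time

STEP_SECONDS = 30


def generate_seed(nbytes=20):
    """Random 160-bit seed, base32 without padding (RFC 4226 asks for >= 128 bits)."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode().rstrip("=")


def totp(seed_b32, timestamp, step=STEP_SECONDS, digits=6, digestmod=hashlib.sha1):
    """TOTP code for a base32 seed at the given Unix time (RFC 6238 over HOTP)."""
    pad = "=" * (-len(seed_b32) % 8)          # restore base32 padding if stripped
    key = base64.b32decode(seed_b32.upper() + pad)
    counter = struct.pack(">Q", int(timestamp) // step)
    mac = hmac.new(key, counter, digestmod).digest()
    offset = mac[-1] & 0x0F                    # dynamic truncation (RFC 4226 5.3)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify(seed_b32, code, timestamp, window=1):
    """Accept the code for the current step and +/- window steps of clock skew.

    Uses a constant-time comparison so a wrong code is rejected without
    leaking how many digits matched.
    """
    for k in range(-window, window + 1):
        candidate = totp(seed_b32, timestamp + STEP_SECONDS * k)
        if hmac.compare_digest(candidate, str(code)):
            return True
    return False


def seeds_for_users(usernames):
    """Map each (AD) username to a fresh, independent seed."""
    return {name: generate_seed() for name in usernames}


if __name__ == "__main__":
    users = seeds_for_users(["alice", "bob"])  # constructed sample names
    now = time.time()
    for name, seed in users.items():
        print(name, seed, totp(seed, now))
```

Keep the returned seeds as secrets: whatever import path is used later (API or config.xml), the mapping is equivalent to every user's second factor until each user has enrolled it in their app.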