Firewall API use

Started by datiscum, October 30, 2018, 09:31:47 PM

First simple test:
I have assembled the URL to test the Firewall API as follows.

https://192.168.11.1/api/firewall/aliasutil/aliases

{"message":"controller OPNsense\\Firewall\\Api\\AliasutilController not found","status":400}

In the path: /usr/local/opnsense/mvc/app/controllers/OPNsense/Firewall/Api

I copied the following file

cp AliasUtilController.php AliasutilController.php
Please pay attention to upper/lower case here

After that it worked and I got back a list of all defined aliases.

Did I do something wrong, or does it have to be corrected?

Which call can be used to reload an "alias"?

PS: a POST to api/firewall/alias/reconfigure will reload the aliases for the firewall to use.

Thanks, the URL works now.

But by reloading an alias, I meant something else.
I would like to trigger the reloading of a "URL Table (IPs)" before the time has elapsed.
e.g. /api/firewall/alias/reconfigure/MyAlias

I couldn't find an API call that seemed to do that.


Hey Franco - I tried just now (running latest) and I had the exact same experience datiscum had...
Before I copied / soft linked the file, I got an error. After I copied it worked.

Datiscum: Where is this documented? I've been meaning to get a start on it for something similar - pushing IPs to block into a table through the API. Basically moving the results of utilities like log monitoring to block on the edge of the network.

Thanks!!!

m

Hi m,

Did you use the correct URL? ".../alias_util/..."

New API firewall bits in docs are not up yet, but should arrive soon... https://docs.opnsense.org/development/api.html?highlight=api#core-api


Cheers,
Franco

Ugh - I see the difference now on third look. Thanks :-)

Hi m,

I looked at the code on my OPNSense, with "ssh" access to the console.

Looks like it's not on the agenda right now, as I need it.

So far I simply added a function to the file "/usr/local/opnsense/mvc/app/controllers/OPNsense/Core/Api/FirmwareController.php".

public function aliasreloadAction()
{
    $response = array();
    // stat() the cached table content; a false result means the table file is not there
    $stat = stat('/var/db/aliastables/HillscheidIPv4BlockList.txt');
    if (!$stat) {
        $response['command'] = 'stat';
        $response['status'] = 'failed';
    } else {
        // back-date the .md5 marker by 26 h (93600 s) so the update script sees the table as due for refresh
        $ctime = $stat['ctime'] - 93600;
        $response['command'] = 'touch';
        if (!touch('/var/db/aliastables/HillscheidIPv4BlockList.md5.txt', $ctime, $ctime)) {
            $response['status'] = 'failed';
        } else {
            // run the (renamed) URL table updater; $ret receives its exit status
            system('/usr/local/etc/rc.update_urltables_datiscum', $ret);
            $response['status'] = 'ok';
        }
    }
    return $response;
}

Via the API URL "https://IP:Port/api/core/firmware/aliasreload" it reloads my alias. This has been working very well for a few years now.
But with every update the API file has to be updated again.


It's easier to discuss actual problem descriptions. It looks like you say URL tables are not applied because their TTL hasn't expired yet and you look for a force flush variant?

Files provided by OPNsense will be overwritten for safety reasons, but it's easily possible to build your own API endpoints. That's how plugins are made.


Cheers,
Franco

Yes, that's right!
A TTL could always be set for an alias.

But to make it work in real time you have to be able to force a reload.
I have my own Syslog which gets the data from several other SyslogServers. These are stored in a DB and can lock out an IP address on the OPNSense within seconds, if the syslog server triggers an alias reload for it.

When the new API is ready, this function should not be a problem, should it?

Thanks

The new API is already there, so only the force reload is missing :)

But back to English... It's a special use case that should already be covered by the current API but seems not to be. I'll talk to Ad about this next week.


Cheers,
Franco

@datiscum: Thanks for the detail - sounds like you are doing exactly what I want to do. I needed something "smarter" and more general than individual systems like fail2ban and other log watchers which ban locally without context. I wanted to collect that data, filtering for false positives (for example a bad SMTP password from a site with lots of recent GOOD logins shouldn't be banned, but logged / warned about).

I was looking for a way to insert / delete table entries as I thought this might be more efficient than a table alias reload, but I imagine if that's possible you will be looking at that too.

@franco: When you hear back about the apparent omission, can you please post back here? It sounds like if that function was present, @datiscum wouldn't have to patch each time.

Do either of you have any thoughts about the most efficient way to accomplish this sort of thing (i.e. editing of tables)? I wouldn't want too frequent reloads to place an undue load on the router.

If you look at http://www.openbsd.org/faq/pf/tables.html there is an example:

# pfctl -t spammers -T add 203.0.113.0/24
# pfctl -t spammers -T delete 203.0.113.0/24
# pfctl -t spammers -T show


Is there a preferred way to invoke that sort of thing in OPNsense via API? Or is ssh the only way?

We could periodically update the table file (in case of reloads or fail over) on active / backup carp units, and use the add/delete as a way to modify the live rule set instead of constantly reloading.

My assumption is that reloading the table frequently would have much higher load than just editing the live table?

Is there an API method to do this (or a generic API for a command?), or would it be better to ssh to the router, run the associated pfctl options, write the file, and use the API just for periodic reloads?

Thanks again guys :-)
;D

nginx does this in its permanent ban feature ("Banned") from the logs. You may need a plugin to do this currently.

@franco

Did you talk about it -- and what came of it ?
Will the function be available soon?

Thanks,
  Sascha


Hi,

I'm trying to add an IP to an alias list through the API. So I POST to http://192.168.0.1/api/firewall/alias_util/add/<MY_ALIAS_NAME>
with this data:
address:192.168.0.200

But all I get is an error:
{
    "errorMessage": "[OPNsense\\Firewall\\Alias:aliases.alias.bdb02887-c1c8-4c28-a337-dd833a55e704.content] Entry \"192.168.0.200/32\" is not a valid hostname or IP address.\n",
    "errorTitle": "An API exception occured"
}

Did I do something wrong? Or is the API not ready yet?
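As an added example (not code from any of the posters or from the OPNsense project), here is a small Python client that exercises the calls this thread keeps coming back to: the case-sensitive controller lookup in the first post (aliasutil vs alias_util), the POST to firewall/alias/reconfigure Franco points to, and the alias_util/add call from the last post. It assumes the OPNsense API is reached with HTTP Basic auth (API key as user name, secret as password) and accepts JSON request bodies; the host, key, secret and alias names are placeholders, the pluggable transport and the fake_transport helper are inventions so the example runs offline, and the success bodies in SAMPLE_RESPONSES are constructed (the two error bodies are the ones quoted in the thread). The real transport keeps TLS verification on: point it at the firewall's CA rather than disabling verification for a 192.168.x.x address.

```python
"""Added example (not OPNsense project code): client for the alias API calls discussed in this thread.
Assumes HTTP Basic auth (API key as user name, secret as password) and JSON request bodies; host,
key, secret and alias names are placeholders; success bodies in SAMPLE_RESPONSES are constructed."""
import base64, ipaddress, json, ssl, urllib.error, urllib.request
from collections import namedtuple
from typing import Callable, Optional
from urllib.parse import quote

# transport(method, url, body, headers) -> (http_status, body_text); swappable so the client runs offline
Transport = Callable[[str, str, Optional[bytes], dict], tuple]
# ok: bool, http_status: int, message: one-line summary of whatever error shape came back, payload: JSON/text
ApiResult = namedtuple("ApiResult", "ok http_status message payload")


def classify_response(http_status: int, text: str) -> ApiResult:
    """Fold the response shapes seen in this thread into one result:
    {"message": ..., "status": 400} is a routing error (e.g. wrong controller name/case),
    {"errorMessage": ..., "errorTitle": ...} is an API exception (server-side validation),
    other JSON with a 2xx status is success. A non-JSON body (e.g. a login page) is a failure."""
    try:
        payload = json.loads(text)
    except ValueError:
        return ApiResult(False, http_status, f"non-JSON response (HTTP {http_status})", text)
    if isinstance(payload, dict):
        if "errorMessage" in payload:
            title = payload.get("errorTitle", "API error")
            return ApiResult(False, http_status, f"{title}: {payload['errorMessage'].strip()}", payload)
        if "message" in payload and isinstance(payload.get("status"), int):
            return ApiResult(False, http_status, payload["message"], payload)
        if payload.get("status") in ("failed", "error"):
            return ApiResult(False, http_status, f"status={payload['status']}", payload)
    ok = 200 <= http_status < 300
    return ApiResult(ok, http_status, "ok" if ok else f"HTTP {http_status}", payload)


def is_valid_address(address: str) -> bool:
    """Client-side pre-check: a single IP or a CIDR block. The server validates again regardless."""
    try:
        ipaddress.ip_network(address, strict=False)
        return True
    except ValueError:
        return False


def urllib_transport(cafile: Optional[str] = None) -> Transport:
    """Real HTTPS transport. Point cafile at the firewall's CA instead of disabling verification."""
    ctx = ssl.create_default_context(cafile=cafile)

    def send(method, url, body, headers):
        req = urllib.request.Request(url, data=body, headers=headers, method=method)
        try:
            with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
                return resp.status, resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as err:  # 4xx/5xx bodies still carry the JSON error shape
            return err.code, err.read().decode("utf-8", "replace")
    return send


def fake_transport(responses: dict) -> Transport:
    """Offline stand-in: canned (status, body) picked by URL suffix. Constructed for this example."""
    def send(method, url, body, headers):
        hit = [canned for suffix, canned in responses.items() if url.endswith(suffix)]
        return hit[0] if hit else (404, '{"message":"no canned response","status":404}')
    return send


class OpnsenseAliasApi:
    def __init__(self, base_url: str, key: str, secret: str, transport: Transport):
        self.base_url = base_url.rstrip("/")
        token = base64.b64encode(f"{key}:{secret}".encode()).decode()
        self.headers = {"Authorization": f"Basic {token}", "Content-Type": "application/json"}
        self.transport = transport

    def call(self, method: str, path: str, data: Optional[dict] = None) -> ApiResult:
        body = json.dumps(data).encode() if data is not None else None
        status, text = self.transport(method, f"{self.base_url}/api/{path}", body, self.headers)
        return classify_response(status, text)

    def reconfigure(self) -> ApiResult:  # the POST Franco points to: /api/firewall/alias/reconfigure
        return self.call("POST", "firewall/alias/reconfigure", {})

    def alias_util_add(self, alias: str, address: str) -> ApiResult:  # POST /api/firewall/alias_util/add/<alias>
        if not is_valid_address(address):
            raise ValueError(f"not an IP address or CIDR block: {address!r}")
        return self.call("POST", f"firewall/alias_util/add/{quote(alias, safe='')}", {"address": address})


SAMPLE_RESPONSES = {  # the two error bodies are quoted from this thread; the success bodies are constructed
    "/api/firewall/aliasutil/aliases": (400, r'{"message":"controller OPNsense\\Firewall\\Api\\AliasutilController not found","status":400}'),
    "/api/firewall/alias_util/aliases": (200, '{"rows":[{"name":"MyAlias","type":"urltable"}]}'),
    "/api/firewall/alias/reconfigure": (200, '{"status":"ok"}'),
    "/api/firewall/alias_util/add/MyAlias": (200, r'{"errorMessage": "[OPNsense\\Firewall\\Alias:aliases.alias.bdb02887-c1c8-4c28-a337-dd833a55e704.content] Entry \"192.168.0.200/32\" is not a valid hostname or IP address.\n", "errorTitle": "An API exception occured"}'),
}


def demo() -> dict:
    """Replay the thread's calls against the canned responses; one ApiResult per call."""
    api = OpnsenseAliasApi("https://192.168.11.1", "KEY", "SECRET", fake_transport(SAMPLE_RESPONSES))
    return {
        "wrong_case": api.call("GET", "firewall/aliasutil/aliases"),  # first post: controller not found
        "aliases": api.call("GET", "firewall/alias_util/aliases"),    # same call with the underscore
        "reconfigure": api.reconfigure(),
        "add": api.alias_util_add("MyAlias", "192.168.0.200"),        # last post's validation error
    }
```

To run it against a real firewall, replace fake_transport(SAMPLE_RESPONSES) with urllib_transport(cafile="/path/to/firewall-ca.pem") and the placeholder key/secret with an API key created for a dedicated, least-privileged user. classify_response is the part worth keeping: the API answers with three different JSON shapes, and a caller that only checks the HTTP status will treat the "controller not found" and "API exception" bodies as success.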