API Firewall Rule management

Started by ansibleguy, August 28, 2022, 02:18:30 PM

Previous topic - Next topic
Print
Go Down Pages1 2
User actions
August 28, 2022, 02:18:30 PM
Hello (:

I'm currently developing Ansible RedHat modules to manage OPNSense firewalls using their API.
See: https://github.com/ansibleguy/collection_opnsense

As far as I have understood the API documentation - there is currently 'only' a non-core support for managing Firewall-Rules using the API, right?
See: https://docs.opnsense.org/development/api/plugins/firewall.html

But it seems this integration lacks some very important features - as there is no support for aliases. :-\
(please correct me if I'm wrong..)

Does anybody know if there is a more complete API integration on the roadmap?
If so - can you point me to some information/statements?

Thanks
- AnsibleGuy
August 28, 2022, 02:55:48 PM #1
Hi
from what i see in the model
(https://github.com/opnsense/plugins/blob/master/net/firewall/src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml)
aliases IS supported in source and destination fileds
August 28, 2022, 03:59:11 PM #2
Hi.

Seems you are right - thanks for the input.
Ports don't take aliases - but one can add them to the source_net or destination_net fields.

I was confused as the fields have the explicit term 'net' in them.  ???

What is interesting is that you CAN delete aliases that are currently referenced by those 'automation' rules.  :-\
August 28, 2022, 09:01:08 PM #3
Hi
QuoteWhat is interesting is that you CAN delete aliases that are currently referenced by those 'automation' rules.
hm..looks like it is. may be additional check (in Filter model) should be added at
https://github.com/opnsense/core/blob/7601e9cab3badfd78673bee3f486f8cb9f092266/src/opnsense/mvc/app/models/OPNsense/Firewall/Alias.php#L129
August 29, 2022, 08:54:53 AM #4
If this project sticks to api-only and no XML hacking this sounds very promising
August 29, 2022, 04:24:18 PM #5
Hi.

Quote from: Fright on August 28, 2022, 09:01:08 PM
hm..looks like it is. may be additional check (in Filter model) should be added at
https://github.com/opnsense/core/blob/7601e9cab3badfd78673bee3f486f8cb9f092266/src/opnsense/mvc/app/models/OPNsense/Firewall/Alias.php#L129

Would make sense - yeah.
For now I'll implement a client-side check for this edge-case.

Thanks for now (:
- AnsibleGuy
August 29, 2022, 06:35:04 PM #6
Hi

Quote from: mimugmail on August 29, 2022, 08:54:53 AM
If this project sticks to api-only and no XML hacking this sounds very promising

That's the plan. ;D
I like the approach of best-practise Ansible - were you 'touch' as little as possible.
The XML-way seems to be the opposite of that..

- have a nice day
AnsibleGuy
August 29, 2022, 08:01:14 PM #7
Interesting, watching on GitHub.
August 30, 2022, 04:24:10 PM #8
Hi.

I found another buggy behaviour of the plugin when creating IPv6 rules:

Code Select
REQUEST: POST | HEADERS: '{'Content-Type': 'application/json'}' | DATA: {'rule': {'enabled': 1, 'sequence': 1, 'action': 'pass','quick': 1, 'interface': 'lan', 'direction': 'in', 'ip_protocol': 'inet6', 'protocol': 'TCP', 'source_not': 0, 'source_net': 'any', 'source_port': '', 'destination_not': 0, 'destination_net': 'any', 'destination_port': '443', 'log': 1, 'description': 'ANSIBLE_TEST_1_10'}}
Code Select
RESPONSE: {'status_code': 200, ... '_content': b'{"result":"saved"...

But the 'TCP/IP Version' of the rule is set to inet/IPv4..  :(
August 30, 2022, 05:22:05 PM #9
hi
Quote'ip_protocol': 'inet6'
"ipprotocol" may be?
August 30, 2022, 11:29:51 PM #10
Hi.

Thanks - I'll try it.

Sorry, I could've sworn the 'searchRule' endpoint also returned it with an underscore.  ???

Maybe it's time to get some sleep  ;D

- AnsibleGuy
September 01, 2022, 11:47:13 AM #11 Last Edit: September 04, 2022, 10:09:25 PM by joinnowuk
I was confused as the fields have the explicit term 'net' in them.  ???  install vidmate get-mobdroapk.com
September 04, 2022, 02:04:25 PM #12
Hi

I'm back with another question  ;D

Currently I'm working to implement the Unbound API as Ansible Module.

API References:

The 'Query Forwarding' is not working as I would expect.

In the XML - there is a 'type' switch between 'dot' and 'forward':
Code Select

<type type="OptionField">
  <Required>Y</Required>
  <default>dot</default>
  <OptionValues>
    <dot>DNS over TLS</dot>
    <forward>Forward</forward>
  </OptionValues>
</type>


This can also be seen in the 'get' response:
Code Select
"type":{"dot":{"value":"DNS over TLS","selected":0},"forward":{"value":"Forward","selected":1}

But I my 'dot' items always get created as 'dot' types.
Example:
Code Select

REQUEST: POST | HEADERS: '{'Content-Type': 'application/json'}' | URL: https://FW/api/unbound/settings/addForward | DATA: {'dot': {'type': 'forward', 'enabled': 1, 'domain': 'tmp.at', 'server': '1.1.1.1', 'port': 53}}
RESPONSE: {'status_code': 200,... '_content': b'{"result":"saved","uuid":"..."}'}


Without the 'dot' key in the payload it fails. When changing that key to a 'forward' - it fails.
Can someone enlighten me on what I'm doing wrong?  :-\

- AnsibleGuy
September 04, 2022, 03:45:54 PM #13 Last Edit: September 04, 2022, 03:53:43 PM by Fright
September 06, 2022, 06:24:43 PM #14
Hi.

First of all - thank you for your help! :)

Hmm.. interesting.

I understand the usage of 'Referer' when using the WEB-UI, but it seems to be a little out-of-place for API-only usage.

However - I tested setting the 'Referer' header manually - but without luck.
Code Select

REQUEST: POST | HEADERS: '{'Referer': 'https://FW/ui/unbound/forward', 'Content-Type': 'application/json'}' | URL: https://FW/api/unbound/settings/addForward | DATA: {'dot': {'type': 'forward', 'enabled': 1, 'domain': 'tmp.at', 'server': '1.1.1.1', 'port': 53}}


The dot-items are still of type 'dot'..  :-\

- AnsibleGuy
Print
Go Up Pages1 2
User actions