No-GUI Configuration/Management?

[balin]

For years I ran a FW based on shorewall et al and was very happy with it's config file based operation, that allowed me to git track everything I was doing as well as include comments why I was doing it into the config files.

Havoing now switched to OpnSense on Deciso hardware, I, in contrast, find the GUI less convenient with respect to tracking changes and documenting them.

How do people handle documentation of configuration changes and tracking them in general?

[Patrick M. Hausen]

Automatic check in of every change into git is one option. The commit message records which logged in user performed the change. See os-git-backup plugin.

Don't push to a public repo, e.g. on github. The repo contains all secrets, keys, etc. in plain text. Private repo, e.g. self-hosted Gitea - perfect, IMHO.

[balin]

Indeed. Local git is what I used to run on the shorewall setup. BUT: is Opnsense even setup for CLI administration? Are all the configuration option spread over a plethora of files?

[Patrick M. Hausen]

No, not at all. The plugin only commits the changes you perform in the UI.

The UI puts the configuration in a central "database" (one giant XML file, actually) and the configd service generates the traditional per-service config files from that.

There is no CLI configuration concept at all. If you change config files directly, they are going to be overwritten at the next reboot the latest or maybe sooner by seemingly unrelated UI actions.

Possibly it is simply not the product for you? The entire concept revolves around UI and/or API, not CLI. Same as TrueNAS, more or less.

If you want CLI and e.g. Ansible, just install stock FreeBSD or Linux 

[balin]

To bad. You got me pegged right. Linux (in fact, salt stack managed QubesOS) is my daily driver. Seem to have to return to bare bones eventually. To bad the integration of hard- and software available in the Deciso products is what attracted me. Is there any FW product like that (open source SW with tailored hardware) that would appeal to more adminy rather than clicky pointy types?

[Patrick M. Hausen]

I bet a stock FreeBSD 13.3 will run great on the Deciso device. Apart from that, sorry, no.

I like my Cisco IOS like the greybeard I am, run ~100 FreeBSD servers with ~1000 customer jails all manged with Ansible, but I am not aware of an integrated firewall product that does that and is open source.

If you like to do some research - I read good things about Linux based IPFire.

Here's a pretty recent overview I found: https://geekflare.com/best-open-source-firewall/

Of course you can always get a Cisco or Juniper device 

[Monviech (Cedrik)]

There's also vyos which is only cli based.

[Patrick M. Hausen]

There's also vyos which is only cli based.

Wasn't that a bit of a dead end development/activity wise?

[Monviech (Cedrik)]

There's also vyos which is only cli based.

Wasn't that a bit of a dead end development/activity wise?

I don't know. I just said that it exists. The website looks too fancy for a dead project. XD

[Patrick M. Hausen]

I don't know. I just said that it exists. The website looks too fancy for a dead project. XD

Ah, yes. Thank you, I stand corrected. Must have confused that with ... now that I think about it ... some closed source vendor used to ship an outdated vyos clone on their proprietary hardware, IIRC. Nevermind.

Might fit the OP's bill.