Firewall

The firewall API plugin is a first step into migrating the legacy firewall components from OPNsense, although it does contain a user interface, it’s main focus is only to provide machine to machine interaction between custom applications and OPNsense for selected features.

Abstract [non-callable] (FilterBaseController.php)

Method

Module

Controller

Command

Parameters

POST

firewall

filter_base

apply

$rollback_revision=null

POST

firewall

filter_base

cancelRollback

$rollback_revision

POST

firewall

filter_base

revert

$revision

POST

firewall

filter_base

savepoint

<<uses>>

model Filter.xml

Resources (FilterController.php) – extends : FilterBaseController

Method

Module

Controller

Command

Parameters

POST

firewall

filter

addRule

POST

firewall

filter

delRule

$uuid

GET

firewall

filter

getRule

$uuid=null

*

firewall

filter

searchRule

POST

firewall

filter

setRule

$uuid

POST

firewall

filter

toggleRule

$uuid,$enabled=null

Resources (SourceNatController.php) – extends : FilterBaseController

Method

Module

Controller

Command

Parameters

POST

firewall

source_nat

addRule

POST

firewall

source_nat

delRule

$uuid

GET

firewall

source_nat

getRule

$uuid=null

*

firewall

source_nat

searchRule

POST

firewall

source_nat

setRule

$uuid

POST

firewall

source_nat

toggleRule

$uuid,$enabled=null

Concept

The firewall plugin injects rules in the standard OPNsense firewall while maintaining visibility on them in the standard user interface.

We use our standard ApiMutableModelControllerBase to allow crud operations on rule entries and offer a set of specific actions to apply the new configuration. Since firewall rules can be quite sensitive with a higher risk of lockout, we also support a rollback mechanism here, which offers the ability to rollback this components changes.

The diagram above contains the basic steps to change rules, apply and eventually rollback if not being able to access the machine again. When calling savepoint() a new config revision will be created and the timestamp will be returned for later use. If the cancelRollback(savepoint) is not called within 60 seconds, the firewall will rollback to the previous state identified by the savepoint timestamp (if available).

Note

The examples in this document disable certificate validation, make sure when using this in a production environment to remove the verify=False from the requests calls

Tip

The number of versions kept can be configured as “backup count” in System -> Configuration -> History. This affectively determines within how many configuration changes you can still rollback, if the backup is removed, a rollback will keep the current state (do nothing).

Administration example

Administrative endpoints are pretty standard use of ApiMutableModelControllerBase, the example below searches for a rule named “OPNsense_fw_api_testrule_1”, when not found one will be added otherwise it will print the internal uuid. Inline you will find a brief description of the steps performed.

administrative_example.py
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
#!/usr/bin/env python3.7
import requests
import json

# key + secret from downloaded apikey.txt
api_key="3RhWOno+HwvtmT406I6zw8of8J6n9FOKlWK6U0B+K7stt/fDaJg7bjeF3QAshlScYqC+3o5THy3vQViW"
api_secret="uaBk27NKhQCZSDpfAlG6YJ473MzvsCNiED6kzbYuykzU05fCRkcJADhDm5nxbZt8yREC74ZpvD/vbcEx"

# define the basics, hostname to use and description used to identify our test rule
rule_description='OPNsense_fw_api_testrule_1'
remote_uri="https://192.168.1.1"

# search for rule
r = requests.get(
    "%s/api/firewall/filter/searchRule?current=1&rowCount=7&searchPhrase=%s" % (
        remote_uri, rule_description
    ),
    auth=(api_key, api_secret), verify=False
)

if r.status_code == 200:
    response = json.loads(r.text)
    if len(response['rows']) == 0:
        # create a new rule, identified by rule_description allowing traffic from
        # 192.168.0.0/24 to 10.0.0.0/24 using TCP protocol
        data = {"rule" :
                    {
                    "description": rule_description,
                    "source_net": "192.168.0.0/24",
                    "protocol": "TCP",
                    "destination_net": "10.0.0.0/24"
                    }
                }
        r = requests.post(
            "%s/api/firewall/filter/addRule" % remote_uri, auth=(api_key, api_secret), verify=False, json=data
        )
        if r.status_code == 200:
            print("created : %s" % json.loads(r.text)['uuid'])
        else:
            print("error : %s" % r.text)

    else:
        for row in response['rows']:
            print ("found uuid %s" % row['uuid'])

Tip

Since our model contains default values for most attributes, we only need to feed the changes if we would like to keep the defaults. In this case the TCP/IP version was IPv4 by default for example. In most cases one would like to set all relevant properties in case defaults change over time.

Apply / revert example

This example will disable the rule created in the previous example and apply the changes using a savepoint, since we’re not calling cancelRollback(savepoint) it will revert after 60 seconds to the original state.

savepoint_example.py
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
#!/usr/bin/env python3.7
import requests
import json

# key + secret from downloaded apikey.txt
api_key="3RhWOno+HwvtmT406I6zw8of8J6n9FOKlWK6U0B+K7stt/fDaJg7bjeF3QAshlScYqC+3o5THy3vQViW"
api_secret="uaBk27NKhQCZSDpfAlG6YJ473MzvsCNiED6kzbYuykzU05fCRkcJADhDm5nxbZt8yREC74ZpvD/vbcEx"

# define the basics, hostname to use and description used to identify our test rule
rule_description='OPNsense_fw_api_testrule_1'
remote_uri="https://192.168.1.1"

# search for rule
r = requests.get(
    "%s/api/firewall/filter/searchRule?current=1&rowCount=7&searchPhrase=%s" % (
        remote_uri, rule_description
    ),
    auth=(api_key, api_secret), verify=False
)

if r.status_code == 200:
    response = json.loads(r.text)
    if len(response['rows']) > 0:
        rule_uuid = response['rows'][0]['uuid']
        r = requests.post("%s/api/firewall/filter/savepoint" % remote_uri, auth=(api_key, api_secret), verify=False)
        if r.status_code == 200:
            sp_response = json.loads(r.text)
            # disable rule
            r = requests.post("%s/api/firewall/filter/toggleRule/%s/0" % (remote_uri, rule_uuid),
                              auth=(api_key, api_secret), verify=False
            )
            # apply changes, revert to sp_response['revision'] after 60 seconds
            r = requests.post("%s/api/firewall/filter/apply/%s" % (remote_uri, sp_response['revision']),
                              auth=(api_key, api_secret), verify=False
            )
            print("revert to revision %s in 60 seconds (%s changed)" % (sp_response['revision'], rule_uuid))
    else:
        print("rule %s not found" % rule_description)

Note

The savepoint will only revert this components changes, other changes won’t be affected by this revert, for example add an additional interface between savepoint and revert won’t be affected.