rosa-luxemburgstiftung-berlin / ansible-opnsense
Ansible role to configure OPNsense firewalls
'<' not supported between instances of 'AnsibleUnsafeText' and 'int'
caused by #48
Example: changing a rule's source/any
to source/network: XYZ
results in
<source>
<any>1</any>
+ <network>XYZ</network>
Here the any tag must be cleaned.
As OPNsense has its own logic for sorting the interfaces in a filter rule, an Ansible run will re-deploy them and cause a diff, despite being the same list, just in a different order.
Avoid diffs like
- key: type
value: pass
- key: interface
- value: i1,i2,i3
+ value: i2,i3,i1
- key: ipprotocol
value: inet
- key: statetype
support the new instance configuration for openvpn
the existing openvpn server should be marked as deprecated / legacy implementation.
similar to #42
An enabled alias requires the xml tag
<enabled>1</enabled>
Disabling an enabled alias will require setting the tag to 0.
For now we have no default for this value; OPNsense handles a missing tag as enabled and adds the tag (but only after the first edit).
unbound settings are dead, long live unboundplus ...
#12 related
after adding vlan call handler
/usr/local/opnsense/scripts/interfaces/reconfigure_vlans.php
with linting and a sample xml file, updating with VARs for each task, including an assertion of the expected result
As discussed on https://github.com/naturalis/ansible-opnsense/issues/38
Can you contact me by email and we discuss further?
You can find my details in the contributor list.
ipsec phase2 tunnels removed from the config are not deleted in the xml / on the remote; they require an explicit
opn_unset:
  - ipsec/phase2[uniqid="ee0e6..."]
typo type: hosts
leads to an invalid alias, as it should be type: host
update to the newer ansible-lint version
TASK [detect diff between result and expected state for ipsec-testdisable] *****
fatal: [localhost]: FAILED! => {"changed": true, "cmd": ["cmp", "-s", "cfg/ipsec-testdisable.xml", "ipsec-testdisable-expect.xml"], "delta": "0:00:00.003616", "end": "2024-01-28 05:32:50.026281", "failed_when_result": true, "msg": "non-zero return code", "rc": 1, "start": "2024-01-28 05:32:50.022665", "stderr": "", "stderr_lines": [], "stdout": "", "stdout_lines": []}
If deploying a new rule into an existing config, the order of the rules is not respected as defined in the list.
The new rule will just be the last.
But: order matters here!
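To illustrate the ordering problem this issue reports, here is an added Python example (it is not part of the role and not code from the issue) working on a constructed <filter> section with made-up uuids and descriptions: append_rule is the naive behaviour described above (the new rule always lands last), while merge_rules creates missing rules and re-orders the <rule> nodes to follow the declared list, leaving rules the play does not manage after them. The attribute name uuid on <rule> is the one OPNsense uses in config.xml; everything else is an assumption for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not a real config.xml): the filter section already
# holds two rules; the play declares three, with r2 in the middle.
EXISTING = """<opnsense><filter>
  <rule uuid="r1"><descr>allow dns</descr></rule>
  <rule uuid="r3"><descr>block rest</descr></rule>
</filter></opnsense>"""
DESIRED = [("r1", "allow dns"), ("r2", "allow web"), ("r3", "block rest")]


def load_filter(xml_text):
    """Parse the sample and return the <filter> element."""
    return ET.fromstring(xml_text).find("filter")


def rule_order(filter_el):
    """The uuids of the <rule> children in document order (= evaluation order)."""
    return [r.get("uuid") for r in filter_el.findall("rule")]


def new_rule(uuid, descr):
    r = ET.Element("rule", uuid=uuid)
    ET.SubElement(r, "descr").text = descr
    return r


def append_rule(filter_el, uuid, descr):
    """Naive deploy, as reported in the issue: the new rule is appended,
    so it ends up last no matter where the play lists it."""
    filter_el.append(new_rule(uuid, descr))
    return rule_order(filter_el)


def merge_rules(filter_el, desired):
    """Create missing rules and re-order the <rule> nodes to follow `desired`
    (a list of (uuid, descr)). Rules the play does not know about keep their
    relative order and are placed after the managed ones. A second run with
    the same input leaves the order untouched, so the task stays idempotent."""
    by_uuid = {r.get("uuid"): r for r in filter_el.findall("rule")}
    for uuid, descr in desired:
        if uuid not in by_uuid:
            by_uuid[uuid] = new_rule(uuid, descr)
    wanted = [u for u, _ in desired]
    unmanaged = [r for u, r in by_uuid.items() if u not in wanted]
    for r in list(filter_el.findall("rule")):
        filter_el.remove(r)
    filter_el.extend([by_uuid[u] for u in wanted] + unmanaged)
    return rule_order(filter_el)


if __name__ == "__main__":
    f = load_filter(EXISTING)
    print("append:", append_rule(f, "r2", "allow web"))   # r2 lands last
    f = load_filter(EXISTING)
    print("merge: ", merge_rules(f, DESIRED))             # r2 in the middle
```

The merge keeps a "block rest" style catch-all after the newly inserted rule, which is exactly the case where appending silently changes what the firewall does.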
bring the ansible syntax up to date by using FQCN notation
A disabled phase1 is marked with
<disabled>1</disabled>
Enabled phase1 entries lack this entry (and have no <enabled>1</enabled> tag).
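Added Python example (not the role's code and not from either issue) covering this phase1 convention together with the alias <enabled> tag issue above: aliases carry <enabled>0|1</enabled> where a missing tag means enabled, phase1 entries carry <disabled>1</disabled> only while disabled. The helpers read the state through one interface and write it back the way each section expects, reporting whether the XML changed so a play can stay idempotent. The sample nodes are constructed for the example; the "missing tag means enabled" reading is taken from the issue text.

```python
import xml.etree.ElementTree as ET

# Constructed sample nodes (not from a real config.xml).
ALIAS_ON = "<alias><name>web</name><type>host</type></alias>"      # no <enabled>: enabled
ALIAS_OFF = "<alias><name>web</name><enabled>0</enabled></alias>"
P1_ON = "<phase1><ikeid>1</ikeid></phase1>"                         # no <disabled>: enabled
P1_OFF = "<phase1><ikeid>1</ikeid><disabled>1</disabled></phase1>"

# Per section: the tag that carries the state and whether a value of 1
# in that tag means "enabled" (alias) or "disabled" (phase1).
CONVENTION = {
    "alias": ("enabled", True),
    "phase1": ("disabled", False),
}


def load(xml_text):
    return ET.fromstring(xml_text)


def is_enabled(node, kind):
    tag, positive = CONVENTION[kind]
    el = node.find(tag)
    if el is None:
        return True  # OPNsense treats a missing tag as enabled in both sections
    flag = (el.text or "").strip() == "1"
    return flag if positive else not flag


def set_enabled(node, kind, enabled):
    """Write the desired state in the section's own convention.
    Returns True only when the XML was modified."""
    tag, positive = CONVENTION[kind]
    el = node.find(tag)
    if positive:
        # alias style: materialise <enabled>0|1</enabled>, as the GUI does after an edit
        want = "1" if enabled else "0"
        if el is None:
            el = ET.SubElement(node, tag)
        if el.text == want:
            return False
        el.text = want
        return True
    # phase1 style: <disabled>1</disabled> exists only while disabled
    if enabled:
        if el is None:
            return False
        node.remove(el)
        return True
    if el is not None and (el.text or "").strip() == "1":
        return False
    if el is None:
        el = ET.SubElement(node, tag)
    el.text = "1"
    return True


if __name__ == "__main__":
    a = load(ALIAS_ON)
    print("alias enabled:", is_enabled(a, "alias"))
    print("disable alias changed:", set_enabled(a, "alias", False))
    print("disable alias again changed:", set_enabled(a, "alias", False))
    p = load(P1_OFF)
    print("phase1 enabled:", is_enabled(p, "phase1"))
    print("enable phase1 changed:", set_enabled(p, "phase1", True))
```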
I'm currently struggling a bit with the group tasks. I didn't find a suitable variable construct that adds more than one member to the group.
Here's an example
opn_group:
  - name: test
    member:
    settings:
      - key: description
        value: Testgruppe
      - key: gid
        value: 2000
      - key: member
        value: 0
      - key: member
        value: 2000
      - key: member
        value: 2001
The groups - add users to groups task will never run, because groups - count member nodes will count all member nodes from all groups.
But even when I remove the member count condition it's not working, because it is looking for item.1.member. But item.1 has only key and value. When I reformat my variable to something like this:
  - name: admins
    settings:
      - member: 0
      - member: 2000
      - member: 2001
and remove the member count condition it will add the members. But it will add the members every time the playbook runs.
I would rework the tasks to something that works. I think a combination of the json_query filter and set_children instead of add children should do the job.
Are you using the group management? If so, how are your variables?
I am attempting to use tags to update my router partially.
the actual use case I am using is update only dhcp entries.
For some reason fetch is not working, although I can see that there is an always tag. It works only if I explicitly include the "fetch" tag. I am not sure what the reason is, but it could be that the always applies only to the include-tasks, and the tasks inside are all "fetch" only.
Then there is the application and reload, I think they also need the always tag. when: config.changed will not be processed unless the task is selected by tags first, I think.
Partial execution would be a nice to have feature as configuration of the router keeps growing. would provide more agility while building the router configuration.
Hi, we created the original version of the ansible-opnsense repository. We would like to remove this repository, because it is outdated and not maintained by us anymore.
Can you update your readme file, to let users know that the original upstream repository is removed and that your branch is now leading.
Another option may be to transfer ownership of the naturalis/ansible-opnsense repo to you. Please let us know what your suggestions are.
Regards, Rudi
similar to #45
but regarding the content of aliases
for now updating rules is not working as expected
for example restricting src/dest addresses on an existing rule
- - key: source/any
- value: '1'
+ - key: source/address
+ value: MY_ALLOWED_SRC_ALIAS
updating the XML will result in
<source>
<any>1</any>
<address>MY_ALLOWED_SRC_ALIAS</address>
</source>
and opnsense will still interpret this as any
Same happens when switching dest/src from network to address.
So: source and destination child tags must be set in bulk w/ set_children. And this will break the idempotence of the task ....
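Added Python example (not the role's code and not from either issue) for this report and for the group-member issue above, which share the same root cause: an "add child" task appends to the existing children, so <any>1</any> survives next to the new <address> and group members are appended again on every run. set_children below replaces the managed children of a node wholesale and reports whether anything changed, which is what keeps a second run idempotent. The rule and group nodes are constructed for the example; MY_ALLOWED_SRC_ALIAS is the alias name from the issue.

```python
import xml.etree.ElementTree as ET

# Constructed samples (not from a real config.xml): a rule matching any
# source/destination, and a group that already has one member.
RULE = ("<rule><type>pass</type>"
        "<source><any>1</any></source>"
        "<destination><any>1</any></destination></rule>")
GROUP = "<group><name>admins</name><gid>2000</gid><member>0</member></group>"


def load(xml_text):
    return ET.fromstring(xml_text)


def child_pairs(parent):
    """[(tag, text), ...] of the direct children, in document order."""
    return [(c.tag, (c.text or "").strip()) for c in parent]


def add_child(parent, tag, text):
    """What an 'add child' task does: append. <any>1</any> stays in place,
    so OPNsense still treats the source as any."""
    ET.SubElement(parent, tag).text = text
    return child_pairs(parent)


def set_children(parent, pairs, keep=()):
    """Replace the managed children of `parent` in bulk.
    `keep` lists tags that are left untouched (e.g. name/gid of a group).
    Returns True only when the XML actually changed."""
    before = child_pairs(parent)
    for child in list(parent):
        if child.tag not in keep:
            parent.remove(child)
    for tag, text in pairs:
        ET.SubElement(parent, tag).text = text
    return child_pairs(parent) != before


def restrict_source(rule, alias):
    """Rewrite <source> so that only <address>alias</address> remains."""
    return set_children(rule.find("source"), [("address", alias)])


def sync_members(group, members):
    """Make the <member> set of a group exactly `members`; other tags are kept."""
    pairs = [("member", str(m)) for m in members]
    keep = tuple(c.tag for c in group if c.tag != "member")
    return set_children(group, pairs, keep=keep)


if __name__ == "__main__":
    r = load(RULE)
    print("add child:", add_child(r.find("source"), "address", "MY_ALLOWED_SRC_ALIAS"))
    r = load(RULE)
    print("set children changed:", restrict_source(r, "MY_ALLOWED_SRC_ALIAS"),
          child_pairs(r.find("source")))
    print("second run changed:", restrict_source(r, "MY_ALLOWED_SRC_ALIAS"))
    g = load(GROUP)
    print("members changed:", sync_members(g, [0, 2000, 2001]), child_pairs(g))
    print("members again changed:", sync_members(g, [0, 2000, 2001]))
```

Comparing the child list before and after the rewrite is what restores idempotence: the node is still replaced wholesale, but the task only reports "changed" when the resulting children differ.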
Hi @zerwes
I have a suspicion that the latest patch on conditional reload of systems depending on configuration change may have broken something related to the firewall.
I have been working on the firewall today, and after uploading new configuration the DNS (unbound) breaks.
An NSLOOKUP comes back with:
;; communications error to 127.0.1.1#53: timed out
And looking at the firewall logs I could see that the flow was blocked due to state. Rebooting the firewall fixed it.
I will keep an eye on this. Did you notice similar issues?
at least for the port type, it seems that newer opnsense versions sort the alias entries
Currently the RLS main.yml
tasks just have a split up of the apply handler into 2 steps:
configctl filter sync
for a simpler and non-invasive sync of the filter rules
configctl service reload all
for a hard reload of all services (resulting sometimes in interrupted network traffic / reset of connections)
When creating URL aliases that load Tables, such as:
opn_alias:
  # Blacklists
  - uuid: 0d561ada-f0e4-11e9-b9f0-00051b40070c
    settings:
      - key: name
        value: spamhouse_drops
      - key: type
        value: urltable
      - key: updatefreq
        value: "0.041666666666666664"
      - key: content
        list:
          - https://www.spamhaus.org/drop/drop.txt
          - https://www.spamhaus.org/drop/edrop.txt
      - key: description
        value: Spamhouse Drop and EDrop blacklists
The alias will be created but it won't be loaded up. This type of rule needs to be "applied" from the web ui for tables to be instantiated, for some reason.
Since some release OPNsense uses natural sorting for
<rule>
<interface>a,b,c</interface>
</rule>
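Added Python example (not the role's code and not from any of the issues) for this note, the interface-order diff issue near the top, and the remark that newer versions sort port alias entries: before deciding that a comma-separated value in the XML differs from the value in the play, normalise both sides with a natural sort (opt2 before opt10, 80 before 443) and compare. The assumption here is that writing the list in that natural order matches what OPNsense produces and therefore stops the spurious diff; the interface and port lists are constructed for the example.

```python
import re


def natural_key(item):
    """Sort key that orders embedded numbers numerically: opt2 < opt10."""
    return [int(p) if p.isdigit() else p.lower() for p in re.split(r"(\d+)", item)]


def canonical(csv):
    """Split an OPNsense comma-separated list, drop empties, natural-sort it."""
    items = [x.strip() for x in csv.split(",") if x.strip()]
    return ",".join(sorted(items, key=natural_key))


def same_members(existing, desired):
    """True when both lists hold the same members regardless of order,
    i.e. when redeploying would only shuffle the order and produce a diff."""
    return canonical(existing) == canonical(desired)


def value_to_write(existing, desired):
    """What to put into the XML: keep the current text when the members match,
    otherwise the desired members in natural order."""
    return existing if same_members(existing, desired) else canonical(desired)


if __name__ == "__main__":
    # constructed sample values
    print(same_members("i1,i2,i3", "i2,i3,i1"))      # True: no change needed
    print(canonical("opt10,opt2,lan"))               # lan,opt2,opt10
    print(canonical("443,80,8080"))                  # 80,443,8080
    print(value_to_write("lan,opt2,opt10", "opt10,lan,opt2,wan"))
```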
Hi!
I need to upgrade my firewall... but again, up to which version?
Would be nice to have the latest version of OPNsense this version is compatible with somewhere:
Perhaps in the Readme.md?
Perhaps in Release/Change logs?
What is the last tested opnsense version compatible with this playbook?