
net/haproxy map files updates from url like firewall aliases URL tables

Open mnaiman opened this issue 3 years ago • 3 comments

Important notices

Before you add a new report, we ask you kindly to acknowledge the following:

  • [x] I have read the contributing guidelines at https://github.com/opnsense/plugins/blob/master/CONTRIBUTING.md
  • [x] I have searched the existing issues, open and closed, and I'm convinced that mine is new.
  • [x] When the request is meant for an existing plugin, I've added its name to the title.

Is your feature request related to a problem? Please describe.

Firewall aliases support being updated from a URL, e.g. for GeoIP, blocking Tor, etc. HAProxy supports map files, which are used together with rules and conditions to return HTTP 403 when accessed from IPs defined in the map files. But the HAProxy plugin does not support updating the content of these files from a URL the way firewall aliases do. The proposal is to allow that functionality.

Describe the solution you'd like

Add a URL or Content (as it is called in firewall rules) field to the map file entry, and a cron job to update the content of the file based on data downloaded from the provided URL, as described here (https://docs.opnsense.org/manual/aliases.html#url-tables). For example, a list of IPs to block Tor nodes: https://check.torproject.org/torbulkexitlist (often used to hide a hacker's source IP).

Describe alternatives you've considered

If not implemented, this could be done externally via the API: https://docs.opnsense.org/development/api/plugins/haproxy.html

mnaiman, Aug 26 '22 12:08

Another example is this list, https://iwik.org/ipcountry/geoip.txt, which can be used to block states via

    src,map_ip(/tmp/haproxy/mapfiles/file_id.txt) -m reg -i (US|RU|IN)

file_id can be found in backup.xml via export config once the map file is created.

mnaiman, Aug 26 '22 12:08

Have you considered using the OPNsense API to update the mapfiles? There's also a CLI tool available for this: https://github.com/andeman/opn-cli

I think it should be possible to use opn-cli and a cron job to achieve your goal. Granted, it's a bit more work for you, but it would get the job done. On the other hand, I don't plan to add this functionality to the HAProxy plugin. (opn-cli is available on OPNsense as a package: py39-opn-cli-0.8.1)

fraenki, Sep 20 '22 08:09

Yes, I just wrote a PowerShell script calling the API from a Windows machine. It would be better to run it from cron, but the cron GUI doesn't offer an option to launch a script :/

I respect your decision to not implement that feature, but still think it would be beneficial to copy that feature from IP aliases.

mnaiman, Sep 20 '22 08:09

This issue has been automatically timed-out (after 180 days of inactivity).

For more information about the policies for this repository, please read https://github.com/opnsense/plugins/blob/master/CONTRIBUTING.md for further details.

If someone wants to step up and work on this issue, just let us know, so we can reopen the issue and assign an owner to it.

OPNsense-bot, Feb 22 '23 12:02
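Added example, not part of the original thread and not OPNsense or HAProxy plugin code: whichever route pushes a URL-sourced list into a map file (the API, opn-cli, or a script run from cron), the downloaded text is untrusted input and should be validated before it replaces the current map. The sketch below assumes a feed with one address or CIDR per line, optionally followed by a value; the function names, the "tor" label, the value pattern and the 50% shrink guard are hypothetical choices, and the sample feed is constructed.

```python
import ipaddress
import re

VALUE_RE = re.compile(r"[A-Za-z0-9_-]{1,32}")  # allowed map values (assumed policy)

# Constructed sample feed, not real data (documentation address ranges).
SAMPLE_FEED = """# constructed sample
192.0.2.10
192.0.2.10
198.51.100.0/24
2001:db8::1
not-an-ip
203.0.113.5 extra tokens here
"""

def build_map(feed_text, label=None):
    """Parse "<ip-or-cidr>" or "<ip-or-cidr> <value>" lines into {key: value}.

    Lines without a value get `label`. Anything that is not a valid address
    plus one safe value is rejected, never passed through to the map file.
    """
    entries, rejected = {}, []
    for raw in feed_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        value = parts[1] if len(parts) == 2 else label
        try:
            if len(parts) > 2 or not value or not VALUE_RE.fullmatch(value):
                raise ValueError("unexpected line shape or value")
            net = ipaddress.ip_network(parts[0], strict=False)
        except ValueError:
            rejected.append(raw)
            continue
        key = str(net.network_address) if net.num_addresses == 1 else str(net)
        entries[key] = value  # duplicates collapse to one entry
    return entries, rejected

def render(entries):
    """HAProxy map file text: one "key value" pair per line, stable order."""
    return "".join(f"{k} {v}\n" for k, v in sorted(entries.items()))

def safe_to_replace(old_count, new_count, max_drop=0.5):
    """Refuse an empty list or one that shrank by more than max_drop."""
    return new_count > 0 and new_count >= old_count * (1 - max_drop)

if __name__ == "__main__":
    entries, rejected = build_map(SAMPLE_FEED, label="tor")
    print(render(entries), f"rejected: {rejected}", sep="")
```

Keeping the previous map when `safe_to_replace` returns False means a failed or truncated download does not silently empty the block list.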