diff --git a/harmony-rs/Cargo.lock b/harmony-rs/Cargo.lock
index db0ca21..6fc9ac4 100644
--- a/harmony-rs/Cargo.lock
+++ b/harmony-rs/Cargo.lock
@@ -1240,8 +1240,10 @@ name = "opnsense-config"
 version = "0.1.0"
 dependencies = [
  "async-trait",
+ "log",
  "russh",
  "russh-keys",
+ "serde",
  "thiserror",
  "tokio",
  "xml-rs",
@@ -2594,8 +2596,7 @@ dependencies = [
 [[package]]
 name = "yaserde"
 version = "0.11.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d8198a8ee4113411b7be1086e10b654f83653c01e4bd176fb98fe9d11951af5e"
+source = "git+https://git.nationtech.io/NationTech/yaserde#353558737f3ef73e93164c596ff920d4344f30a3"
 dependencies = [
  "log",
  "xml-rs",
@@ -2604,8 +2605,7 @@ dependencies = [
 [[package]]
 name = "yaserde_derive"
 version = "0.11.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "82eaa312529cc56b0df120253c804a8c8d593d2b5fe8deb5402714f485f62d79"
+source = "git+https://git.nationtech.io/NationTech/yaserde#353558737f3ef73e93164c596ff920d4344f30a3"
 dependencies = [
  "heck",
  "log",
diff --git a/harmony-rs/opnsense-config/Cargo.toml b/harmony-rs/opnsense-config/Cargo.toml
index 8499311..d79b74e 100644
--- a/harmony-rs/opnsense-config/Cargo.toml
+++ b/harmony-rs/opnsense-config/Cargo.toml
@@ -4,10 +4,12 @@ version = "0.1.0"
 edition = "2021"
 
 [dependencies]
+serde = { version = "1.0.123", features = [ "derive" ] }
+log = { workspace = true }
 russh = { workspace = true }
 russh-keys = { workspace = true }
-yaserde = "0.11.1"
-yaserde_derive = "0.11.1"
+yaserde = { git = "https://git.nationtech.io/NationTech/yaserde" }
+yaserde_derive = { git = "https://git.nationtech.io/NationTech/yaserde" }
 xml-rs = "0.8"
 thiserror = "1.0"
 async-trait = { workspace = true }
diff --git a/harmony-rs/opnsense-config/src/config.rs b/harmony-rs/opnsense-config/src/config.rs
index 205b7d3..41f2ee3 100644
--- a/harmony-rs/opnsense-config/src/config.rs
+++ b/harmony-rs/opnsense-config/src/config.rs
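Review bot: The `yaserde` and `yaserde_derive` entries in Cargo.toml now point at a git fork with no `rev`, `tag` or `branch`, so the manifest floats on the fork's default branch and a reproducible build depends entirely on Cargo.lock being present and honoured, which `cargo update` or a fresh `cargo install` will not guarantee; the lock also no longer carries a `checksum` line for these two packages, since git sources have none. Pin the manifest to the commit the lock already resolved, `yaserde = { git = "https://git.nationtech.io/NationTech/yaserde", rev = "353558737f3ef73e93164c596ff920d4344f30a3" }` with the same `rev` on `yaserde_derive`, so a new commit or force-push on the fork cannot change what a clean checkout compiles. A one-line comment above the two entries saying why the fork is needed over the 0.11.1 registry release would tell the next reader when it can be dropped.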
@@ -1,16 +1,19 @@
 use crate::error::Error;
 use crate::modules::opnsense::OPNsense;
 use async_trait::async_trait;
+use log::info;
 use russh::client::{Config as SshConfig, Handler};
 use russh_keys::key;
-use std::{fmt::Write as _, sync::Arc};
-use tokio::io::AsyncWriteExt;
+use std::{fs, net::Ipv4Addr, path::Path, sync::Arc};
+
+#[async_trait]
+pub trait ConfigRepository: std::fmt::Debug {
+    async fn load(&self) -> Result;
+    async fn save(&self, content: &str) -> Result<(), Error>;
+}
 
 struct Client {}
 
-// More SSH event handlers
-// can be defined in this trait
-// In this example, we're only using Channel, so these aren't needed.
 #[async_trait]
 impl Handler for Client {
     type Error = Error;
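Review bot: The new `ConfigRepository` trait has no documentation, and `Path` in the widened `use std::{fs, net::Ipv4Addr, path::Path, sync::Arc};` line is not referenced by any line in this commit's hunks, so unless it is used elsewhere in the file it will produce an unused-import warning. A doc comment on the trait stating the contract, e.g. `/// Source and sink for the raw OPNsense config.xml text: load returns the whole document, save replaces it.`, plus `///` lines on `load` and `save` naming the `Error` cases each may return, would keep the SSH and local-file implementations in step. The return type of `load` as shown here is an unparameterised `Result`; presumably it is `Result<String, Error>` to match `save`, which the doc comment should state.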
@@ -23,55 +26,131 @@ impl Handler for Client { } } -pub struct Config { - opnsense: OPNsense, +#[derive(Debug)] +pub struct SshConfigRepository { ssh_config: Arc, - host: String, username: String, key: Arc, + host: (Ipv4Addr, u16), } -impl Config { - pub async fn new(host: &str, username: &str, key_path: &str) -> Result { - let key = russh_keys::load_secret_key(key_path, None).expect("Secret key failed loading"); - let key = Arc::new(key); - let config = SshConfig::default(); - let config = Arc::new(config); +impl SshConfigRepository { + pub fn new( + host: (Ipv4Addr, u16), + username: String, + key: Arc, + ssh_config: Arc, + ) -> Self { + Self { + ssh_config, + username, + key, + host, + } + } +} - let mut ssh = russh::client::connect(config.clone(), host, Client {}).await?; - ssh.authenticate_publickey(username, key.clone()).await?; +#[async_trait] +impl ConfigRepository for SshConfigRepository { + async fn load(&self) -> Result { + let mut ssh = russh::client::connect(self.ssh_config.clone(), self.host, Client {}).await?; + ssh.authenticate_publickey(&self.username, self.key.clone()) + .await?; let mut channel = ssh.channel_open_session().await?; channel.exec(true, "cat /conf/config.xml").await?; - let mut code; - let mut output = String::new(); + let mut output: Vec = vec![]; + loop { + let Some(msg) = channel.wait().await else { + break; + }; + + info!("got msg {:?}", msg); + match msg { + russh::ChannelMsg::Data { ref data } => { + output.append(&mut data.to_vec()); + } + russh::ChannelMsg::ExitStatus { .. } => {} + russh::ChannelMsg::WindowAdjusted { .. } => {} + russh::ChannelMsg::Success { .. } => {} + russh::ChannelMsg::Eof { .. 
} => {} + _ => todo!(), + } + } + Ok(String::from_utf8(output).expect("Valid utf-8 bytes")) + } + + async fn save(&self, content: &str) -> Result<(), Error> { + let mut ssh = russh::client::connect(self.ssh_config.clone(), self.host, Client {}).await?; + ssh.authenticate_publickey(&self.username, self.key.clone()) + .await?; + + let mut channel = ssh.channel_open_session().await?; + + let command = format!( + "echo '{}' > /conf/config.xml", + content.replace("'", "'\"'\"'") + ); + channel.exec(true, command.as_bytes()).await?; + loop { let Some(msg) = channel.wait().await else { break; }; match msg { - russh::ChannelMsg::Data { ref data } => { - write!(&mut output, "{:?}", data); - println!("Got data {output}"); - } russh::ChannelMsg::ExitStatus { exit_status } => { - code = Some(exit_status); + if exit_status != 0 { + return Err(Error::Ssh(russh::Error::Disconnect)); + } } - _ => todo!(), + _ => {} } } - let xml = output; + + Ok(()) + } +} + +#[derive(Debug)] +pub struct LocalFileConfigRepository { + file_path: String, +} + +impl LocalFileConfigRepository { + pub fn new(file_path: String) -> Self { + Self { file_path } + } +} + +#[async_trait] +impl ConfigRepository for LocalFileConfigRepository { + async fn load(&self) -> Result { + Ok(fs::read_to_string(&self.file_path)?) + } + + async fn save(&self, content: &str) -> Result<(), Error> { + Ok(fs::write(&self.file_path, content)?) + } +} + +#[derive(Debug)] +pub struct Config { + opnsense: OPNsense, + repository: Box, +} + +impl Config { + pub async fn new(repository: Box) -> Result { + let xml = repository.load().await?; + info!("xml {}", xml); let opnsense = yaserde::de::from_str(&xml).map_err(|e| Error::Xml(e.to_string()))?; Ok(Self { opnsense, - ssh_config: config, - host: host.to_string(), - username: username.to_string(), - key, + repository, }) } 
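Review bot: `save` pushes the entire XML through the remote shell's argument list in `echo '…' > /conf/config.xml`, so a config the size of the fixture added in this commit can exceed the remote argument-length limit, and the `>` redirection truncates the live `/conf/config.xml` before `echo` runs, so a dropped session or a rejected command leaves the firewall with an empty or partial config; streaming the content over the channel's stdin into a temporary file and renaming it into place, as below, avoids both. In `load`, `_ => todo!()` panics on any `ChannelMsg` variant not listed (stderr arrives as `ExtendedData`, for instance) and `String::from_utf8(output).expect("Valid utf-8 bytes")` panics on non-UTF-8 content, so both should become errors (`_ => {}` and `.map_err(|e| Error::Xml(e.to_string()))?`), and `output.append(&mut data.to_vec())` can simply be `output.extend_from_slice(data)`. `info!("got msg {:?}", msg)` and `info!("xml {}", xml)` in `Config::new` write the whole firewall config, which carries credential hashes and keys, to the log at info level; log the byte count instead, or at most emit the body under `debug!`. A non-zero exit status in `save` is surfaced as `Error::Ssh(russh::Error::Disconnect)`, which misnames the failure, and a missing exit status is currently treated as success; a dedicated variant in `crate::error` (outside this hunk) would describe it better.
```rust
    async fn save(&self, content: &str) -> Result<(), Error> {
        // … unchanged: connect, authenticate, channel_open_session …
        // Stream the XML over the channel's stdin instead of the argument
        // list, and only replace the live file once the copy is complete.
        // (The temp path is an example; it must be on the same filesystem.)
        channel
            .exec(
                true,
                "cat > /conf/config.xml.tmp && mv /conf/config.xml.tmp /conf/config.xml",
            )
            .await?;
        channel.data(content.as_bytes()).await?;
        channel.eof().await?;
        let mut exit_status = None;
        while let Some(msg) = channel.wait().await {
            if let russh::ChannelMsg::ExitStatus { exit_status: code } = msg {
                exit_status = Some(code);
            }
        }
        match exit_status {
            Some(0) => Ok(()),
            // No status at all is a failure too; a dedicated error variant
            // would describe this better than Disconnect.
            _ => Err(Error::Ssh(russh::Error::Disconnect)),
        }
    }
```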
@@ -85,15 +164,28 @@ impl Config { pub async fn save(&self) -> Result<(), Error> { let xml = yaserde::ser::to_string(&self.opnsense).map_err(|e| Error::Xml(e.to_string()))?; - - let mut ssh = - russh::client::connect(self.ssh_config.clone(), &self.host, Client {}).await?; - ssh.authenticate_publickey(&self.username, self.key.clone()).await?; - todo!("Writing config file to remote host {xml}"); - - // ssh.exec(true, &format!("echo '{}' > /conf/config.xml", xml)) - // .await?; - - // Ok(()) + self.repository.save(&xml).await + } +} + +#[cfg(test)] +mod tests { + use super::*; + use std::path::PathBuf; + + #[tokio::test] + async fn test_load_config_from_local_file() { + let mut test_file_path = PathBuf::from(env!("CARGO_MANIFEST_DIR")); + test_file_path.push("src/tests/data/config-full-1.xml"); + + let config_file_path = test_file_path.to_str().unwrap().to_string(); + println!("File path {config_file_path}"); + let repository = Box::new(LocalFileConfigRepository::new(config_file_path)); + let config = Config::new(repository) + .await + .expect("Failed to load config"); + + println!("Config {:?}", config); + assert!(false); } } diff --git a/harmony-rs/opnsense-config/src/tests/data/config-full-1.xml b/harmony-rs/opnsense-config/src/tests/data/config-full-1.xml new file mode 100644 index 0000000..1feaa2e --- /dev/null +++ b/harmony-rs/opnsense-config/src/tests/data/config-full-1.xml 
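Review bot: `test_load_config_from_local_file` ends with `assert!(false);`, so the test fails unconditionally and breaks `cargo test` for the crate the moment it is merged; the `println!` calls before it suggest it is scaffolding for eyeballing the parsed struct. Replace that line with an assertion on a value the fixture is known to contain, e.g. compare a field of `config.opnsense` (accessible from `mod tests` via `use super::*`) to its value in `config-full-1.xml`, so the test pins the parse instead of failing by design. `println!("Config {:?}", config)` also dumps the whole parsed firewall config, including any credential hashes in the fixture, into test output, and can go once a real assertion exists. `#[tokio::test]` needs tokio's `macros` and `rt` features, which the Cargo.toml hunk does not show for this crate; presumably they come from the workspace dependency definition outside this diff.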
@@ -0,0 +1,2778 @@ + + + opnsense + + + Increase UFS read-ahead speeds to match the state of hard drives and NCQ. + vfs.read_max + default + + + Set the ephemeral port range to be lower. + net.inet.ip.portrange.first + default + + + Drop packets to closed TCP ports without returning a RST + net.inet.tcp.blackhole + default + + + Do not send ICMP port unreachable messages for closed UDP ports + net.inet.udp.blackhole + default + + + Randomize the ID field in IP packets + net.inet.ip.random_id + default + + + + Source routing is another way for an attacker to try to reach non-routable addresses behind your box. + It can also be used to probe for information about your internal networks. These functions come enabled + as part of the standard FreeBSD core system. + + net.inet.ip.sourceroute + default + + + + Source routing is another way for an attacker to try to reach non-routable addresses behind your box. + It can also be used to probe for information about your internal networks. These functions come enabled + as part of the standard FreeBSD core system. + + net.inet.ip.accept_sourceroute + default + + + + This option turns off the logging of redirect packets because there is no limit and this could fill + up your logs consuming your whole hard drive. 
+ + net.inet.icmp.log_redirect + default + + + Drop SYN-FIN packets (breaks RFC1379, but nobody uses it anyway) + net.inet.tcp.drop_synfin + default + + + Enable sending IPv6 redirects + net.inet6.ip6.redirect + default + + + Enable privacy settings for IPv6 (RFC 4941) + net.inet6.ip6.use_tempaddr + default + + + Prefer privacy addresses and use them over the normal addresses + net.inet6.ip6.prefer_tempaddr + default + + + Generate SYN cookies for outbound SYN-ACK packets + net.inet.tcp.syncookies + default + + + Maximum incoming/outgoing TCP datagram size (receive) + net.inet.tcp.recvspace + default + + + Maximum incoming/outgoing TCP datagram size (send) + net.inet.tcp.sendspace + default + + + Do not delay ACK to try and piggyback it onto a data packet + net.inet.tcp.delayed_ack + default + + + Maximum outgoing UDP datagram size + net.inet.udp.maxdgram + default + + + Handling of non-IP packets which are not passed to pfil (see if_bridge(4)) + net.link.bridge.pfil_onlyip + default + + + Set to 1 to additionally filter on the physical interface for locally destined packets + net.link.bridge.pfil_local_phys + default + + + Set to 0 to disable filtering on the incoming and outgoing member interfaces. + net.link.bridge.pfil_member + default + + + Set to 1 to enable filtering on the bridge interface + net.link.bridge.pfil_bridge + default + + + Allow unprivileged access to tap(4) device nodes + net.link.tap.user_open + default + + + Randomize PID's (see src/sys/kern/kern_fork.c: sysctl_kern_randompid()) + kern.randompid + default + + + Maximum size of the IP input queue + net.inet.ip.intr_queue_maxlen + default + + + Disable CTRL+ALT+Delete reboot from keyboard. 
+ hw.syscons.kbd_reboot + default + + + Hint at default settings for serial console in case the autodetect is not working + hw.uart.console + default + + + Enable TCP extended debugging + net.inet.tcp.log_debug + default + + + Set ICMP Limits + net.inet.icmp.icmplim + default + + + TCP Offload Engine + net.inet.tcp.tso + default + + + UDP Checksums + net.inet.udp.checksum + default + + + Maximum socket buffer size + kern.ipc.maxsockbuf + default + + + Page Table Isolation (Meltdown mitigation, requires reboot.) + vm.pmap.pti + default + + + Disable Indirect Branch Restricted Speculation (Spectre V2 mitigation) + hw.ibrs_disable + default + + + Hide processes running as other groups + security.bsd.see_other_gids + default + + + Hide processes running as other users + security.bsd.see_other_uids + default + + + Enable/disable sending of ICMP redirects in response to IP packets for which a better, + and for the sender directly reachable, route and next hop is known. + + net.inet.ip.redirect + 0 + + + + Redirect attacks are the purposeful mass-issuing of ICMP type 5 packets. In a normal network, redirects + to the end stations should not be required. This option enables the NIC to drop all inbound ICMP redirect + packets without returning a response. 
+ + net.inet.icmp.drop_redirect + 1 + + + Maximum outgoing UDP datagram size + net.local.dgram.maxdgram + default + + + + + + 115200 + serial + video + normal + OPN1 + somedomain.yourlocal.mcd + + admins + System Administrators + system + 1999 + 0 + 2000 + page-all + + + root + System Administrator + system + admins + $2y$10$5555555555o8dj21980j1doiOIJDIOASJOID!jidjeue19812y + 0 + + + + + + + $2y$11$55555555556D8198uOASIDJaiojdjd1oijdijosaoijdaoidOIASJDoijdoiadOASdoiK + user + someuser + + + + + + /bin/sh + 2000 + + 2001 + 2000 + Etc/UTC + 0.opnsense.pool.ntp.org 1.opnsense.pool.ntp.org 2.opnsense.pool.ntp.org 3.opnsense.pool.ntp.org + + https + 6155aba4c9375 + + + + + + 1 + 1 + 1 + 1 + 1 + 1 + 1 + hadp + hadp + hadp + + monthly + + aesni + 1 + 1 + 1 + + admins + 1 + + + + + + enabled + 1 + + 1 + + + + + os-ddclient,os-dyndns,os-haproxy,os-wireguard + + + + 1 + admins + yes + basic + + + + + en_US + + none + none + none + none + none + none + none + none + 1 + + + + + pppoe0 + WAN + 1 + 1 + + 1 + 1 + pppoe + + + em1 + LAN + 1 + + 192.168.20.1 + 24 + track6 + + 0 + + + 1 + Loopback + 1 + lo0 + 127.0.0.1 + ::1 + 8 + 128 + none + 1 + + + em5 + backup_sync + 1 + 1 + + 10.10.5.1 + 24 + + + 1 + WireGuard (Group) + wireguard + 1 + 1 + group + + + + 1 + 1 + openvpn + OpenVPN + group + 1 + + + + + + 1 + 192.168.20.1 + somedomain.yourlocal.mcd + hmac-md5 + + + + + 192.168.20.50 + 192.168.20.200 + + + 192.168.20.1 + + + 55:55:55:55:55:1c + 192.168.20.160 + somehost983 + someservire8 + + + + + + 55:55:55:55:55:1c + 192.168.20.155 + somehost893 + + + + + + 55:55:55:55:55:1c + 192.168.20.52 + somehost545 + + + + + + 55:55:55:55:55:1c + 192.168.20.51 + sw1 + someswitch2 + + + + + + 55:55:55:55:55:1c + 192.168.20.50 + hostswitch2 + switch-2 (bottom) + + + + + + + + + + + public + + + + 3 + + + + automatic + + + tcp + wan + + inet + + + + + nat_618812d37b8193.31302503 + host_3 + 22 + + 1 + + + wanip + 55555 + + + root@192.168.1.118 + + /firewall_nat_edit.php made changes + + + 
root@192.168.1.118 + + /firewall_nat_edit.php made changes + + + + tcp + wan + + inet + + + + + nat_64fa19f4acba11.80049900 + 192.168.20.150 + 7860 + + 1 + + + wanip + 7860 + + + root@172.12.0.10 + + /firewall_nat_edit.php made changes + + + root@172.12.0.10 + + /firewall_nat_edit.php made changes + + + + tcp + wan + + inet + + + + + nat_64fb1fbba71e29.76190279 + 192.168.20.150 + 7861 + + 1 + + + wanip + 7861 + + + root@172.12.0.10 + + /firewall_nat_edit.php made changes + + + root@172.12.0.10 + + /firewall_nat_edit.php made changes + + + + tcp + wan + + inet + + + + + nat_64fb1fcea6d8b7.62653343 + 192.168.20.150 + 7862 + + 1 + + + wanip + 7862 + + + root@172.12.0.10 + + /firewall_nat_edit.php made changes + + + root@172.12.0.10 + + /firewall_nat_edit.php made changes + + + + tcp + wan + + inet + + + + + nat_64fb1fdb48ff18.28912920 + 192.168.20.150 + 7863 + + 1 + + + wanip + 7863 + + + root@172.12.0.10 + + /firewall_nat_edit.php made changes + + + root@172.12.0.10 + + /firewall_nat_edit.php made changes + + + + tcp + wan + + inet + + + + + nat_65aed5a66c4f65.25454286 + 192.168.20.140 + 8081 + + 1 + + + wanip + 10100 + + + root@192.168.20.100 + + /firewall_nat_edit.php made changes + + + root@192.168.20.100 + + /firewall_nat_edit.php made changes + + + + tcp + wan + + inet + + + + + nat_65aed67d497580.58958916 + 192.168.20.160 + 8080 + + 1 + + + wanip + 10101 + + + root@192.168.20.100 + + /firewall_nat_edit.php made changes + + + root@192.168.20.100 + + /firewall_nat_edit.php made changes + + + + tcp + wan + + inet + + + + + nat_65aed6961c4ea7.81903986 + 192.168.20.160 + 4000 + + 1 + + + wanip + 10110 + + + root@192.168.20.100 + + /firewall_nat_edit.php made changes + + + root@192.168.20.100 + + /firewall_nat_edit.php made changes + + + + tcp + wan + + inet + + + + + nat_65f4a5b928c9a7.52477383 + 192.168.20.115 + 5000 + + 1 + + + wanip + 10111 + + + root@192.168.20.147 + + /firewall_nat_edit.php made changes + + + root@192.168.20.100 + + /firewall_nat_edit.php made 
changes + + + + tcp + wan + + inet + Redirecting to someservice1 on somehost9 + + + + nat_662bb59baf7573.98640354 + 192.168.20.115 + 11434 + + 1 + + + wanip + 11000 + + + root@192.168.20.100 + + /firewall_nat_edit.php made changes + + + root@192.168.20.100 + + /firewall_nat_edit.php made changes + + + + tcp + wan + + inet + port forwarding for virtual ip for someservice2 servers + + + + pass + someservice2_vip + 55555 + + 1 + + + wanip + 55555 + + + root@172.12.0.12 + + /firewall_nat_edit.php made changes + + + root@172.12.0.12 + + /firewall_nat_edit.php made changes + + + + tcp + wan + + inet + port forwarding for virtual ip for someservice2 servers + + + + nat_670979b3279551.73601303 + 1 + 192.168.20.1 + 55555 + + 1 + + + wanip + 55555 + + + root@172.12.0.12 + + /firewall_nat_edit.php made changes + + + root@172.12.0.12 + + /firewall_nat_edit.php made changes + + + + tcp + wan + + inet + port forwarding for reconfig of someservice2 somehost3 + + + + nat_6709763b6a6748.85579760 + 1 + 192.168.20.132 + 55555 + + 1 + + + wanip + 5533 + + + root@172.12.0.12 + + /firewall_nat_edit.php made changes + + + root@172.12.0.12 + + /firewall_nat_edit.php made changes + + + + tcp + wan + + inet + Redirecting to someservice81 on somehost9 + + + + nat_663c3458b7b5e4.19986620 + 192.168.20.115 + 27017 + + 1 + + + wanip + 27057 + + + root@172.12.0.8 + + /firewall_nat_edit.php made changes + + + root@172.12.0.8 + + /firewall_nat_edit.php made changes + + + + tcp + wan + + inet + Redirecting to someservice858 on somehost545 + + + + nat_663d85b2e3b364.53108170 + 192.168.20.163 + 8888 + + 1 + + + wanip + 8888 + + + root@172.12.0.10 + + /firewall_nat_edit.php made changes + + + root@172.12.0.10 + + /firewall_nat_edit.php made changes + + + + tcp + wan + + inet + Redirecting to someservice858 on somehost545 + + + + nat_667cd97504d870.57128970 + 192.168.20.163 + 8889 + + 1 + + + wanip + 9888 + + + root@172.12.0.8 + + /firewall_nat_edit.php made changes + + + root@172.12.0.8 + + 
/firewall_nat_edit.php made changes + + + + tcp + wan + + inet + Redirecting to someservice858 on somehost9 + + + + nat_666c8932142ed6.34062700 + 192.168.20.115 + 8888 + + 1 + + + wanip + 8889 + + + root@192.168.20.100 + + /firewall_nat_edit.php made changes + + + root@192.168.20.100 + + /firewall_nat_edit.php made changes + + + + tcp + wan + + inet + + + + + nat_651ffc35e573d9.09092618 + 192.168.20.140 + 22 + + 1 + + + wanip + 30140 + + + root@172.12.0.11 + + /firewall_nat_edit.php made changes + + + root@172.12.0.11 + + /firewall_nat_edit.php made changes + + + + + + pass + wan + inet + keep state + allow public connections to vpn + in + wireguard + 1 + udp + + 1 + + + wanip + 51820 + + + root@192.168.1.118 + + /firewall_rules_edit.php made changes + + + root@192.168.1.118 + + /firewall_rules_edit.php made changes + + + + pass + wan + inet + keep state + in + 1 + icmp + echoreq + + 1 + + + wanip + + + root@192.168.1.136 + + /firewall_rules_edit.php made changes + + + root@192.168.1.118 + + /firewall_rules_edit.php made changes + + + + + 1 + + wan + keep state + tcp + inet + +
x3690_3
+ 22 +
+ + + nat_618812d37b8193.31302503 + + root@192.168.1.118 + + /firewall_nat_edit.php made changes + +
+ + + 1 + + wan + keep state + tcp + inet + +
192.168.20.150
+ 7860 +
+ + + nat_64fa19f4acba11.80049900 + + root@172.12.0.10 + + /firewall_nat_edit.php made changes + +
+ + + 1 + + wan + keep state + tcp + inet + +
192.168.20.150
+ 7861 +
+ + + nat_64fb1fbba71e29.76190279 + + root@172.12.0.10 + + /firewall_nat_edit.php made changes + +
+ + + 1 + + wan + keep state + tcp + inet + +
192.168.20.150
+ 7862 +
+ + + nat_64fb1fcea6d8b7.62653343 + + root@172.12.0.10 + + /firewall_nat_edit.php made changes + +
+ + + 1 + + wan + keep state + tcp + inet + +
192.168.20.150
+ 7863 +
+ + + nat_64fb1fdb48ff18.28912920 + + root@172.12.0.10 + + /firewall_nat_edit.php made changes + +
+ + + 1 + + wan + keep state + tcp + inet + +
192.168.20.140
+ 22 +
+ + + nat_651ffc35e573d9.09092618 + + root@172.12.0.11 + + /firewall_nat_edit.php made changes + +
+ + nat_65aed5a66c4f65.25454286 + + 1 + + wan + keep state + tcp + inet + +
192.168.20.140
+ 8081 +
+ + + + root@192.168.20.100 + + /firewall_nat_edit.php made changes + +
+ + nat_65aed67d497580.58958916 + + 1 + + wan + keep state + tcp + inet + +
192.168.20.160
+ 8080 +
+ + + + root@192.168.20.100 + + /firewall_nat_edit.php made changes + +
+ + nat_65aed6961c4ea7.81903986 + + 1 + + wan + keep state + tcp + inet + +
192.168.20.160
+ 4000 +
+ + + + root@192.168.20.100 + + /firewall_nat_edit.php made changes + +
+ + nat_65f4a5b928c9a7.52477383 + + 1 + + wan + keep state + tcp + inet + +
192.168.20.115
+ 5000 +
+ + + + root@192.168.20.100 + + /firewall_nat_edit.php made changes + +
+ + nat_662bb59baf7573.98640354 + + 1 + + wan + keep state + tcp + inet + +
192.168.20.115
+ 11434 +
+ Redirecting to someservice1 on somehost9 + + + root@192.168.20.100 + + /firewall_nat_edit.php made changes + +
+ + nat_663c3458b7b5e4.19986620 + + 1 + + wan + keep state + tcp + inet + +
192.168.20.115
+ 27017 +
+ Redirecting to someservice81 on somehost9 + + + root@172.12.0.8 + + /firewall_nat_edit.php made changes + +
+ + nat_663d85b2e3b364.53108170 + + 1 + + wan + keep state + tcp + inet + +
192.168.20.163
+ 8888 +
+ Redirecting to someservice858 on somehost545 + + + root@172.12.0.10 + + /firewall_nat_edit.php made changes + +
+ + nat_666c8932142ed6.34062700 + + 1 + + wan + keep state + tcp + inet + +
192.168.20.115
+ 8888 +
+ Redirecting to someservice858 on somehost9 + + + root@192.168.20.100 + + /firewall_nat_edit.php made changes + +
+ + nat_667cd97504d870.57128970 + + 1 + + wan + keep state + tcp + inet + +
192.168.20.163
+ 8889 +
+ Redirecting to someservice858 on somehost545 + + + root@172.12.0.8 + + /firewall_nat_edit.php made changes + +
+ + pass + wan + inet + keep state + open virtual ip address for someservice2 + in + 1 + tcp + + 1 + + +
192.168.20.225
+ 55555 +
+ + root@172.12.0.12 + + /firewall_rules_edit.php made changes + + + root@172.12.0.12 + + /firewall_rules_edit.php made changes + +
+ + pass + inet + Default allow LAN to any rule + lan + + lan + + + + + + + pass + inet6 + Default allow LAN IPv6 to any rule + lan + + lan + + + + + + + pass + lan + inet + keep state + in + 1 + carp + + 1 + + + 1 + + + root@192.168.20.100 + + /firewall_rules_edit.php made changes + + + root@192.168.20.100 + + /firewall_rules_edit.php made changes + + + + pass + wireguard + inet + keep state + in + 1 + + 1 + + + 1 + + + root@192.168.20.100 + + /firewall_rules_edit.php made changes + + + root@192.168.1.136 + + /firewall_rules_edit.php made changes + + + + nat_6709763b6a6748.85579760 + + 1 + + wan + keep state + tcp + inet + +
192.168.20.132
+ 55555 +
+ port forwarding for reconfig of someservice2 somehost3 + + + root@172.12.0.12 + + /firewall_nat_edit.php made changes + + 1 +
+ + nat_670979b3279551.73601303 + + 1 + + wan + keep state + tcp + inet + +
192.168.20.1
+ 55555 +
+ port forwarding for virtual ip for someservice2 servers + + + root@172.12.0.12 + + /firewall_nat_edit.php made changes + + 1 +
+
+ + + ICMP + icmp + ICMP + + + + TCP + tcp + Generic TCP + + + + HTTP + http + Generic HTTP + + / + + 200 + + + + HTTPS + https + Generic HTTPS + + / + + 200 + + + + SMTP + send + Generic SMTP + + + 220 * + + + + + 0.opnsense.pool.ntp.org + + + system_information-container:00000000-col3:show,traffic_graphs-container:00000001-col3:show,thermal_sensors-container:00000002-col3:show,log-container:00000003-col3:show,services_status-container:00000004-col4:show,gateways-container:00000005-col4:show,interface_list-container:00000006-col4:show,carp_status-container:00000007-col4:show,wireguard-container:00000008-col4:show,dyn_dns_status-container:00000009-col4:show,system_log-container:00000010-col4:show + 2 + + + root@172.12.0.12 + + /firewall_nat.php made changes + + + + + + + + + + + + + + v9 + + + + 0 + + 1800 + 15 + + + + + + + + + wireguard + 1 + + + + + + + + + + + 1 + x3690_3 + host + + + 0 + + 192.168.1.136 + + + + + 1 + someservice2_vip + host + + + 0 + + 192.168.20.225 + + alias for someservice2 vip + + + + + + + + + + + + 0 + 0 + 0 + wan + 192.168.0.0/16,10.0.0.0/8,172.16.0.0/12 + + + W0D23 + 4 + ac + + medium + + + + 0 + 0 + 0 + + + + + + + + + + + + + + + + + 0 + 120 + 120 + 127.0.0.1 + 25 + + + 0 + auto + 1 + syslog facility log_daemon + + + + 0 + root + oiujds9889DSIJSDIJSDIjdj + 2812 + + + 5 + 1 + + + 0 + root@localhost.local + 0 + + + 10 + + + + 1 + $HOST + + system + + + + 300 + 30 +
+ + + + da6083fd-852c-44af-9ae7-8c9de443bbc9,4f18b847-c2ab-4707-9686-bf656e187ab8,62ea6632-3554-43be-bb0b-ceceab685338,f543f50a-4e52-4afd-85ce-95fe6d61dc54 + + + + + 1 + RootFs + + filesystem + + + / + 300 + 30 +
+ + + + 58896875-13d3-41ad-bed5-d610e0197d37 + + + + + 0 + carp_status_change + + custom + + + /usr/local/opnsense/scripts/OPNsense/Monit/carp_status + 300 + 30 +
+ + + + 78d20574-60b0-4e63-b6d2-0248e7570293 + + + + + 0 + gateway_alert + + custom + + + /usr/local/opnsense/scripts/OPNsense/Monit/gateway_alert + 300 + 30 +
+ + + + 572a5691-1ea7-4191-be24-d7399845a75b + + + + + Ping + NetworkPing + failed ping + alert + + + + NetworkLink + NetworkInterface + failed link + alert + + + + NetworkSaturation + NetworkInterface + saturation is greater than 75% + alert + + + + MemoryUsage + SystemResource + memory usage is greater than 75% + alert + + + + CPUUsage + SystemResource + cpu usage is greater than 75% + alert + + + + LoadAvg1 + SystemResource + loadavg (1min) is greater than 4 + alert + + + + LoadAvg5 + SystemResource + loadavg (5min) is greater than 3 + alert + + + + LoadAvg15 + SystemResource + loadavg (15min) is greater than 2 + alert + + + + SpaceUsage + SpaceUsage + space usage is greater than 75% + alert + + + + ChangedStatus + ProgramStatus + changed status + alert + + + + NonZeroStatus + ProgramStatus + status != 0 + alert + + + + + + + + + 0 + opnsense + + + + 1 + 1 + + + + + + 0 + on + strip + 1 + 1 + 0 + + admin@localhost.local + + + + 0 + /var/squid/cache + 256 + + + always + 100 + 16 + 256 + 0 + 0 + + + + 0 + 2048 + 1024 + 1024 + 256 + + + 0 + + 0 + username + password + + + + + + + lan + 3128 + 3129 + 0 + 0 + + + 4 + 5 + 0 + 3401 + public + + 2121 + 0 + 1 + 0 + + + + + + + + + + + 80:http,21:ftp,443:https,70:gopher,210:wais,1025-65535:unregistered ports,280:http-mgmt,488:gss-http,591:filemaker,777:multiling http + 443:https + + + + + + + 0 + icap://[::1]:1344/avscan + icap://[::1]:1344/avscan + 1 + 0 + 0 + X-Username + 1 + 1024 + 60 + + + + + + OPNsense proxy authentication + 2 + 5 + + + + +