@PiDroid-B
Last active February 8, 2024 10:21
OPNsense Custom script and Cron (example : an Alias Table URL with high frequency refresh)

OPNsense Custom script and Cron

Introduction

A solution for refreshing an Alias (a pf table of IP addresses) from a URL at high frequency.

I have a service that provides my own blacklist of IP addresses.
I want to fetch that blacklist every minute and have OPNsense automatically drop all connections coming from it.
I already have Spamhaus installed (with its alias).

To do this, I need:

  • an alias to use in firewall rules
  • a script to download my blacklist
  • a new cron command available in the OPNsense GUI
  • a cron job

an alias to make firewall rules

Go to Firewall > Aliases and add an Alias

Enabled : checked
Name : MyOwnBlacklist
Type : External (advanced)
Description : Grab from my centralized service about blacklist ip

"External" means OPNsense creates the pf table but never fills it itself; the script below does that with pfctl, so the alias has no refresh interval of its own. The Name must match TABLENAME in the script exactly. The alias only has an effect once it is used in a firewall rule (for example a block rule on WAN with this alias as source).

a script to download my blacklist

Create the script in /usr/home/ (or wherever you want): vi /usr/home/blacklist-update.sh
Add the content of the corresponding file below (don't forget to change the variables).
Set permissions: chmod 700 /usr/home/blacklist-update.sh (the script runs as root, so nobody else should be able to edit it).

a new cron command available under OPNsense GUI

Create a .conf file in /usr/local/opnsense/service/conf/actions.d/ (the file name must start with "actions_"):
vi /usr/local/opnsense/service/conf/actions.d/actions_blacklist-update.conf
Add the content of the corresponding file below, then restart configd and run the action once by hand:

service configd restart
configctl blacklist-update reload

The action name used with configctl is the file name without the "actions_" prefix and the ".conf" suffix; "reload" is the section name inside the file. Running it once from the shell executes the script and shows its output, which is the easiest way to test the setup before scheduling it.

The command in the .conf file is wrapped in flock so that a slow or hanging download cannot overlap with the next run a minute later: -n makes flock give up immediately if the lock is already held, -E 0 makes that a silent success instead of an error in the cron log, and -o closes the lock file descriptor before the script is executed.

a cron job

Go to System > Settings > Cron and add a Job.
The new command appears in the Command dropdown.
Schedule it as you like (every minute in my case).

actions_blacklist-update.conf

[reload]
command:/usr/local/bin/flock -n -E 0 -o /tmp/filter_update_tables_blk.lock /usr/home/blacklist-update.sh
parameter:
type:script_output
message:IP Blacklist Update
description:Centralized Blacklist IP Update from my own service
blacklist-update.sh

#!/bin/sh
# temporary filename
TMPFILE=/tmp/centralizedblacklistip.tmp
# url to grab
TARGET="https://myhost:myport/"
# tablename = name of the External alias (pf table) under OPNsense
TABLENAME="MyOwnBlacklist"
# show execution
#set -x

# Get the text file. Abort if the download fails or the file is empty:
# wget -O still creates (and truncates) the file on failure, and
# "pfctl -T replace" with an empty file would empty the whole table,
# i.e. silently unblock everything until the next successful run.
if ! wget -O "${TMPFILE}" "${TARGET}" || [ ! -s "${TMPFILE}" ]; then
    logger -t blacklist-update "${TABLENAME} : download from ${TARGET} failed, table left unchanged"
    rm -f "${TMPFILE}"
    exit 1
fi

# Update table from temp file and send pfctl's output to syslog
# (the table name is passed to awk with -v; inside single quotes the shell
# would not expand $TABLENAME)
RESULT=$(/sbin/pfctl -t "${TABLENAME}" -T replace -f "${TMPFILE}" 2>&1)
echo "${RESULT}" | awk -v t="${TABLENAME}" '{ print t " : " $0 }' | logger -t blacklist-update
rm -f "${TMPFILE}"
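The downloaded list is trusted input to the firewall: whatever the remote service returns goes straight into the pf table, so a broken or compromised feed could push 0.0.0.0/0 (block all traffic), hostnames or garbage into it. The following script is an added example, not part of the gist above, showing a sanitizing step to run on TMPFILE before pfctl loads it. The function name sanitize_blacklist and the sample feed are assumptions made for this example; the feed data is constructed, not real.

```shell
#!/bin/sh
# Added example, not part of the original gist: sanitize a downloaded
# blacklist before "pfctl -T replace" loads it.
#
# sanitize_blacklist INFILE OUTFILE
#   keeps only IPv4/IPv6 addresses and CIDR prefixes, drops comments, blank
#   lines, malformed entries, prefixes longer than the address family allows,
#   and catch-all entries (/0, 0.0.0.0, ::). Returns 1 if nothing survives,
#   so the caller can leave the current table untouched.
sanitize_blacklist() {
    awk '
        # dotted quad with every octet in 0..255
        function v4(a,    n, p, i) {
            n = split(a, p, ".")
            if (n != 4) return 0
            for (i = 1; i <= 4; i++)
                if (p[i] !~ /^[0-9][0-9]?[0-9]?$/ || p[i] + 0 > 255) return 0
            return 1
        }
        # hex groups separated by ":" with at most one "::"
        # (embedded IPv4 forms such as ::ffff:1.2.3.4 are rejected on purpose)
        function v6(a,    t, dbl, n, g, i, ne) {
            if (a !~ /^[0-9A-Fa-f:]+$/ || index(a, ":::") > 0) return 0
            t = a
            dbl = gsub(/::/, "::", t)
            if (dbl > 1) return 0
            n = split(a, g, ":")
            ne = 0
            for (i = 1; i <= n; i++) {
                if (g[i] == "") continue
                if (g[i] !~ /^[0-9A-Fa-f][0-9A-Fa-f]?[0-9A-Fa-f]?[0-9A-Fa-f]?$/) return 0
                ne++
            }
            if (dbl) return (ne <= 7)
            return (ne == 8)
        }
        {
            sub(/\r$/, "")            # CRLF feeds
            sub(/#.*$/, "")           # trailing comments
            if (NF != 1) next         # blank line or extra tokens on the line
            entry = $1
            slash = index(entry, "/")
            if (slash > 0) {
                addr = substr(entry, 1, slash - 1)
                plen = substr(entry, slash + 1)
                if (plen !~ /^[0-9][0-9]?[0-9]?$/) next
                plen += 0
            } else {
                addr = entry
                plen = -1
            }
            if (v4(addr)) maxlen = 32
            else if (v6(addr)) maxlen = 128
            else next
            if (plen == 0 || plen > maxlen) next          # /0 would block the whole internet
            if (addr == "0.0.0.0" || addr == "::") next   # unspecified address, never a host
            print entry
        }' "$1" | sort -u > "$2"
    [ -s "$2" ]
}

# Constructed sample feed (not real data), mixing good entries with what a
# broken or hostile feed could contain.
SAMPLE=$(mktemp) && CLEAN=$(mktemp) || exit 1
cat > "$SAMPLE" <<'EOF'
# my own blacklist
203.0.113.7
198.51.100.0/24      # a whole /24
2001:db8::dead:beef
2001:db8:1::/48
0.0.0.0/0            # catch-all: would block everything
::/0
10.0.0.0/0
256.1.1.1
evil.example.com
198.51.100.0/33
203.0.113.7
EOF
if sanitize_blacklist "$SAMPLE" "$CLEAN"; then
    echo "accepted $(wc -l < "$CLEAN" | tr -d ' ') entries:"
    cat "$CLEAN"
else
    echo "nothing usable in the feed, table left unchanged" >&2
fi
rm -f "$SAMPLE" "$CLEAN"
```

In blacklist-update.sh this would sit between the download and the pfctl call: sanitize_blacklist "${TMPFILE}" "${TMPFILE}.clean" && pfctl -t "${TABLENAME}" -T replace -f "${TMPFILE}.clean", with the failure branch logging and exiting like the empty-download case. Of the sample feed only the four real entries survive; the /0 prefixes, the hostname, the bad octet and the /33 are dropped and the duplicate is collapsed by sort -u.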
@skull-squadron
Thanks for this. I had to drop in a DDNS update since neither DDNS plugin works. They should just have a way to add a one-liner and/or a script from the interface that can be captured in the config.xml.