Activate / Deactivate Firewall Rule through API

#1 (Newbie, joined Sep 2018, 2 posts)

    Hi all,

I use Untangle with various policies to ensure that my kids and guests get a specific policy assigned, so I can control the respective clients through a dedicated web filter and firewall app.

I am also using a smart home. What I would like to achieve is to integrate a button in my smart home that can trigger (activate/deactivate) a firewall rule to block complete internet access, rather than having to log in to the WebUI and do this manually.

    I have read the untangle-api-doc, but since I am not a programmer, I am kinda lost and would greatly appreciate support on that matter.

    Thanks a lot,
    Thomas

#2 (Untangler, joined Jan 2019, 38 posts)

I asked them the same question this week and the answer seems to be no.
From what I can tell, the only mechanism they have where a policy change is stateful and not packet-based is their time/date rule. But I don't see any option for something external.

#3 sky-knight (Untangle Ninja, joined Apr 2008, Phoenix, AZ, 23,428 posts)

    *Everything I'm about to say is not supported, screw this up and you'll break your box in a way that not only will you not be able to get any help, but those like me won't even bother to try to help you.*

    **** Again, cross this line at your own peril ****

Untangle has a command line utility that can control some aspects of the platform; this command is ucli.

ucli instances will return a list of rack applications, what their instance number is, and what rack they are running in. Using that command you can determine what the instance number of the firewall module you're working with is.

Once you have that information, you can look in /usr/share/untangle/settings/firewall for a settings_<instance number>.js file that contains the firewall settings for the instance you're working with. If you change this file, then execute ucli stop <instance number>, followed by ucli start <instance number>, you can inject a configuration change.

    However, if you are not a programmer, I'm not sure how you expect to dynamically modify those .js files, if you are a programmer you can do all of this via SCP and SSH. However, again opening this door has risks attached to it that will more than likely get you hacked. At very least, make sure you have a strong WebAdmin password as that password sets the root login for SSH use.

    Further information is in the wiki, Untangle is open source so you can do whatever you want with it. However, you will not find much help in doing so because none of this is "easy", and all of this can break in a future upgrade.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

#4 LaurentR (Untangler, joined Jan 2019, 38 posts)

sky-knight,
    that's great info!
    One lightweight version of what you describe, which I just tried is to do the following:
    * Add a policy that overrides the firewall app.
    * Set the policy firewall app to block some type of traffic (or whatever the goal is).
    * Add a rule that's a superset of what is needed by the firewall rule(s) (i.e. apply to all the traffic that the firewall rule(s) is supposed to catch). Don't lock yourself out :-)

    Right now, the policy firewall rules apply.

    Now, go to the command line.
    * "ucli instances" will show the instance number for the policy firewall app
    * "ucli stop xx" (where xx is the instance number above) will stop the policy firewall app, so the blocking is not active anymore.
    * "ucli start xx" will restart the policy firewall app and the blocking is active again.

    So all you need is to ucli start/stop remotely (with ssh), which is not nearly as scary and should do the work in many cases.
    Last edited by LaurentR; 02-02-2019 at 11:26 PM.

#5 sky-knight (Untangle Ninja, joined Apr 2008, Phoenix, AZ, 23,428 posts)

    Ahh yes, that would do. And if you want to remotely manipulate that, I suggest an IP specific SSH pass rule in your access rules, because blanket SSH pass, including on a LAN is VERY dangerous. But once SSH is locked down, plink.exe does wonders from a Windows station.
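Putting #4's start/stop toggle together with #5's advice to lock SSH down, here is an added example that is not part of this thread and not Untangle's own code. It is a forced-command wrapper for a dedicated smart-home SSH key: because the WebAdmin password is the root password for SSH, the key the smart-home automation holds should not be able to open a root shell at all, only request "start" or "stop" of one pre-chosen instance. The wrapper validates the whole of $SSH_ORIGINAL_COMMAND against an allowlist, so "stop; id" or "stop 13" are refused. The instance number 12, the path /usr/local/bin/ucli-toggle, the ucli path /usr/bin/ucli, the client address 192.0.2.10 and the key material are all placeholders I chose for the example; take the real instance number from ucli instances on your own box.

```shell
#!/bin/sh
# ucli-toggle: forced-command wrapper for a smart-home SSH key.
# Added example, not Untangle's own tooling. Assumptions (all hypothetical):
#   - this script is installed on the Untangle box as /usr/local/bin/ucli-toggle
#   - the policy firewall app shown by `ucli instances` is instance 12
#   - ucli lives at /usr/bin/ucli
#
# Install by binding a dedicated key to it in /root/.ssh/authorized_keys
# (one line; 192.0.2.10 and the key material are placeholders). `from=`
# limits the key to one source address, in addition to the IP-specific SSH
# access rule in Untangle; the no-* options remove tty, forwarding and X11:
#
#   command="/usr/local/bin/ucli-toggle",from="192.0.2.10",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-ed25519 AAAA...key... smarthome
#
# The client can then only run the two allowlisted actions:
#   ssh -i ~/.ssh/smarthome root@untangle stop          # blocking off
#   ssh -i ~/.ssh/smarthome root@untangle start         # blocking on
#   plink.exe -batch -i smarthome.ppk root@untangle start   (from Windows)
# Anything else, including an interactive shell, is refused and logged.

UCLI_INSTANCE="${UCLI_INSTANCE:-12}"     # assumed instance number
UCLI_BIN="${UCLI_BIN:-/usr/bin/ucli}"    # assumed path to ucli

# validate_request REQUEST
# Prints the exact argument list to hand to ucli, or prints nothing and
# returns 1 when REQUEST is not exactly "start" or "stop". Matching the whole
# string in a case pattern means "stop; rm -rf /" or "stop 13" never match.
validate_request() {
    case "$1" in
        start|stop) printf '%s %s\n' "$1" "$UCLI_INSTANCE"; return 0 ;;
        *) return 1 ;;
    esac
}

# audit_line ACTION CLIENT
# Builds the syslog line recorded for every accepted request.
audit_line() {
    printf 'ucli-toggle: %s instance %s requested from %s\n' \
        "$1" "$UCLI_INSTANCE" "${2:-unknown}"
}

# Dispatch only when sshd handed us a forced command; running the file by
# hand or sourcing it for tests leaves SSH_ORIGINAL_COMMAND unset.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    client="${SSH_CLIENT%% *}"            # sshd sets SSH_CLIENT to "ip port port"
    if args=$(validate_request "$SSH_ORIGINAL_COMMAND"); then
        command -v logger >/dev/null 2>&1 && \
            logger -p auth.notice "$(audit_line "$SSH_ORIGINAL_COMMAND" "$client")"
        # shellcheck disable=SC2086  # word split is intentional: "stop 12"
        exec "$UCLI_BIN" $args
    else
        command -v logger >/dev/null 2>&1 && \
            logger -p auth.warning "ucli-toggle: refused '$SSH_ORIGINAL_COMMAND' from ${client:-unknown}"
        echo "refused" >&2
        exit 1
    fi
fi
```

The smart-home side only ever sends the bare word "start" or "stop"; the instance number is fixed on the Untangle side, so a compromised automation host cannot redirect the wrapper at a different app. Pair the key with a password-less, key-only sshd configuration for that account if your setup allows it, and keep sky-knight's caveat in mind: a future Untangle upgrade may change ucli or renumber instances, so check ucli instances again after upgrading.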
