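# Set your OPNsense API credentials.
# Prefer supplying them through the environment (variable names chosen here:
# OPNSENSE_API_KEY, OPNSENSE_API_SECRET, OPNSENSE_IP) so that no secret has to
# live in this file; the string literals are only placeholder fallbacks and keep
# the previous values when the environment variables are unset.
$APIKey     = if ($env:OPNSENSE_API_KEY)    { $env:OPNSENSE_API_KEY }    else { "API_KEY" }
$APISecret  = if ($env:OPNSENSE_API_SECRET) { $env:OPNSENSE_API_SECRET } else { "API_SECRET" }
$OPNsenseIP = if ($env:OPNSENSE_IP)         { $env:OPNSENSE_IP }         else { "192.168.100.1" }
# Base URI for OPNsense API (always https: the key/secret travel in the Authorization header)
$BaseUri = "https://$OPNsenseIP/api"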
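# Function to send API requests
function Send-ApiRequest {
    <#
    .SYNOPSIS
        Sends an authenticated request to the OPNsense REST API.
    .DESCRIPTION
        Builds an HTTP Basic Authorization header from the script-scope
        $APIKey and $APISecret and forwards the call to Invoke-RestMethod.
        A non-null -Body is serialized with ConvertTo-Json and sent with
        Content-Type application/json.
    .PARAMETER Uri
        Absolute URI of the API endpoint.
    .PARAMETER Method
        HTTP method name accepted by Invoke-RestMethod (e.g. Get, Post).
    .PARAMETER Body
        Optional object (typically a hashtable) serialized as the JSON body.
        $null (the default) sends no body.
    .PARAMETER SkipCertificateCheck
        Whether TLS certificate validation is skipped. Defaults to $true to
        keep the previous behaviour; pass $false once the firewall presents a
        certificate the client trusts, since skipping validation lets any
        endpoint impersonate the firewall and receive the Basic credentials.
    .PARAMETER JsonDepth
        Maximum nesting depth passed to ConvertTo-Json. ConvertTo-Json's
        default depth is small and silently flattens deeper objects; 10 is
        ample for the rule bodies in this script.
    .OUTPUTS
        Whatever Invoke-RestMethod returns (the parsed response).
    .NOTES
        -SkipCertificateCheck on Invoke-RestMethod requires PowerShell 7+.
    #>
    param (
        [ValidateNotNullOrEmpty()]
        [string]$Uri,
        [ValidateNotNullOrEmpty()]
        [string]$Method,
        [object]$Body = $null,
        [bool]$SkipCertificateCheck = $true,
        [int]$JsonDepth = 10
    )
    # Create a Base64-encoded authorization string. Braces keep the parser from
    # reading "$APIKey:" as a scope/drive qualifier. ASCII encoding is retained
    # from the original; a key or secret containing non-ASCII characters would
    # be mangled here (OPNsense keys are plain ASCII in practice).
    $Credentials = "${APIKey}:${APISecret}"
    $Base64Credentials = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes($Credentials))
    $Headers = @{
        "Authorization" = "Basic $Base64Credentials"
    }
    $RequestParams = @{
        Uri                  = $Uri
        Method               = $Method
        Headers              = $Headers
        SkipCertificateCheck = $SkipCertificateCheck
    }
    # Explicit null test: the original truthiness check would also drop an
    # intentionally empty array body.
    if ($null -ne $Body) {
        $RequestParams.Body        = $Body | ConvertTo-Json -Depth $JsonDepth
        $RequestParams.ContentType = "application/json"
    }
    return Invoke-RestMethod @RequestParams
}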
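# 1. Allow the Ubuntu, Windows Primary, and OPNsense machines to access the Internet
# The original posted a single pass rule for 192.168.100.110 (Windows Primary)
# although its description also named Ubuntu; Ubuntu is 192.168.100.130 per the
# SSH rules further down, so one pass rule is now posted per host. Outbound
# traffic of the OPNsense box itself is not matched by a source-host rule here
# (TODO confirm whether a separate rule is needed for it).
# NOTE(review): the endpoint path and the field names (source/destination/
# description) are taken as-is — verify them against the API reference of the
# OPNsense release in use before relying on this script.
$AllowInternetUri = "$BaseUri/firewall/rule"
$AllowInternetHosts = @{
    "192.168.100.110" = "Windows Primary"
    "192.168.100.130" = "Ubuntu"
}
foreach ($Entry in $AllowInternetHosts.GetEnumerator()) {
    $AllowInternetBody = @{
        interface   = "wan"
        type        = "pass"
        protocol    = "any"
        source      = @{ address = $Entry.Key; type = "network" }
        destination = "any"
        description = "Allow $($Entry.Value) to access Internet"
    }
    Send-ApiRequest -Uri $AllowInternetUri -Method Post -Body $AllowInternetBody
}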
# 2. Disallow the Windows Secondary machine from accessing the Internet
# Block rule for 192.168.100.120 (Windows Secondary); destination "any" so it
# covers every outbound flow from that host, not just web traffic.
$BlockWindowsSecondaryUri = "$BaseUri/firewall/rule"
$BlockWindowsSecondaryBody = @{
    interface   = "wan"
    type        = "block"
    protocol    = "any"
    source      = @{ address = "192.168.100.120"; type = "network" }
    destination = "any"
    description = "Block Windows Secondary from accessing Internet"
}
Send-ApiRequest -Uri $BlockWindowsSecondaryUri -Method Post -Body $BlockWindowsSecondaryBody
# 3. Disallow ICMP packets from the Windows Secondary to OPNsense
# Narrower than rule 2: only ICMP from 192.168.100.120 to the firewall
# address itself. Note the source uses type "network" while the destination
# uses type "host" for what is also a single address — presumably both should
# be "host"; verify against the API schema.
$BlockICMPSecUri = "$BaseUri/firewall/rule"
$BlockICMPSecBody = @{
    interface   = "wan"
    type        = "block"
    protocol    = "icmp"
    source      = @{ address = "192.168.100.120"; type = "network" }
    destination = @{ address = "192.168.100.1"; type = "host" }
    description = "Block ICMP from Windows Secondary to OPNsense"
}
Send-ApiRequest -Uri $BlockICMPSecUri -Method Post -Body $BlockICMPSecBody
# 4. Allow only Windows Primary to access the OPNsense web interface
# Pass rule: TCP/443 from 192.168.100.110 to the firewall. It must be created
# before the matching block rule so that first-match evaluation reaches it.
$AllowWebInterfaceUri = "$BaseUri/firewall/rule"
$AllowWebInterfaceBody = @{
    interface       = "wan"
    type            = "pass"
    protocol        = "tcp"
    source          = @{ address = "192.168.100.110"; type = "network" }
    destination     = @{ address = "192.168.100.1"; type = "host" }
    destinationport = "443"
    description     = "Allow Windows Primary to access OPNsense web interface"
}
Send-ApiRequest -Uri $AllowWebInterfaceUri -Method Post -Body $AllowWebInterfaceBody
# Block all other machines from accessing OPNsense web interface
# Catch-all block for TCP/443 to the firewall from the whole LAN range. "All
# other machines" here means only 192.168.100.0/24: hosts outside that subnet
# are not matched by this rule and fall through to whatever default policy
# applies on the interface (TODO confirm the default is deny).
$BlockWebInterfaceUri = "$BaseUri/firewall/rule"
$BlockWebInterfaceBody = @{
    interface       = "wan"
    type            = "block"
    protocol        = "tcp"
    source          = @{ address = "192.168.100.0/24"; type = "network" }
    destination     = @{ address = "192.168.100.1"; type = "host" }
    destinationport = "443"
    description     = "Block all other machines from accessing OPNsense web interface"
}
Send-ApiRequest -Uri $BlockWebInterfaceUri -Method Post -Body $BlockWebInterfaceBody
# 5. Disallow Ubuntu and Windows Secondary from using SSH to access OPNsense
# Allow Windows Primary to SSH
# Pass rule: TCP/22 from 192.168.100.110 to the firewall. Unlike the web
# interface rules, no catch-all block for the subnet follows the SSH rules
# below — only two specific hosts are blocked, so SSH reachability for any
# other LAN host depends on the interface's default policy.
$AllowSSHUri = "$BaseUri/firewall/rule"
$AllowSSHBody = @{
    interface       = "wan"
    type            = "pass"
    protocol        = "tcp"
    source          = @{ address = "192.168.100.110"; type = "network" }
    destination     = @{ address = "192.168.100.1"; type = "host" }
    destinationport = "22"
    description     = "Allow Windows Primary to SSH into OPNsense"
}
Send-ApiRequest -Uri $AllowSSHUri -Method Post -Body $AllowSSHBody
# Block Ubuntu from SSH
# Block rule: TCP/22 from 192.168.100.130 (Ubuntu) to the firewall.
$BlockUbuntuSSHUri = "$BaseUri/firewall/rule"
$BlockUbuntuSSHBody = @{
    interface       = "wan"
    type            = "block"
    protocol        = "tcp"
    source          = @{ address = "192.168.100.130"; type = "network" }
    destination     = @{ address = "192.168.100.1"; type = "host" }
    destinationport = "22"
    description     = "Block Ubuntu from SSH into OPNsense"
}
Send-ApiRequest -Uri $BlockUbuntuSSHUri -Method Post -Body $BlockUbuntuSSHBody
# Block Windows Secondary from SSH
# Block rule: TCP/22 from 192.168.100.120 (Windows Secondary) to the firewall.
# NOTE(review): nothing in this script applies or reloads the firewall
# configuration after the rules are posted; confirm whether the API of the
# OPNsense release in use needs a separate apply step for them to take effect.
$BlockWinSecSSHUri = "$BaseUri/firewall/rule"
$BlockWinSecSSHBody = @{
    interface       = "wan"
    type            = "block"
    protocol        = "tcp"
    source          = @{ address = "192.168.100.120"; type = "network" }
    destination     = @{ address = "192.168.100.1"; type = "host" }
    destinationport = "22"
    description     = "Block Windows Secondary from SSH into OPNsense"
}
Send-ApiRequest -Uri $BlockWinSecSSHUri -Method Post -Body $BlockWinSecSSHBody