v0.0.6

Makefile

@@ -1,5 +1,5 @@
 PLUGIN_NAME=		crowdsec
-PLUGIN_VERSION=		0.0.5
+PLUGIN_VERSION=		0.0.6
 #PLUGIN_REVISION=	1
 PLUGIN_DEPENDS=		crowdsec crowdsec-firewall-bouncer
 PLUGIN_COMMENT=		Lightweight and collaborative security engine

README.md

@@ -6,14 +6,14 @@ This OPNsense plugin is still under testing before GA release.
 
 Feel free to try it but note that
 
- * **In this pre-release version you have to manually create aliases and rules** (see under Configuration)
-   otherwise the bouncer will seem to work but not block any packet.
+ * In this pre-release version you may need some manual steps, see below under Configuration
+   and under Upgrade.
 
  * It has been tested with 21.7 and 22.1, but you have to disable circular logs under 21.7
 
  * you need to install the latest crowdsec and crowdsec-firewall-bouncer from
    this repository because they are not yet available in the upstream
-   repositories. Previous versions won't work properly.
+   repositories. Previous versions may not work properly.
 
  * Don't expect many features on the web interface. Feel free to give us a feel
    of your priorities. The command line should work the same as under Linux.
@@ -28,29 +28,38 @@ Feel free to try it but note that
 Installation
 ------------
 
+> If you have previously used v0.0.5, you had to create a couple of Alias and
+> related Rules objects in the admin interface. This is not necessary anymore.
+> It's a good idea to remove them before upgrading, to avoid any conflict and
+> test the new automated configuration. You can do that under Firewall -> Aliases
+> and Firewall -> Rules -> Floating.
+>
+> The plugin will re-create the Alias objects and two associated floating rules
+> (automatically generated, hidden by default).
+
 Once the plugin is released, you will be able to install it from the OPNsense admin interface.
 
 For now, to install it you need OPNsense 21.7 or 22.1, then download:
 
- * crowdsec-1.3.0.txz
- * crowdsec-firewall-bouncer-0.0.22_2.txz
- * os-crowdsec-0.0.5.txz
+ * crowdsec-1.3.1.r1.txz
+ * crowdsec-firewall-bouncer-0.0.23.r2.txz
+ * os-crowdsec-0.0.6.txz
 
 You find them in the
 [Releases](https://github.com/crowdsecurity/opnsense-plugin-crowdsec/releases)
-page, under "Assets". For example, `opnsense_22.1-freebsd_13-oscrowdsec_0.0.5.tar` contains
+page, under "Assets". For example, `opnsense_22.1-freebsd_13-oscrowdsec_0.0.6.tar` contains
 the three files listed above.
 
 Copy them to your firewall instance with scp, then install the packages in the
 following order but do *not* enable them like the post-install messages say.
 These instruction are for using them without OPNsense.
 
 ```
-# pkg add ./crowdsec-1.3.0.txz
+# pkg add ./crowdsec-1.3.1.r1.txz
 ...
-# pkg add ./crowdsec-firewall-bouncer-0.0.22_2.txz
+# pkg add ./crowdsec-firewall-bouncer-0.0.23.r2.txz
 ...
-# pkg add ./os-crowdsec-0.0.5.txz
+# pkg add ./os-crowdsec-0.0.6.txz
 ...
 ```
 
@@ -65,54 +74,10 @@ These instruction are for using them without OPNsense.
 Configuration
 -------------
 
-The following steps have not yet been automated. They will not be necessary in the final version.
-
-
- * Add a couple of Alias objects in the OPNsense admin interface (menu Firewall -> Aliases).
-
-One for IPv4 (crowdsec_blacklists), one for IPv6 (crowdsec6_blacklists)
-
-<kbd>
-  <img src="/docs/images/aliases_list.png" />
-</kbd>
-
- * They must be of type "External".
-
-<kbd>
-  <img src="/docs/images/alias_details.png" />
-</kbd>
-
- * Now you have to add two rules, one for each Alias, under Firewall -> Rules -> Floating.
-
-<kbd>
-  <img src="/docs/images/rules_list.png" />
-</kbd>
-
- * You must select Action = Block, Quick = yes, Type = IPv4, Source: crowdsec_blacklists.
-
-Leave the rest as defaults, add a description if you want.
-
-<kbd>
-  <img src="/docs/images/rule_details.png" />
-</kbd>
-
- * Create a second rule for the IPv6 alias.
-
- * Click on "Apply changes" at the top of the page.
-
+The creation of firewall tables and rules has now been automated, you don't need
+to do anything.
 
- * Finally, you have to add these lines to `/usr/local/etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml`:
-
-```
-blacklists_ipv4: crowdsec_blacklists
-blacklists_ipv6: crowdsec6_blacklists
-pf:
-  anchor_name: ''
-```
-
- * Then apply the changes with `configctl crowdsec reconfigure`.
-
-You should now be able to see the blocked IPs in Firewall -> Diagnostics -> Aliases.
+You should already be able to see the blocked IPs in Firewall -> Diagnostics -> Aliases.
 
 A quick way to test that everything is working correctly is to execute the
 following command. Your ssh session should freeze and kick you out. You will
@@ -125,19 +90,38 @@ connect, should anything go wrong.
 ```
 
 
-
 Upgrade
 -------
 
-Download the new version and use "pkg upgrade" instead of "pkg add".
+> From v0.0.5: remove the Alias objects named `crowdsec_blackslists` and
+> `crowdsec6_blacklists`, and the rules of the same name.
+
+Download the new version of the plugin, extract and use "pkg upgrade" instead of "pkg add".
 
 You can also use "pkg remove crowdsec crowdsec-firewall-bouncer oscrowdsec"
 followed by the three "pkg add", but respect the installation order.
 
 
+Uninstalling
+------------
+
+If you want to completely remove the plugin and all its configuration, uninstall
+it from the admin interface, then:
+
+ - remove the two Alias objects `crowdsec_blacklists` and `crowdsec6_blacklists`
+ - `pkg remove crowdsec crowdsec-firewall-bouncer`
+ - `rm -rf /var/log/crowdsec /usr/local/etc/crowdsec`
+
+
 Changelog
 ---------
 
+v0.0.6
+
+ - crowdsec update 1.3.1.r1
+ - bouncer update to 0.0.23.r1
+ - automated creation of Alias and Rule objects
+
 v0.0.5
 
  - fixed an issue that prevented the bouncer from banning IPs on opnsense

src/etc/inc/plugins.inc.d/crowdsec.inc

@@ -3,21 +3,66 @@
 // SPDX-License-Identifier: MIT
 // SPDX-FileCopyrightText: © 2021 CrowdSec <info@crowdsec.net>
 
-function crowdsec_enabled()
+use OPNsense\Core\Config;
+
+function bouncer_enabled()
 {
     global $config;
 
     return isset($config['OPNsense']['crowdsec']['general']['firewall_bouncer_enabled']) &&
     $config['OPNsense']['crowdsec']['general']['firewall_bouncer_enabled'] == 1;
 }
 
-function crowdsec_firewall($fw)
+function add_alias_if_not_exist($name, $description, $proto) {
+    $model = new OPNsense\Firewall\Alias();
+    foreach ($model->aliases->alias->iterateItems() as $alias) {
+        if ((string)$alias->name == $name) {
+            return;
+        }
+    }
+
+    $new_alias = $model->aliases->alias->Add();
+    $new_alias->name = $name;
+    $new_alias->description = $description;
+    $new_alias->proto = $proto;
+    $new_alias->type = 'external';
+    $model->serializeToConfig();
+    Config::getInstance()->save();
+}
+
+function crowdsec_firewall(\OPNsense\Firewall\Plugin $fw)
 {
-    if (!crowdsec_enabled()) {
+    if (!bouncer_enabled()) {
         return;
     }
 
-    $fw->registerAnchor('crowdsec', 'fw');
+    add_alias_if_not_exist('crowdsec_blacklists', 'CrowdSec (IPv4)', 'IPv4');
+
+    $fw->registerFilterRule(
+        1, /* priority */
+        array(
+            'ipprotocol'     => 'inet',
+            'descr'          => 'CrowdSec (IPv4)',
+            'from'           => '$crowdsec_blacklists',     # $ to reference an alias
+            'type'           => 'block',
+            'quick'          => true
+        ),
+        null
+    );
+
+    add_alias_if_not_exist('crowdsec6_blacklists', 'CrowdSec (IPv6)', 'IPv6');
+
+    $fw->registerFilterRule(
+        1, /* priority */
+        array(
+            'ipprotocol'     => 'inet6',
+            'descr'          => 'CrowdSec (IPv6)',
+            'from'           => '$crowdsec6_blacklists',    # $ to reference an alias
+            'type'           => 'block',
+            'quick'          => true
+        ),
+        null
+    );
 }
 
 function crowdsec_services()

src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/AlertsController.php

@@ -30,5 +30,4 @@ public function getAction()
         }
         return array("message" => "unable to list alerts");
     }
-
 }

src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/BouncersController.php

@@ -30,5 +30,4 @@ public function getAction()
         }
         return array("message" => "unable to list bouncers");
     }
-
 }

src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/CollectionsController.php

@@ -30,5 +30,4 @@ public function getAction()
         }
         return array("message" => "unable to list collections");
     }
-
 }

src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/DecisionsController.php

@@ -40,7 +40,7 @@ public function deleteAction($decision_id)
                 // why does the action return \n\n for empty output?
                 if (trim($bckresult) === '') {
                     return array("message" => "OK");
-                };
+                }
                 // TODO handle error
                 return array("message" => $bckresult);
             }
@@ -50,5 +50,4 @@ public function deleteAction($decision_id)
             $this->response->setHeader("Allow", "DELETE");
         }
     }
-
 }

src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/MachinesController.php

@@ -30,5 +30,4 @@ public function getAction()
         }
         return array("message" => "unable to list machines");
     }
-
 }

src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/ParsersController.php

@@ -30,5 +30,4 @@ public function getAction()
         }
         return array("message" => "unable to list parsers");
     }
-
 }

src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/PostoverflowsController.php

@@ -30,5 +30,4 @@ public function getAction()
         }
         return array("message" => "unable to list postoverflows");
     }
-
 }

src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/ScenariosController.php

@@ -30,5 +30,4 @@ public function getAction()
         }
         return array("message" => "unable to list scenarios");
     }
-
 }

src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/ServiceController.php

@@ -43,23 +43,21 @@ public function statusAction()
         $backend = new Backend();
         $response = $backend->configdRun("crowdsec crowdsec-status");
 
+        $status = "unkown";
         if (strpos($response, "not running") > 0) {
             $status = "stopped";
         } elseif (strpos($response, "is running") > 0) {
             $status = "running";
-        } else {
-            $status = "unkown";
-        };
+        }
 
         $response = $backend->configdRun("crowdsec crowdsec-firewall-status");
 
+        $firewall_status = "unknown";
         if (strpos($response, "not running") > 0) {
             $firewall_status = "stopped";
         } elseif (strpos($response, "is running") > 0) {
             $firewall_status = "running";
-        } else {
-            $firewall_status = "unknown";
-        };
+        }
 
         return array(
             "crowdsec-status" => $status,

src/opnsense/mvc/app/controllers/OPNsense/CrowdSec/Api/VersionController.php

@@ -25,5 +25,4 @@ public function getAction()
         $backend = new Backend();
         return $backend->configdRun("crowdsec version");
     }
-
 }

src/opnsense/mvc/app/models/OPNsense/CrowdSec/General.xml

@@ -1,7 +1,7 @@
 <model>
   <mount>//OPNsense/crowdsec/general</mount>
   <description>CrowdSec general configuration</description>
-  <version>0.0.5</version>
+  <version>0.0.6</version>
   <items>
     <agent_enabled type="BooleanField">
       <default>0</default>

src/opnsense/scripts/OPNsense/CrowdSec/hub-upgrade.sh

@@ -8,6 +8,11 @@ fi
     && /usr/local/bin/cscli --error hub upgrade
 
 if service crowdsec enabled; then
-    ( service crowdsec restart || service crowdsec start ) >/dev/null
+    # have to check status explicitly because "restart" can set $? = 0 even when failing
+    if service crowdsec status >/dev/null 2>&1; then
+        service crowdsec start >/dev/null 2>&1 || :
+    else
+        service crowdsec restart >/dev/null 2>&1 || :
+    fi
 fi
 

src/opnsense/scripts/OPNsense/CrowdSec/reconfigure.py

@@ -5,6 +5,7 @@
 agent_config_path = '/usr/local/etc/crowdsec/config.yaml'
 bouncer_config_path = '/usr/local/etc/crowdsec/bouncers/crowdsec-firewall-bouncer.yaml'
 
+
 def configure_agent():
     with open(agent_config_path) as fin:
         config = yaml.safe_load(fin)

src/opnsense/scripts/OPNsense/CrowdSec/reconfigure.sh

@@ -18,7 +18,12 @@ set -e
 
 # crowdsec was already restarted by hub-upgrade.sh
 if service crowdsec_firewall enabled; then
-    ( service crowdsec_firewall restart || service crowdsec_firewall start ) >/dev/null
+    # have to check status explicitly because "restart" can set $? = 0 even when failing
+    if service crowdsec_firewall status >/dev/null 2>&1; then
+        service crowdsec_firewall restart >/dev/null 2>&1 || :
+    else
+        service crowdsec_firewall start >/dev/null 2>&1 || :
+    fi
 fi
 
 echo "OK"