-
Notifications
You must be signed in to change notification settings - Fork 14
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #24 from browningluke/add_os-firewall_resources
Add os-firewall resources
- Loading branch information
Showing
19 changed files
with
1,864 additions
and
3 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,55 @@ | ||
| --- | ||
| page_title: "opnsense_firewall_filter Data Source - terraform-provider-opnsense" | ||
| subcategory: Firewall | ||
| description: |- | ||
| Firewall filter rules can be used to restrict or allow traffic from and/or to specific networks as well as influence how traffic should be forwarded | ||
| --- | ||
|
|
||
| # opnsense_firewall_filter (Data Source) | ||
|
|
||
| Firewall filter rules can be used to restrict or allow traffic from and/or to specific networks as well as influence how traffic should be forwarded | ||
|
|
||
| ~> This resource requires the `os-firewall` plugin to be installed. It will *not* behave correctly if it is not installed. | ||
|
|
||
| <!-- schema generated by tfplugindocs --> | ||
| ## Schema | ||
|
|
||
| ### Required | ||
|
|
||
| - `id` (String) UUID of the resource. | ||
|
|
||
| ### Read-Only | ||
|
|
||
| - `action` (String) Choose what to do with packets that match the criteria specified below. Hint: the difference between block and reject is that with reject, a packet (TCP RST or ICMP port unreachable for UDP) is returned to the sender, whereas with block the packet is dropped silently. In either case, the original packet is discarded. Available values: `pass`, `block`, `reject`. | ||
| - `description` (String) Optional description here for your reference (not parsed). | ||
| - `destination` (Attributes) (see [below for nested schema](#nestedatt--destination)) | ||
| - `direction` (String) Direction of the traffic. The default policy is to filter inbound traffic, which sets the policy to the interface originally receiving the traffic. Available values: `in`, `out`. | ||
| - `enabled` (Boolean) Enable this firewall filter rule. | ||
| - `gateway` (String) Leave as `""` to use the system routing table. Or choose a gateway to utilize policy based routing. | ||
| - `interface` (Set of String) The interface(s) on which the packets must come in to match this rule. | ||
| - `ip_protocol` (String) Select the Internet Protocol version this rule applies to. Available values: `inet`, `inet6`. | ||
| - `log` (Boolean) Log packets that are handled by this rule. | ||
| - `protocol` (String) Choose which IP protocol this rule should match. | ||
| - `quick` (Boolean) If a packet matches a rule specifying quick, then that rule is considered the last matching rule and the specified action is taken. When a rule does not have quick enabled, the last matching rule wins. | ||
| - `sequence` (Number) Specify the order of this filter rule. | ||
| - `source` (Attributes) (see [below for nested schema](#nestedatt--source)) | ||
|
|
||
| <a id="nestedatt--destination"></a> | ||
| ### Nested Schema for `destination` | ||
|
|
||
| Read-Only: | ||
|
|
||
| - `invert` (Boolean) Use this option to invert the sense of the match. | ||
| - `net` (String) Specify the IP address, CIDR or alias for the destination of the packet for this mapping. | ||
| - `port` (Number) Specify the port for the destination of the packet for this mapping. | ||
|
|
||
|
|
||
| <a id="nestedatt--source"></a> | ||
| ### Nested Schema for `source` | ||
|
|
||
| Read-Only: | ||
|
|
||
| - `invert` (Boolean) Use this option to invert the sense of the match. | ||
| - `net` (String) Specify the IP address, CIDR or alias for the source of the packet for this mapping. | ||
| - `port` (Number) Specify the source port for this rule. This is usually random and almost never equal to the destination port range (and should usually be `-1`). | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,62 @@ | ||
| --- | ||
| page_title: "opnsense_firewall_nat Data Source - terraform-provider-opnsense" | ||
| subcategory: Firewall | ||
| description: |- | ||
| Firewall filter rules can be used to restrict or allow traffic from and/or to specific networks as well as influence how traffic should be forwarded | ||
| --- | ||
|
|
||
| # opnsense_firewall_nat (Data Source) | ||
|
|
||
| Firewall filter rules can be used to restrict or allow traffic from and/or to specific networks as well as influence how traffic should be forwarded | ||
|
|
||
| ~> This resource requires the `os-firewall` plugin to be installed. It will *not* behave correctly if it is not installed. | ||
|
|
||
| <!-- schema generated by tfplugindocs --> | ||
| ## Schema | ||
|
|
||
| ### Required | ||
|
|
||
| - `id` (String) UUID of the resource. | ||
|
|
||
| ### Read-Only | ||
|
|
||
| - `description` (String) Optional description here for your reference (not parsed). | ||
| - `destination` (Attributes) (see [below for nested schema](#nestedatt--destination)) | ||
| - `disable_nat` (Boolean) Enabling this option will disable NAT for traffic matching this rule and stop processing Outbound NAT rules. | ||
| - `enabled` (Boolean) Enable this firewall NAT rule. | ||
| - `interface` (String) The interface on which packets must come in to match this rule. | ||
| - `ip_protocol` (String) Select the Internet Protocol version this rule applies to. Available values: `inet`, `inet6`. | ||
| - `log` (Boolean) Log packets that are handled by this rule. | ||
| - `protocol` (String) Choose which IP protocol this rule should match. | ||
| - `sequence` (Number) Specify the order of this NAT rule. | ||
| - `source` (Attributes) (see [below for nested schema](#nestedatt--source)) | ||
| - `target` (Attributes) (see [below for nested schema](#nestedatt--target)) | ||
|
|
||
| <a id="nestedatt--destination"></a> | ||
| ### Nested Schema for `destination` | ||
|
|
||
| Read-Only: | ||
|
|
||
| - `invert` (Boolean) Use this option to invert the sense of the match. | ||
| - `net` (String) Specify the IP address, CIDR or alias for the destination of the packet for this mapping. | ||
| - `port` (Number) Specify the port for the destination of the packet for this mapping. | ||
|
|
||
|
|
||
| <a id="nestedatt--source"></a> | ||
| ### Nested Schema for `source` | ||
|
|
||
| Read-Only: | ||
|
|
||
| - `invert` (Boolean) Use this option to invert the sense of the match. | ||
| - `net` (String) Specify the IP address, CIDR or alias for the source of the packet for this mapping. | ||
| - `port` (Number) Specify the source port for this rule. This is usually random and almost never equal to the destination port range (and should usually be `-1`). | ||
|
|
||
|
|
||
| <a id="nestedatt--target"></a> | ||
| ### Nested Schema for `target` | ||
|
|
||
| Read-Only: | ||
|
|
||
| - `ip` (String) Specify the IP address or alias for the packets to be mapped to. | ||
| - `port` (Number) Destination port number or well known name (imap, imaps, http, https, ...), for ranges use a dash. | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,135 @@ | ||
| --- | ||
| page_title: "opnsense_firewall_filter Resource - terraform-provider-opnsense" | ||
| subcategory: Firewall | ||
| description: |- | ||
| Firewall filter rules can be used to restrict or allow traffic from and/or to specific networks as well as influence how traffic should be forwarded | ||
| --- | ||
|
|
||
| # opnsense_firewall_filter (Resource) | ||
|
|
||
| Firewall filter rules can be used to restrict or allow traffic from and/or to specific networks as well as influence how traffic should be forwarded | ||
|
|
||
| ~> This resource requires the `os-firewall` plugin to be installed. It will *not* behave correctly if it is not installed. | ||
|
|
||
| ## Example Usage | ||
|
|
||
| ```terraform | ||
| resource "opnsense_firewall_filter" "example_one" { | ||
| enabled = false | ||
| sequence = 1 | ||
| action = "block" | ||
| quick = false | ||
| interface = [ | ||
| "lan", | ||
| "lo0", | ||
| ] | ||
| direction = "in" | ||
| ip_protocol = "inet" | ||
| protocol = "UDP" | ||
| source = { | ||
| net = "any" | ||
| invert = true | ||
| } | ||
| destination = { | ||
| net = "examplealias" | ||
| port = 443 | ||
| } | ||
| log = false | ||
| description = "example rule" | ||
| } | ||
| resource "opnsense_firewall_filter" "example_two" { | ||
| action = "pass" | ||
| interface = [ | ||
| "wan", | ||
| ] | ||
| direction = "in" | ||
| protocol = "TCP" | ||
| source = { | ||
| net = "wan" # This is equiv. to WAN Net | ||
| } | ||
| destination = { | ||
| net = "10.8.0.1" | ||
| port = 443 | ||
| } | ||
| description = "example rule" | ||
| } | ||
| resource "opnsense_firewall_filter" "example_three" { | ||
| action = "pass" | ||
| interface = [ | ||
| "wan", | ||
| ] | ||
| direction = "out" | ||
| protocol = "TCP" | ||
| source = { | ||
| net = "192.168.0.0/16" | ||
| } | ||
| destination = { | ||
| net = "wanip" # This is equiv. to WAN Address | ||
| port = 443 | ||
| } | ||
| description = "example rule" | ||
| log = true | ||
| } | ||
| ``` | ||
|
|
||
| <!-- schema generated by tfplugindocs --> | ||
| ## Schema | ||
|
|
||
| ### Required | ||
|
|
||
| - `action` (String) Choose what to do with packets that match the criteria specified below. Hint: the difference between block and reject is that with reject, a packet (TCP RST or ICMP port unreachable for UDP) is returned to the sender, whereas with block the packet is dropped silently. In either case, the original packet is discarded. Available values: `pass`, `block`, `reject`. | ||
| - `direction` (String) Direction of the traffic. The default policy is to filter inbound traffic, which sets the policy to the interface originally receiving the traffic. Available values: `in`, `out`. | ||
| - `interface` (Set of String) Choose on which interface(s) packets must come in to match this rule. Must specify at least 1. | ||
| - `protocol` (String) Choose which IP protocol this rule should match. | ||
|
|
||
| ### Optional | ||
|
|
||
| - `description` (String) Optional description here for your reference (not parsed). | ||
| - `destination` (Attributes) (see [below for nested schema](#nestedatt--destination)) | ||
| - `enabled` (Boolean) Enable this firewall filter rule. Defaults to `true`. | ||
| - `gateway` (String) Leave as `""` to use the system routing table. Or choose a gateway to utilize policy based routing. Defaults to `""`. | ||
| - `ip_protocol` (String) Select the Internet Protocol version this rule applies to. Available values: `inet`, `inet6`. Defaults to `inet`. | ||
| - `log` (Boolean) Log packets that are handled by this rule. Defaults to `false`. | ||
| - `quick` (Boolean) If a packet matches a rule specifying quick, then that rule is considered the last matching rule and the specified action is taken. When a rule does not have quick enabled, the last matching rule wins. Defaults to `true`. | ||
| - `sequence` (Number) Specify the order of this filter rule. Defaults to `1`. | ||
| - `source` (Attributes) (see [below for nested schema](#nestedatt--source)) | ||
|
|
||
| ### Read-Only | ||
|
|
||
| - `id` (String) UUID of the resource. | ||
|
|
||
| <a id="nestedatt--destination"></a> | ||
| ### Nested Schema for `destination` | ||
|
|
||
| Optional: | ||
|
|
||
| - `invert` (Boolean) Use this option to invert the sense of the match. Defaults to `false`. | ||
| - `net` (String) Specify the IP address, CIDR or alias for the destination of the packet for this mapping. For `<INT> net`, enter `<int>` (e.g. `lan`). For `<INT> address`, enter `<int>ip` (e.g. `lanip`). Defaults to `any`. | ||
| - `port` (Number) Destination port number or well known name (imap, imaps, http, https, ...), for ranges use a dash. Defaults to `-1`. | ||
|
|
||
|
|
||
| <a id="nestedatt--source"></a> | ||
| ### Nested Schema for `source` | ||
|
|
||
| Optional: | ||
|
|
||
| - `invert` (Boolean) Use this option to invert the sense of the match. Defaults to `false`. | ||
| - `net` (String) Specify the IP address, CIDR or alias for the source of the packet for this mapping. For `<INT> net`, enter `<int>` (e.g. `lan`). For `<INT> address`, enter `<int>ip` (e.g. `lanip`). Defaults to `any`. | ||
| - `port` (Number) Specify the source port for this rule. This is usually random and almost never equal to the destination port range (and should usually be `-1`). Defaults to `-1`. | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,132 @@ | ||
| --- | ||
| page_title: "opnsense_firewall_nat Resource - terraform-provider-opnsense" | ||
| subcategory: Firewall | ||
| description: |- | ||
| Firewall filter rules can be used to restrict or allow traffic from and/or to specific networks as well as influence how traffic should be forwarded | ||
| --- | ||
|
|
||
| # opnsense_firewall_nat (Resource) | ||
|
|
||
| Firewall filter rules can be used to restrict or allow traffic from and/or to specific networks as well as influence how traffic should be forwarded | ||
|
|
||
| ~> This resource requires the `os-firewall` plugin to be installed. It will *not* behave correctly if it is not installed. | ||
|
|
||
| ## Example Usage | ||
|
|
||
| ```terraform | ||
| resource "opnsense_firewall_nat" "example_one" { | ||
| disable_nat = true | ||
| interface = "wan" | ||
| protocol = "TCP" | ||
| target = { | ||
| ip = "wanip" | ||
| } | ||
| log = true | ||
| description = "Example" | ||
| } | ||
| resource "opnsense_firewall_nat" "example_two" { | ||
| enabled = false | ||
| interface = "wan" | ||
| protocol = "TCP" | ||
| source = { | ||
| net = "wan" # This is equiv. to WAN Net | ||
| } | ||
| destination = { | ||
| net = "10.8.0.1" | ||
| port = 443 | ||
| } | ||
| target = { | ||
| ip = "wanip" | ||
| port = 80 | ||
| } | ||
| log = true | ||
| description = "Example" | ||
| } | ||
| resource "opnsense_firewall_nat" "example_three" { | ||
| interface = "wan" | ||
| protocol = "TCP" | ||
| source = { | ||
| net = "192.168.0.0/16" # This is equiv. to WAN Net | ||
| invert = true | ||
| } | ||
| destination = { | ||
| net = "examplealias" | ||
| port = 443 | ||
| } | ||
| target = { | ||
| ip = "wanip" | ||
| port = 443 | ||
| } | ||
| description = "Example" | ||
| } | ||
| ``` | ||
|
|
||
| <!-- schema generated by tfplugindocs --> | ||
| ## Schema | ||
|
|
||
| ### Required | ||
|
|
||
| - `interface` (String) Choose on which interface(s) packets must come in to match this rule. | ||
| - `protocol` (String) Choose which IP protocol this rule should match. | ||
| - `target` (Attributes) (see [below for nested schema](#nestedatt--target)) | ||
|
|
||
| ### Optional | ||
|
|
||
| - `description` (String) Optional description here for your reference (not parsed). | ||
| - `destination` (Attributes) (see [below for nested schema](#nestedatt--destination)) | ||
| - `disable_nat` (Boolean) Enabling this option will disable NAT for traffic matching this rule and stop processing Outbound NAT rules. Defaults to `false`. | ||
| - `enabled` (Boolean) Enable this firewall NAT rule. Defaults to `true`. | ||
| - `ip_protocol` (String) Select the Internet Protocol version this rule applies to. Available values: `inet`, `inet6`. Defaults to `inet`. | ||
| - `log` (Boolean) Log packets that are handled by this rule. Defaults to `false`. | ||
| - `sequence` (Number) Specify the order of this NAT rule. Defaults to `1`. | ||
| - `source` (Attributes) (see [below for nested schema](#nestedatt--source)) | ||
|
|
||
| ### Read-Only | ||
|
|
||
| - `id` (String) UUID of the resource. | ||
|
|
||
| <a id="nestedatt--target"></a> | ||
| ### Nested Schema for `target` | ||
|
|
||
| Required: | ||
|
|
||
| - `ip` (String) Specify the IP address or alias for the packets to be mapped to. For `<INT> address`, enter `<int>ip` (e.g. `lanip`). | ||
|
|
||
| Optional: | ||
|
|
||
| - `port` (Number) Destination port number or well known name (imap, imaps, http, https, ...), for ranges use a dash. Defaults to `-1`. | ||
|
|
||
|
|
||
| <a id="nestedatt--destination"></a> | ||
| ### Nested Schema for `destination` | ||
|
|
||
| Optional: | ||
|
|
||
| - `invert` (Boolean) Use this option to invert the sense of the match. Defaults to `false`. | ||
| - `net` (String) Specify the IP address, CIDR or alias for the destination of the packet for this mapping. For `<INT> net`, enter `<int>` (e.g. `lan`). For `<INT> address`, enter `<int>ip` (e.g. `lanip`). Defaults to `any`. | ||
| - `port` (Number) Destination port number or well known name (imap, imaps, http, https, ...), for ranges use a dash. Defaults to `-1`. | ||
|
|
||
|
|
||
| <a id="nestedatt--source"></a> | ||
| ### Nested Schema for `source` | ||
|
|
||
| Optional: | ||
|
|
||
| - `invert` (Boolean) Use this option to invert the sense of the match. Defaults to `false`. | ||
| - `net` (String) Specify the IP address, CIDR or alias for the source of the packet for this mapping. For `<INT> net`, enter `<int>` (e.g. `lan`). For `<INT> address`, enter `<int>ip` (e.g. `lanip`). Defaults to `any`. | ||
| - `port` (Number) Specify the source port for this rule. This is usually random and almost never equal to the destination port range (and should usually be `-1`). Defaults to `-1`. | ||
|
|
Oops, something went wrong.