OPNsense Alias Updates via scripting
Intro
In this example I show you how to update the aliases of the OPNsense firewall with a simple shell script.
The example script asks for the current IPs/networks from the official data endpoint https://ip-ranges.amazonaws.com/ip-ranges.json
and extracts the respective IP ranges with jq; the selection can be restricted with select (here by region and service).
The standard output of jq is stored in a file. Then curl reads each line of the file and updates the firewall alias through the API endpoint.
Script
#!/usr/bin/env bash
# -E and pipefail are bash options, so the script must run under bash, not sh
set -Eeuo pipefail

FILENAME="amazon_aws_complete-ipv4.txt"   # list that was pushed to the alias on the previous run
FWIP=172.22.40.253
OPNSENSE_KEY=""                            # API key/secret: keep these out of version control
OPNSENSE_SECRET=""
ALIAS=AMAZON_IPS
REGIONS="eu-west-1 eu-west-2 eu-central-1"
SERVICES="S3 KINESIS_VIDEO_STREAMS DYNAMODB GLOBALACCELERATOR CLOUDFRONT CLOUDFRONT_ORIGIN_FACING"

# api <json-body> <api-path>: POST to the firewall's alias API
# -k skips TLS certificate verification of the firewall; drop it once the
# firewall presents a certificate that this host trusts
api() {
  curl -sS -X POST -d "$1" -H 'Content-Type: application/json' -k \
       -u "$OPNSENSE_KEY:$OPNSENSE_SECRET" "https://$FWIP/api/firewall/$2"
  echo
}

AWSJSON=$(mktemp)
NEWLIST=$(mktemp)
trap 'rm -f "$AWSJSON" "$NEWLIST"' EXIT

# get AWS public ranges first: -f makes a failed download abort the script
# (set -e) before any existing alias entry has been deleted
# https://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html
curl -fsS https://ip-ranges.amazonaws.com/ip-ranges.json > "$AWSJSON"

# save ipv4: one jq call per service/region pair, then sort & uniq
for SERVICE in $SERVICES; do
  for REGION in $REGIONS; do
    jq -r --arg r "$REGION" --arg s "$SERVICE" \
       '.prefixes[] | select(.region==$r) | select(.service==$s) | .ip_prefix' "$AWSJSON"
  done
done | sort -h | uniq > "$NEWLIST"

# save ipv6 (disabled)
#jq -r '.ipv6_prefixes[] | select(.region=="eu-west-1") | .ip_prefix' "$AWSJSON" | sort -h | uniq > amazon_aws_complete-ipv6.txt

# delete IP addresses loop: remove the entries pushed on the previous run, if that list exists
if test -f "$FILENAME"; then
  while IFS= read -r IPLIST; do
    api '{"address":"'"$IPLIST"'"}' "alias_util/delete/$ALIAS"
  done < "$FILENAME"
fi

# add IP addresses loop
while IFS= read -r IPLIST; do
  api '{"address":"'"$IPLIST"'"}' "alias_util/add/$ALIAS"
done < "$NEWLIST"
cp "$NEWLIST" "$FILENAME"

# reload FW
curl -sS -X POST -d "" -k -u "$OPNSENSE_KEY:$OPNSENSE_SECRET" "https://$FWIP/api/firewall/alias/reconfigure"
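As an added example (not the post's script), the same selection and update logic in Python: it filters a constructed ip-ranges.json sample by region and service, drops any entry that is not a valid strict IPv4 CIDR before it can reach the firewall, and diffs the new list against the previous run's list so only changed entries are deleted or added instead of emptying the alias first. The URLs follow the alias_util endpoints used above; the sample data, the function names and the previous-run list are assumptions.

```python
import ipaddress
import json

# Constructed sample in the shape of ip-ranges.json (not the real AWS file);
# the last entry has host bits set, so it is not a valid strict CIDR network.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0000000001",
    "createDate": "2024-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "52.218.0.0/17", "region": "eu-west-1", "service": "S3"},
        {"ip_prefix": "52.218.0.0/17", "region": "eu-west-1", "service": "AMAZON"},
        {"ip_prefix": "3.5.244.0/22", "region": "eu-west-2", "service": "S3"},
        {"ip_prefix": "13.32.0.0/15", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "198.51.100.5/24", "region": "eu-central-1", "service": "S3"},
    ],
})


def select_prefixes(ip_ranges_json, regions, services):
    """Sorted, de-duplicated IPv4 prefixes matching the region/service filter.
    Entries that are not valid strict CIDR networks are skipped, never posted."""
    doc = json.loads(ip_ranges_json)
    wanted = set()
    for entry in doc["prefixes"]:
        if entry["region"] not in regions or entry["service"] not in services:
            continue
        try:
            wanted.add(ipaddress.IPv4Network(entry["ip_prefix"], strict=True))
        except ValueError:
            continue  # malformed value: do not forward it to the firewall API
    return [str(net) for net in sorted(wanted)]


def plan_alias_update(current, desired):
    """Diff previous list vs new list: returns (to_delete, to_add), so only
    changed entries are touched and the alias is never emptied in between."""
    cur, des = set(current), set(desired)
    return sorted(cur - des), sorted(des - cur)


def alias_util_calls(fwip, alias, to_delete, to_add):
    """(url, json_body) pairs equivalent to the curl loops above, ending with reconfigure."""
    base = f"https://{fwip}/api/firewall"
    calls = [(f"{base}/alias_util/delete/{alias}", {"address": a}) for a in to_delete]
    calls += [(f"{base}/alias_util/add/{alias}", {"address": a}) for a in to_add]
    calls.append((f"{base}/alias/reconfigure", None))  # same reload call as the script
    return calls
```

Feed the returned pairs to your HTTP client with the API key/secret as basic auth; the list of pairs is also a convenient dry-run log of what a run would change.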
Reference
https://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html