Files
claudetools/.claude/skills/unifi-wifi/scripts/gw-control.sh
Howard Enos 1118594cd2 unifi-wifi: pfSense gateway compat layer (§E) — REST backend + dispatch inside gw-audit/gw-control
Per Howard's decision (2026-06-16, "try what Mike wanted"): Mike's §E open decisions resolved as
REST API package backend + dispatch INSIDE the existing gateway verbs (his lean), not sibling scripts.

- NEW scripts/pfsense-backend.sh: pfSense REST API (pfSense-pkg-RESTAPI v2, X-API-Key) driver exposing
  the same verbs as gw-control (audit, pf-list/disable/enable/delete/set-ports, fw-list/disable/enable,
  block-ips) + a `setup` helper. Writes --apply-gated with per-object rollback to .claude/tmp + firewall/apply.
- gw-audit.sh: when num_gw=0 and a clients/<slug>/pfsense-api cred is vaulted (or --pfsense <slug>),
  appends the pfSense WAN/DHCP/firewall audit; else prints the setup hint. (captures num_gw to gate.)
- gw-control.sh: same-verb auto-dispatch to pfsense-backend when a pfSense cred resolves for the site.
- SKILL.md [PROPOSED]->[SCAFFOLDED]; ROADMAP §E open decisions marked resolved.

STATUS: scaffolded. BLOCKED/setup/no-cred paths tested; gw-audit dispatch validated live (Cascades
num_gw=0 -> hint). Live REST calls pending a reachable pfSense with the API pkg + a vaulted key; v2
endpoint paths must be verified against the installed API version on first live run.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-16 13:51:10 -07:00

246 lines
14 KiB
Bash

#!/usr/bin/env bash
# gw-control.sh — gateway (USG/UXG/UDM) ROUTER actions: port-forwards + WAN firewall rules.
# The write-side companion to gw-audit.sh (which surfaces WAN exposure / open forwards). Lets you
# close or scope an internet-facing port-forward (e.g. a brute-forced PPTP/RDP/SMB), toggle a WAN
# firewall rule (e.g. a GRE allow that backs PPTP), and drop a list of attacker IPs at the edge.
#
# pf-list list all port-forwards (id, on/off, proto, ports, dst, src)
# pf-disable <name|id> disable a port-forward (keeps it, stops the exposure)
# pf-enable <name|id> re-enable a port-forward
# pf-delete <name|id> delete a port-forward
# pf-set-ports <name|id> <dst> [<fwd>] change dst_port (and fwd_port; default fwd=dst). e.g. drop
# 1723 from "80,443,1723": pf-set-ports VPN 80,443
# pf-set-src <name|id> <cidr|any> restrict the SOURCE of a port-forward (e.g. an office /32)
# fw-list list firewall rules (ruleset #index id action name on/off)
# fw-disable <name|id> disable a firewall rule (e.g. a "GRE" WAN_IN accept)
# fw-enable <name|id>
# block-ips <ip[,ip,...]> [--group N] create/append a WAN address-group + a WAN_IN drop rule
#
# DRY-RUN by default; --apply gated behind infrastructure/uos-server-network-api-rw. Reads via Mongo
# (no cred); writes via the controller REST (login -> GET/modify -> PUT|POST|DELETE on
# rest/portforward | rest/firewallrule | rest/firewallgroup). Rollback auto-saved to .claude/tmp.
# Controller-side -> any UOS site. PPTP needs BOTH tcp 1723 AND the GRE WAN_IN rule, so closing PPTP
# usually = pf-set-ports (drop 1723) + fw-disable the GRE rule.
#
# Usage: bash .claude/skills/unifi-wifi/scripts/gw-control.sh <site> <action> [args] [--apply]
set -uo pipefail
REPO="$(git rev-parse --show-toplevel 2>/dev/null || echo .)"
UOS="$REPO/.claude/scripts/uos-mongo.sh"; VAULT="$REPO/.claude/scripts/vault.sh"
SITEARG="${1:?usage: gw-control.sh <site> <action> [args] [--apply]}"
ACT="${2:?action: pf-list|pf-disable|pf-enable|pf-delete|pf-set-ports|pf-set-src|fw-list|fw-disable|fw-enable|block-ips}"
shift 2
APPLY=0; GROUP="gw-control blocklist"; PFARG=""; POS=()
while [ $# -gt 0 ]; do
case "$1" in
--apply) APPLY=1; shift;;
--group) GROUP="${2:?--group needs a name}"; shift 2;;
--pfsense) PFARG="${2:?--pfsense needs a slug/vault-path}"; shift 2;; # route to pfSense backend (§E)
*) POS+=("$1"); shift;;
esac
done
# resolve SITE (24-hex id, or fuzzy name via --sites)
if [[ "$SITEARG" =~ ^[0-9a-f]{24}$ ]]; then SITE="$SITEARG"; else
SITE="$(bash "$UOS" --sites 2>/dev/null | grep -vi 'pq.html' | grep -i "$SITEARG" | awk '{print $1}' | head -1)"; fi
[ -n "$SITE" ] || { echo "[ERROR] site not found: $SITEARG"; exit 1; }
MONGO_CLEAN='grep -viE pq.html|post-quantum|store now|server may need'
# ---------- pfSense dispatch (ROADMAP §E): gateway is pfSense (vaulted API cred) -> same verbs, pfSense backend ----------
# pfSense isn't on the UOS controller, so the UniFi Mongo/REST path below would find nothing. If a
# pfSense REST API cred is vaulted for this site, route the SAME verb (pf-*/fw-*/block-ips) to it.
pf_cands=()
[ -n "$PFARG" ] && { case "$PFARG" in */*) pf_cands+=("$PFARG");; *) pf_cands+=("clients/$PFARG/pfsense-api");; esac; }
pf_cands+=("clients/$SITEARG/pfsense-api")
for cand in "${pf_cands[@]}"; do
if [ -n "$(bash "$VAULT" get-field "$cand" credentials.apikey 2>/dev/null || bash "$VAULT" get-field "$cand" apikey 2>/dev/null)" ]; then
echo "[INFO] pfSense gateway (cred vault:$cand) -> dispatching '$ACT' to pfsense-backend.sh"
args=("$cand" "$ACT"); [ ${#POS[@]} -gt 0 ] && args+=("${POS[@]}")
[ "$ACT" = "block-ips" ] && args+=(--alias "${GROUP// /_}")
[ "$APPLY" = "1" ] && args+=(--apply)
exec bash "$REPO/.claude/skills/unifi-wifi/scripts/pfsense-backend.sh" "${args[@]}"
fi
done
# ---------- READ-ONLY listers (Mongo, no cred) ----------
pf_list() {
cat <<JS | bash "$UOS" 2>&1 | grep -viE 'pq.html|post-quantum|store now|server may need'
db.portforward.find({site_id:"$SITE"}).forEach(function(p){
print((p.enabled?"[on] ":"[off] ")+"id="+p._id+" name='"+(p.name||"")+"' "+(p.proto||"")+
" dst_port="+(p.dst_port||"")+" -> "+(p.fwd||"")+":"+(p.fwd_port||"")+" src="+(p.src||"any"));
});
JS
}
fw_list() {
cat <<JS | bash "$UOS" 2>&1 | grep -viE 'pq.html|post-quantum|store now|server may need'
db.firewallrule.find({site_id:"$SITE"}).sort({ruleset:1,rule_index:1}).forEach(function(r){
var src=(r.src_firewallgroup_ids&&r.src_firewallgroup_ids.length)?(" src_grp="+r.src_firewallgroup_ids.join(",")):"";
print((r.enabled?"[on] ":"[off] ")+r.ruleset+" #"+r.rule_index+" id="+r._id+" "+r.action+
" '"+(r.name||"")+"' proto="+(r.protocol||"")+(r.dst_port?(" dst_port="+r.dst_port):"")+src);
});
JS
}
case "$ACT" in
pf-list) echo "[INFO] site=$SITE port-forwards:"; pf_list; exit 0;;
fw-list) echo "[INFO] site=$SITE firewall rules:"; fw_list; exit 0;;
esac
# ---------- DRY-RUN preview for write actions (Mongo lookup of the target) ----------
TARGET="${POS[0]:-}"
echo "[INFO] site=$SITE action=$ACT target='${TARGET:-}' mode=$([ $APPLY = 1 ] && echo APPLY || echo DRY-RUN)"
case "$ACT" in
pf-disable|pf-enable|pf-delete|pf-set-ports|pf-set-src)
[ -n "$TARGET" ] || { echo "[ERROR] $ACT needs <name|id>"; exit 1; }
echo " --- current matching port-forward(s) ---"
cat <<JS | bash "$UOS" 2>&1 | grep -viE 'pq.html|post-quantum|store now|server may need'
var T="$TARGET";
db.portforward.find({site_id:"$SITE"}).forEach(function(p){
if(p._id===T || (p.name&&p.name.toLowerCase()===T.toLowerCase())){
print(" [on?"+p.enabled+"] id="+p._id+" name='"+(p.name||"")+"' "+(p.proto||"")+" dst_port="+(p.dst_port||"")+" -> "+(p.fwd||"")+":"+(p.fwd_port||"")+" src="+(p.src||"any"));
}
});
JS
;;
fw-disable|fw-enable)
[ -n "$TARGET" ] || { echo "[ERROR] $ACT needs <name|id>"; exit 1; }
echo " --- current matching firewall rule(s) ---"
cat <<JS | bash "$UOS" 2>&1 | grep -viE 'pq.html|post-quantum|store now|server may need'
var T="$TARGET";
db.firewallrule.find({site_id:"$SITE"}).forEach(function(r){
if(r._id===T || (r.name&&r.name.toLowerCase()===T.toLowerCase())){
print(" ["+r.ruleset+" #"+r.rule_index+" on?"+r.enabled+"] id="+r._id+" "+r.action+" '"+(r.name||"")+"'");
}
});
JS
;;
block-ips)
[ -n "$TARGET" ] || { echo "[ERROR] block-ips needs <ip[,ip,...]>"; exit 1; }
echo " would create/append WAN address-group '$GROUP' with: $TARGET"
echo " and ensure a WAN_IN drop rule referencing it (high priority)."
;;
*) echo "[ERROR] unknown action: $ACT"; exit 1;;
esac
if [ "$APPLY" != "1" ]; then
echo; echo "[dry-run] no changes made. Add --apply to write (needs the RW admin vaulted)."
exit 0
fi
# ---------- WRITE PATH (controller REST, gated) ----------
RWP="infrastructure/uos-server-network-api-rw"
export RW_U="$(bash "$VAULT" get-field "$RWP" credentials.username 2>/dev/null || true)"
export RW_P="$(bash "$VAULT" get-field "$RWP" credentials.password 2>/dev/null || true)"
[ -n "$RW_U" ] && [ -n "$RW_P" ] || { echo "[BLOCKED] --apply needs the RW controller admin vaulted at: $RWP"; exit 2; }
export GC_SITE="$SITE" GC_ACT="$ACT" GC_GROUP="$GROUP" REPO
export GC_ARG0="${POS[0]:-}" GC_ARG1="${POS[1]:-}" GC_ARG2="${POS[2]:-}"
python - <<'PY'
import os,sys,json,ssl,urllib.request,http.cookiejar
H="172.16.3.29";PORT=11443;base=f"https://{H}:{PORT}"
ctx=ssl.create_default_context();ctx.check_hostname=False;ctx.verify_mode=ssl.CERT_NONE
cj=http.cookiejar.CookieJar()
op=urllib.request.build_opener(urllib.request.HTTPCookieProcessor(cj),urllib.request.HTTPSHandler(context=ctx))
def call(method,path,body=None,csrf=None,wh=False):
data=json.dumps(body).encode() if body is not None else None
r=urllib.request.Request(base+path,data=data,method=method);r.add_header('Content-Type','application/json')
if csrf:r.add_header('X-CSRF-Token',csrf)
resp=op.open(r,timeout=25);hdr=resp.headers;txt=resp.read().decode('utf-8','replace')
return (txt,hdr) if wh else txt
try:_,hd=call('POST','/api/auth/login',{'username':os.environ['RW_U'],'password':os.environ['RW_P']},wh=True)
except Exception as e:print("[ERROR] login failed:",e);sys.exit(1)
csrf=hd.get('X-CSRF-Token') or hd.get('X-Updated-Csrf-Token')
sites=json.loads(call('GET','/proxy/network/api/self/sites')).get('data',[])
short=next((s['name'] for s in sites if s.get('_id')==os.environ['GC_SITE']),None)
if not short:print("[ERROR] site resolve failed");sys.exit(1)
def S(p):return f"/proxy/network/api/s/{short}{p}"
ACT=os.environ['GC_ACT'];A0=os.environ['GC_ARG0'];A1=os.environ['GC_ARG1'];A2=os.environ['GC_ARG2']
def find(items,key):
for it in items:
if it.get('_id')==key or (it.get('name','').lower()==key.lower()):return it
return None
def save_rollback(tag,obj):
rp=os.path.join(os.environ.get('REPO','.'),'.claude','tmp',f"gw-control-rollback-{short}-{tag}.json")
try:
os.makedirs(os.path.dirname(rp),exist_ok=True);open(rp,'w').write(json.dumps(obj,indent=1))
print(f"[rollback] saved {rp}")
except Exception as e:print("[rollback] save failed:",e)
try:
if ACT.startswith('pf-'):
pfs=json.loads(call('GET',S('/rest/portforward'))).get('data',[])
pf=find(pfs,A0)
if not pf:print(f"[FAIL] port-forward '{A0}' not found");sys.exit(1)
before={k:pf.get(k) for k in ('enabled','dst_port','fwd_port','src')}
save_rollback(f"pf-{pf['_id']}",pf)
if ACT=='pf-delete':
call('DELETE',S(f"/rest/portforward/{pf['_id']}"),csrf=csrf)
print(f"[ok] deleted port-forward '{pf.get('name')}' (was: {before})");sys.exit(0)
if ACT=='pf-disable':pf['enabled']=False
elif ACT=='pf-enable':pf['enabled']=True
elif ACT=='pf-set-ports':
if not A1:print("[FAIL] pf-set-ports needs <dst> [<fwd>]");sys.exit(1)
pf['dst_port']=A1; pf['fwd_port']=(A2 or A1)
elif ACT=='pf-set-src':
pf['src']=('any' if A0 and A1.lower()=='any' else A1) if A1 else 'any'
call('PUT',S(f"/rest/portforward/{pf['_id']}"),pf,csrf=csrf)
after={k:pf.get(k) for k in ('enabled','dst_port','fwd_port','src')}
print(f"[ok] {ACT} '{pf.get('name')}' {before} -> {after}");sys.exit(0)
if ACT in ('fw-disable','fw-enable'):
rules=json.loads(call('GET',S('/rest/firewallrule'))).get('data',[])
r=find(rules,A0)
if not r:print(f"[FAIL] firewall rule '{A0}' not found");sys.exit(1)
save_rollback(f"fw-{r['_id']}",r)
r['enabled']=(ACT=='fw-enable')
call('PUT',S(f"/rest/firewallrule/{r['_id']}"),r,csrf=csrf)
print(f"[ok] {ACT} '{r.get('name')}' [{r.get('ruleset')} #{r.get('rule_index')}] enabled={r['enabled']}");sys.exit(0)
if ACT=='block-ips':
ips=[x.strip() for x in A0.split(',') if x.strip()]
if not ips:print("[FAIL] no IPs");sys.exit(1)
gname=os.environ['GC_GROUP']
groups=json.loads(call('GET',S('/rest/firewallgroup'))).get('data',[])
grp=next((g for g in groups if g.get('name')==gname and g.get('group_type')=='address-group'),None)
if grp:
before=list(grp.get('group_members',[]))
grp['group_members']=sorted(set(before)|set(ips))
save_rollback(f"grp-{grp['_id']}",{'_id':grp['_id'],'group_members':before})
call('PUT',S(f"/rest/firewallgroup/{grp['_id']}"),grp,csrf=csrf)
print(f"[ok] appended {len(ips)} IP(s) to existing group '{gname}' ({len(before)}->{len(grp['group_members'])})")
gid=grp['_id']
else:
ng={'name':gname,'group_type':'address-group','group_members':sorted(set(ips))}
res=json.loads(call('POST',S('/rest/firewallgroup'),ng,csrf=csrf))
gid=res.get('data',[{}])[0].get('_id')
print(f"[ok] created address-group '{gname}' with {len(ips)} IP(s) id={gid}")
# ensure a WAN_IN drop rule referencing the group exists; clone an existing WAN_IN rule's schema
rules=json.loads(call('GET',S('/rest/firewallrule'))).get('data',[])
existing=next((r for r in rules if r.get('name')==f"Block {gname}" and r.get('ruleset')=='WAN_IN'),None)
if existing:
print(f"[ok] WAN_IN drop rule 'Block {gname}' already present (#{existing.get('rule_index')}) -> group updated, nothing else to do")
sys.exit(0)
wanin=[r for r in rules if r.get('ruleset')=='WAN_IN']
idxs=[int(r.get('rule_index',2000)) for r in wanin if str(r.get('rule_index','')).isdigit()]
nidx=max(idxs)+1 if idxs else 2000
tmpl=wanin[0] if wanin else None
if tmpl:
nr={k:v for k,v in tmpl.items() if k not in ('_id','rule_index','name','src_firewallgroup_ids','dst_firewallgroup_ids','src_address','dst_address')}
else:
nr={'ruleset':'WAN_IN','protocol':'all','protocol_match_excepted':False,'logging':False,
'state_new':False,'state_established':False,'state_invalid':False,'state_related':False,
'ipsec':'','src_networkconf_type':'NETv4','dst_networkconf_type':'NETv4','icmp_typename':''}
nr.update({'ruleset':'WAN_IN','rule_index':nidx,'name':f"Block {gname}",'enabled':True,'action':'drop',
'src_firewallgroup_ids':[gid],'dst_firewallgroup_ids':[],'src_address':'','dst_address':''})
res=call('POST',S('/rest/firewallrule'),nr,csrf=csrf)
ok=json.loads(res).get('meta',{}).get('rc')=='ok'
print(f"[{'ok' if ok else 'FAIL'}] WAN_IN drop rule 'Block {gname}' #{nidx} -> group {gid} ({json.loads(res).get('meta')})")
print("[note] verify the new rule's position/precedence in the UI; firewallrule schema is firmware-sensitive.")
sys.exit(0)
print("[ERROR] unhandled action",ACT);sys.exit(1)
except urllib.error.HTTPError as e:
print(f"[FAIL] HTTP {e.code}: {e.read().decode('utf-8','replace')[:300]}");sys.exit(1)
except Exception as e:
print("[FAIL]",e);sys.exit(1)
PY