Skip to main content

Governed AI-ops for OPNsense + pfSense firewalls: rules, NAT, aliases, VPN, DHCP, diagnostics, flagship RCA analyses, and governed writes (rule toggle, alias entries, apply/reconfigure/reboot) with a built-in governance harness (audit, budget, undo, risk tiers)

Project description

Firewall AIops (preview)

Governed, audited AI-ops for OPNsense and pfSense firewalls — for AI agents (via MCP) and humans (via CLI).

Disclaimer: Community-maintained open-source project. Not affiliated with, endorsed by, or sponsored by the OPNsense project, Deciso, Netgate, or the pfSense project. OPNsense, pfSense and Netgate are trademarks of their respective owners. MIT licensed.

firewall-aiops speaks to two firewall platforms behind one MCP server — OPNsense (REST API under /api/..., API key+secret via HTTP Basic auth) and pfSense (REST API v2 under /api/v2/... from the pfSense-pkg-RESTAPI package, API key via an X-API-Key header) — with the same tools working on both. Each target in the config names its own platform; a name-keyed platform registry selects the API shape (auth + resource paths), so an agent never has to know which firewall it is talking to.

Every tool runs through a built-in governance harness (vendored, zero external dependency): audit log, token/call budget with runaway circuit-breaker, graduated risk-tier approval, undo-token recording, and prompt-injection sanitisation.

Why this exists

  • One server, both firewalls — OPNsense and pfSense in a mixed estate, spoken to through identical tool names. Adding a third firewall later is a new platform descriptor, not a rewrite.
  • Read the whole firewall — firmware/health, interfaces & gateways, filter rules (with hit counts and state table), NAT (port-forward / outbound / 1:1), aliases, VPN (WireGuard / OpenVPN / IPsec), DHCP leases & reservations, and the firewall log.
  • Flagship RCA analyses — transparent heuristics that show their numbers, never a black-box verdict: gateway_health_rca (WAN loss/latency/down → cause + action), rule_hit_and_shadow_analysis (never-hit + shadowed/redundant rules), and blocked_traffic_rca (top blocked sources/ports → scan / brute-force / probe).
  • Governed writes — toggle a rule, add/remove an alias entry (reversible, undo-recorded from the fetched before-state), flush states, restart a service, and the "make it live" commit (apply_changes / reconfigure) and reboot at risk=high with a dry-run preview and an approver gate.

Tool inventory (32 tools)

Domain Tools # Kind
System firmware_status, health_status, interface_status, gateway_status 4 read
Rules list_rules, rule_detail, rule_stats, rule_states 4 read
NAT nat_port_forwards, nat_outbound, nat_one_to_one 3 read
Aliases list_aliases, alias_entries 2 read
VPN wireguard_status, openvpn_sessions, ipsec_sas 3 read
DHCP dhcp_leases, dhcp_static_mappings 2 read
Diagnostics firewall_log, states_table, top_talkers 3 read
Flagship analyses gateway_health_rca, rule_hit_and_shadow_analysis, blocked_traffic_rca 3 read
Writes toggle_rule, add_alias_entry, remove_alias_entry, kill_states, restart_service 5 write (med)
Writes apply_changes, reconfigure, reboot 3 write (high)

Reversible writes record an inverse undo descriptor built from the real fetched before-state (toggle_rule restores the rule's prior enabled flag; alias add/remove invert). apply_changes / reconfigure / reboot are high-risk with dry_run + an approver requirement; reboot is irreversible (audit only).

Install

uv tool install firewall-aiops        # or: pipx install firewall-aiops

Quick start

firewall-aiops init                     # wizard: pick platform (opnsense/pfsense) + store the secret (encrypted)
firewall-aiops doctor                   # verify config, secrets, and connectivity
firewall-aiops overview                 # one-shot: version + gateway/interface health + rule count
firewall-aiops rules list               # list filter rules
firewall-aiops rules toggle <uuid> --disable   # dry-run + double-confirm governed write
firewall-aiops log --action block -n 50 # recent blocked traffic

Run the MCP server (stdio) for an agent:

firewall-aiops mcp                      # or: firewall-aiops-mcp

MCP client config

{
  "mcpServers": {
    "firewall-aiops": {
      "command": "uvx",
      "args": ["--from", "firewall-aiops", "firewall-aiops-mcp"],
      "env": { "FIREWALL_AIOPS_MASTER_PASSWORD": "your-master-password" }
    }
  }
}

Configuration

~/.firewall-aiops/config.yaml (non-secret connection details only):

targets:
  - name: fw1
    platform: opnsense       # opnsense | pfsense
    host: 192.0.2.1
    port: 443
    username: <opnsense-api-key>   # OPNsense API key (unused for pfSense)
    verify_ssl: false        # false for self-signed lab certs
  - name: edge
    platform: pfsense
    host: 192.0.2.2
    verify_ssl: false

The secret — the OPNsense API secret (paired with the key for HTTP Basic auth) or the pfSense API key — is stored encrypted in ~/.firewall-aiops/secrets.enc (Fernet + scrypt-derived key), never plaintext on disk. Set it with firewall-aiops secret set <target> or the init wizard. The store is unlocked by a master password from FIREWALL_AIOPS_MASTER_PASSWORD (non-interactive/MCP/CI) or an interactive prompt (CLI on a TTY). A legacy plaintext env var FIREWALL_<TARGET>_SECRET is honoured as a fallback (migrate with firewall-aiops secret migrate).

Governance

Every MCP tool is wrapped by @governed_tool:

  • Audit — every call is logged to ~/.firewall-aiops/audit.db (tool, params with secrets redacted, status, duration, risk tier, approver, rationale).
  • Budget / runaway guard — per-process token/call caps and a repeat-call circuit breaker (FIREWALL_MAX_TOOL_CALLS, FIREWALL_RUNAWAY_MAX, …).
  • Graduated risk tiers — high-risk writes (apply_changes, reconfigure, reboot) require an approver: set FIREWALL_AUDIT_APPROVED_BY (and FIREWALL_AUDIT_RATIONALE) before they will run.
  • Undo recording — reversible writes record an inverse descriptor to ~/.firewall-aiops/undo.db from the fetched before-state (recording only; an external orchestrator executes it).
  • Sanitisation — all firewall-returned text is bounded + injection-sanitised before it reaches the agent.

Preview status

  • Platforms: OPNsense (REST API) and pfSense (REST API v2, pfSense-pkg-RESTAPI).
  • Preview — mock-validated only. Not run against a live firewall. All behaviour is validated against mocked OPNsense/pfSense JSON responses; the concrete REST paths are modelled from each project's public API and need live verification. Both platforms are free and self-hostable (OPNsense is fully open-source; pfSense CE is free), so a home lab is the easiest live check — firewall-aiops doctor (a firmware/version query on both) is the fastest connectivity check.
  • Missing a capability? Open an issue or PR at github.com/AIops-tools/Firewall-AIops — contributions and feedback welcome.

License

MIT — see LICENSE.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

firewall_aiops-0.2.0.tar.gz (152.7 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

firewall_aiops-0.2.0-py3-none-any.whl (88.2 kB view details)

Uploaded Python 3

File details

Details for the file firewall_aiops-0.2.0.tar.gz.

File metadata

  • Download URL: firewall_aiops-0.2.0.tar.gz
  • Upload date:
  • Size: 152.7 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for firewall_aiops-0.2.0.tar.gz
Algorithm Hash digest
SHA256 74dfc07cc740ecee76b50613a62fbc7bf339c54faf825a0a10d30cd5cb6263ab
MD5 bf159bbc8965e9702550d560f5f3f2b4
BLAKE2b-256 8b963e8b6cdd1236e7b297a80d46a350694dfb73d53078ab2370b6a48b7f6079

See more details on using hashes here.

Provenance

The following attestation bundles were made for firewall_aiops-0.2.0.tar.gz:

Publisher: publish.yml on AIops-tools/Firewall-AIops

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file firewall_aiops-0.2.0-py3-none-any.whl.

File metadata

  • Download URL: firewall_aiops-0.2.0-py3-none-any.whl
  • Upload date:
  • Size: 88.2 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for firewall_aiops-0.2.0-py3-none-any.whl
Algorithm Hash digest
SHA256 3a5ed8afcf77c12e2204721a4d071a2f05cc764807a2c5e48b813206227bc06b
MD5 98be8f82e663cbea40dd6cbf81675936
BLAKE2b-256 a2eb92f117569d062f00f128fc47c3968bdd807098fb3c96f393795742eb100b

See more details on using hashes here.

Provenance

The following attestation bundles were made for firewall_aiops-0.2.0-py3-none-any.whl:

Publisher: publish.yml on AIops-tools/Firewall-AIops

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page