- Added configuration options for requiring human approval before applying LLM-generated MCP patches. - Updated Docker setup to include skills directory. - Integrated skills management into the backend, allowing for procedural guides and skill matching. - Refactored database initialization to apply Alembic migrations. - Enhanced task approval process to handle MCP patch applications with optional approval. - Introduced new schemas for skills and updated existing APIs to support skills functionality. This commit lays the groundwork for improved agent capabilities and better management of MCP development processes.
72 lines
2.3 KiB
Markdown
72 lines
2.3 KiB
Markdown
---
|
|
id: pfsense-change-safe
|
|
name: Safe pfSense changes
|
|
description: >-
|
|
Backup-before-change workflow, evidence capture, and approval gates for
|
|
production firewall/NAT edits on vessel pfSense instances.
|
|
priority: 80
|
|
rule_ids:
|
|
- one-way-audio
|
|
- no-registration
|
|
- list-firewall-rules
|
|
match:
|
|
keywords:
|
|
- firewall rule
|
|
- add rule
|
|
- change nat
|
|
- port forward
|
|
- snat
|
|
- outbound nat
|
|
- modify pfsense
|
|
- fix firewall
|
|
- blocked
|
|
- pass rule
|
|
all_of: []
|
|
---
|
|
|
|
# Safe pfSense changes on vessels
|
|
|
|
## Read before write (always)
|
|
|
|
1. List current state: interfaces, firewall rules, port forwards, outbound NAT.
|
|
2. Identify the **exact gap** with filter.log or rule tracker IDs — not theory.
|
|
3. Capture config backup or export before any write.
|
|
|
|
Agentic OS routes **config-changing fixes** through human approval. Proposed fixes with `is_config_change: true` appear in the task approval queue.
|
|
|
|
## Pre-change checklist
|
|
|
|
- [ ] Confirmed interface names live (`vtnet2` CREW, `vtnet3` Business, etc.)
|
|
- [ ] Identified associated NAT + filter rule pairs
|
|
- [ ] Documented evidence (filter.log line, blocked port/proto, source/dest)
|
|
- [ ] Backup taken or backup tool available
|
|
- [ ] Change is minimal — one rule/NAT entry, not broad "allow all"
|
|
|
|
## Common safe patterns (GeneseasX VoIP)
|
|
|
|
| Fix | Typical rule |
|
|
|-----|--------------|
|
|
| One-way audio | Pass UDP 10000-10029 phone VLAN → shipPortal |
|
|
| RTP SNAT | Outbound NAT for phone subnet RTP to segment VIP |
|
|
| SIP registration | Port-forward UDP 5060 + pass on phone VLAN |
|
|
|
|
## What NOT to do
|
|
|
|
- Do not disable pfSense entirely or add overly broad "any any" rules.
|
|
- Do not assume golden-lab IPs — confirm vessel inventory addresses.
|
|
- Do not list connect/diagnostic steps as `proposed_fixes` — those belong in `steps_taken`.
|
|
|
|
## Report expectations
|
|
|
|
When recommending a change:
|
|
|
|
- Describe **exact** rule (interface, proto, ports, source, dest)
|
|
- Reference evidence from diagnostics already collected
|
|
- Set `is_config_change: true` only for actual pfSense write operations
|
|
- Note if MCP writes require `PFSENSE_ALLOW_WRITES=true` on the MCP server
|
|
|
|
## Post-change verification
|
|
|
|
- Re-test the original symptom (registration, RTP counters, filter.log clean)
|
|
- Upsert a memory record with rule tracker IDs and outcome for future tasks
|