High-risk tools in OPNSense MCP Server
33 of the 196 tools in OPNSense MCP Server are classified as high risk. This page profiles those tools specifically, with recommended policy actions and the attack patterns that target them.
Every operation listed below is an action PolicyLayer recommends controlling at the transport layer. Open any tool to see the full profile, risk score, and YAML policy snippet.
Tools at high risk
- acme_renew_certificate (Execute): Trigger manual renewal of a specific certificate
- cli_execute (Execute): Execute a CLI command on OPNsense for advanced configuration
- haproxy_service_control (Execute): Control HAProxy service (start, stop, restart, reload)
- ids_restart (Execute): Restart IDS/IPS service
- ids_start (Execute): Start IDS/IPS service
- ids_stop (Execute): Stop IDS/IPS service
- routing_diagnostics (Execute): Run comprehensive inter-VLAN routing diagnostics
- ssh_batch_execute (Execute): Execute multiple commands in sequence via SSH
- ssh_execute (Execute): Execute arbitrary command via SSH on OPNsense (full CLI access)
- acme_sign_certificate (Execute): Issue/sign a certificate (initial creation or re-issue)
-
cert_letsencrypt_request (Execute): Request a Let's
- cli_check_nfs (Execute): Check NFS connectivity from DMZ
- cli_fix_dmz_routing (Execute): Comprehensive DMZ routing fix via CLI
- cli_fix_interface_blocking (Execute): Fix interface blocking settings via CLI (for DMZ routing issues)
- cli_reload_firewall (Execute): Reload firewall rules via CLI
- ids_block_ip (Execute): Block an IP address detected by IDS
- macro_play (Execute): Play a saved macro
- nat_quick_fix_dmz (Execute): Quick fix for DMZ NAT issue with minimal configuration
- routing_fix_all (Execute): Automatically fix all detected inter-VLAN routing issues
- ssh_check_nfs_connectivity (Execute): Check NFS connectivity from OPNsense
- ssh_fix_dmz_routing (Execute): Apply comprehensive DMZ routing fix via SSH
- ssh_fix_interface_blocking (Execute): Fix interface blocking settings via SSH (resolves DMZ routing issues)
- ssh_quick_dmz_fix (Execute): Apply quick DMZ fix (streamlined version)
- ssh_reload_firewall (Execute): Reload firewall rules via SSH
- ssh_test_vlan_connectivity (Execute): Test connectivity between VLANs
- cli_apply_changes (Execute): Apply all configuration changes via CLI
- firewall_apply_changes (Execute): Apply pending firewall changes
- iac_apply_deployment (Execute): Apply a deployment plan
- iac_plan_deployment (Execute): Plan infrastructure deployment changes
- macro_generate_tool (Execute): Generate an MCP tool definition from a macro
- nat_apply_changes (Execute): Apply NAT configuration changes
- openvpn_disconnect_client (Execute): Disconnect a specific VPN client
- traffic_apply_changes (Execute): Apply traffic shaper changes
Attacks that target this class
High-risk tools in any server share these documented attack patterns. Each links to the full case and the defensive policy.