Set up simple http routes to call bash command

NopIt

Okay thanks.

It appears that there is a python2 binary available, so I wrote a simple python script to handle this.
I'll share what I did, maybe this is gonna helpful to someone some day:

It can be done in 30 simple lines of python using BaseHTTPServer and urllib2 which are available pfSense by default:

#!/usr/bin/env python2
from BaseHTTPServer import BaseHTTPRequestHandler,HTTPServer
import urllib2

class myHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        url = ''
        if self.path == '/turn_wifi_on':
            url = 'http://192.168.2.1?wifi=on&authkey=xxxxxx'
        elif self.path == '/turn_wifi_off':
            url = 'http://192.168.2.1?wifi=off&authkey=xxxxxx'
        else:
            self.finish()
            self.connection.close()
            return

        status = urllib2.urlopen(url).getcode()
        self.send_response(status)
        self.send_header('Content-type','text/html')
        self.end_headers()

        if status > 199 and status < 300:
            self.wfile.write("<b>Success!</b>")
        else:
            self.wfile.write("<b>Soemthing went wrong!</b>")

server = HTTPServer(('', 8000), myHandler)
print "HTTP server is running!"

server.serve_forever()

Then I simply wrote a simple rc.d script, and saved that as /usr/local/etc/rc.d/wifi.sh:

#!/usr/bin/env sh
case "$1" in
  start)
    python2 /path/to/python/script.py
    ;;
  stop)
    pkill -f script.py
    ;;
  *)
    echo "Usage: /usr/local/etc/rc.d/wifi.sh {start|stop}"
    exit 1
    ;;
esac

exit 0

I also made it executable (chmod +x /usr/local/etc/rc.d/wifi.sh).

heper

Remember to backup the script....
Likely it won't survive an update

stephenw10

Or use the Filer package to include it in the config.

Steve

jimp

Do not use your firewall as a general purpose web server. It's not intended for that, and you are lowering the security of the system as a whole by doing that sort of thing. Especially if you are exposing this kind of thing remotely. And if it's not remote, then why bother? Just hit the local box directly or over VPN.

NopIt

What do you mean by "general purpose web server"? There is literally one purpose here.
I think it's pretty safe, I mean the Python libs are pretty well maintained and everything is pretty static.
Although I have to admit that I should probably run it as a different user or some sort of container.
But it's too much work for me to set that up, so I'm willing to take the risk.

jimp

s/web server/server/ same advice still applies. If anything can hit your GUI port then it can access the other device inside your network.

Sure it might seem convenient, but it's insecure as hell. Doing that on a firewall is a huge risk.

NopIt

Well, that's obvious and that's why I only opened port 8000 and not 80/443. I don't see how opening port 8000 would allow anything to access port 80 or 443. That seems like a stretch to me to be honest.

jimp

Using any port on the firewall at all for a service like that is the problem. Not the port you chose. But if you are OK with making your firewall insecure and opening up holes in your network, then you do you.

NopIt

How does it make my Firewall insecure? And what do you mean by "service like that"?

tim.mcmanus

@nopit said in Set up simple http routes to call bash command:

How does it make my Firewall insecure? And what do you mean by "service like that"?

By exposing a web service located on your firewall as a way to interact with other devices on your LAN is a new vector you've opened up to be exploited. It's not a web service running on a web server, it's a web service you've exposed to the Internet running on your router. By doing this you've lowered the security of your router in a very bad way. You just introduced a new exploit vector on the device that runs your entire network.

pfSense has a job, and it's not to host web services. It is strongly recommended and it's best practice to move the web service to a web server or another appliance designed for that task.

NopIt

Where I come from, there is a difference between "insecure" and "potentially less secure"!
If someone (magically) exploited this, he would get access to my network anyway, no matter if I run this on my PC, NAS or pfSense device. At least the pfSense device doesn't hold any data that I would consider sensitive.
Anyway... I think this is going nowhere. I appreciate your concern, but I don't see anyone exploiting this.