Set up simple http routes to call bash command
-
I'm looking for a way to set up two really basic http routes on my pfSense box (same IP, different port).
I simply wanthttp://192.168.3.1:81/turn_wifi_on
to runcurl http://192.168.2.1?wifi=on&authkey=xxxxxx
andhttp://192.168.3.1:81/turn_wifi_off
should runcurl http://192.168.2.1?wifi=off&authkey=xxxxxx
.Has anyone done something like that before? Is there a simple maybe built-in way in pfsense to do this?
-
You could likely script it but there's nothing built into pfSense to do that, no.
Steve
-
Okay thanks.
It appears that there is a python2 binary available, so I wrote a simple python script to handle this.
I'll share what I did, maybe this is gonna helpful to someone some day:It can be done in 30 simple lines of python using
BaseHTTPServer
andurllib2
which are available pfSense by default:#!/usr/bin/env python2 from BaseHTTPServer import BaseHTTPRequestHandler,HTTPServer import urllib2 class myHandler(BaseHTTPRequestHandler): def do_GET(self): url = '' if self.path == '/turn_wifi_on': url = 'http://192.168.2.1?wifi=on&authkey=xxxxxx' elif self.path == '/turn_wifi_off': url = 'http://192.168.2.1?wifi=off&authkey=xxxxxx' else: self.finish() self.connection.close() return status = urllib2.urlopen(url).getcode() self.send_response(status) self.send_header('Content-type','text/html') self.end_headers() if status > 199 and status < 300: self.wfile.write("<b>Success!</b>") else: self.wfile.write("<b>Soemthing went wrong!</b>") server = HTTPServer(('', 8000), myHandler) print "HTTP server is running!" server.serve_forever()
Then I simply wrote a simple rc.d script, and saved that as
/usr/local/etc/rc.d/wifi.sh
:#!/usr/bin/env sh case "$1" in start) python2 /path/to/python/script.py ;; stop) pkill -f script.py ;; *) echo "Usage: /usr/local/etc/rc.d/wifi.sh {start|stop}" exit 1 ;; esac exit 0
I also made it executable (
chmod +x /usr/local/etc/rc.d/wifi.sh
). -
Remember to backup the script....
Likely it won't survive an update -
Or use the Filer package to include it in the config.
Steve
-
Do not use your firewall as a general purpose web server. It's not intended for that, and you are lowering the security of the system as a whole by doing that sort of thing. Especially if you are exposing this kind of thing remotely. And if it's not remote, then why bother? Just hit the local box directly or over VPN.
-
What do you mean by "general purpose web server"? There is literally one purpose here.
I think it's pretty safe, I mean the Python libs are pretty well maintained and everything is pretty static.
Although I have to admit that I should probably run it as a different user or some sort of container.
But it's too much work for me to set that up, so I'm willing to take the risk. -
s/web server/server/ same advice still applies. If anything can hit your GUI port then it can access the other device inside your network.
Sure it might seem convenient, but it's insecure as hell. Doing that on a firewall is a huge risk.
-
Well, that's obvious and that's why I only opened port 8000 and not 80/443. I don't see how opening port 8000 would allow anything to access port 80 or 443. That seems like a stretch to me to be honest.
-
Using any port on the firewall at all for a service like that is the problem. Not the port you chose. But if you are OK with making your firewall insecure and opening up holes in your network, then you do you.
-
How does it make my Firewall insecure? And what do you mean by "service like that"?
-
@nopit said in Set up simple http routes to call bash command:
How does it make my Firewall insecure? And what do you mean by "service like that"?
By exposing a web service located on your firewall as a way to interact with other devices on your LAN is a new vector you've opened up to be exploited. It's not a web service running on a web server, it's a web service you've exposed to the Internet running on your router. By doing this you've lowered the security of your router in a very bad way. You just introduced a new exploit vector on the device that runs your entire network.
pfSense has a job, and it's not to host web services. It is strongly recommended and it's best practice to move the web service to a web server or another appliance designed for that task.
-
Where I come from, there is a difference between "insecure" and "potentially less secure"!
If someone (magically) exploited this, he would get access to my network anyway, no matter if I run this on my PC, NAS or pfSense device. At least the pfSense device doesn't hold any data that I would consider sensitive.
Anyway... I think this is going nowhere. I appreciate your concern, but I don't see anyone exploiting this.