*SOLVED* Remote Config Backup on v2.0



  • Hi All,

    I searched on this topic, and I see that the Remote Configuration Backup issue has been addressed many times, but I cannot find a topic that describes my exact problem.

    I'm following the instructions located at http://doc.pfsense.org/index.php/Remote_Config_Backup to write a bash script on a linux box to do the backups of all of my firewalls. So I've got the following script that does the actual backup of a firewall configuration. It receives its parameters from another script:

    Anything in {CurlyBraces} I've substituted out here to sanitize the code for security. :-)

    fwbackup.sh

    
    #!/bin/bash
    # Script Syntax:
    # $1 == SiteID
    # $2 == FQHN or IP
    # $3 == PortNumber
    # $4 == Username
    # $5 == Password

    SCRIPTPATH=/root/fwbackups
    DESTPATH=/root/fwbackups/sites
    MAILTO={MyEmailAddress}
    TIMESTAMP=$(date +%Y%m%d%H%M%S)
    OUTFILE="$DESTPATH/$1-$TIMESTAMP.xml"

    echo "Trying to back up $1"
    echo " -Login"
    # Note: inside single quotes the shell does not expand $4 and $5; the
    # literal strings "$4" and "$5" are what gets POSTed.
    wget -qO/dev/null \
     --keep-session-cookies \
     --save-cookies "$SCRIPTPATH/cookies.txt" \
     --post-data 'login=Login&usernamefld=$4&passwordfld=$5' \
     --no-check-certificate \
     --timeout=10 \
     "https://$2:$3/diag_backup.php"

    echo " -Download Config"
    wget --keep-session-cookies \
     --load-cookies "$SCRIPTPATH/cookies.txt" \
     --post-data 'Submit=download&donotbackuprrd=yes' \
     --no-check-certificate -O "$OUTFILE" \
     --timeout=10 \
     "https://$2:$3/diag_backup.php"

    echo " -Check Config"
    # wget -O creates the file even when the server returned an error page or
    # the login form, so check for the pfSense config root element, not just
    # that the file exists.
    if [ -s "$OUTFILE" ] && grep -q '<pfsense>' "$OUTFILE"; then
      echo "Success - pfSense backup - $1" | mail -s "Firewall Backup Successful for $1" "$MAILTO"
    else
      echo "Failure - pfSense backup - $1" | mail -s "Firewall Backup Failed for $1" "$MAILTO"
    fi
    
    

    I'm calling the above script for each site with a master script that looks like this:

    fwbackupgo.sh

    
    #!/bin/bash
    SCRIPTPATH=/root/fwbackups/fwbackup.sh

    # A redirection cannot be stored in a variable: "NOOUT=>/dev/null 2>&1"
    # assigns an empty string, and a "$NOOUT" at the end of a command line is
    # passed as an argument, not applied as a redirect. Redirect each call
    # directly instead.
    "$SCRIPTPATH" site1 site1.companyname.com {SSLPort} {Username} {Password} >/dev/null 2>&1
    "$SCRIPTPATH" site2 site2.companyname.com {SSLPort} {Username} {Password} >/dev/null 2>&1
    
    

    So, the issue here is twofold:

    1. Of less importance, sometimes the code appears to hang at "-Login". I've checked and this does not appear to be a wget problem. It appears to be a "the firewall stopped responding to HTTPS requests" problem. Any ideas why?

    2. The Behemoth issue here is what comes back in the output file, which looks like this:

    
            "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    
    ...
    
    <form id="iform" name="login_iform" method="post"  action="/diag_backup.php">
    
                                    Username or Password incorrect
    
                                             Username:
    
                                             Password:
    
                                             Enter username and password to login. 
    
                            </form>
    
    

    If you don't see it already, that's the "Login Failure" page.

    I've checked usernames and passwords. They are valid and work if I go there with a real browser and manually log in.

    Any thoughts? Anyone else seen this and conquered it?

    Thanks, in advance, all!



  • OK, so in traditional fashion, after typing something out here, I think I found my own solution…

    Problem 1. The unresponsive web interface for the backup turned out to be the WebConfigurator Lockout rule getting in my way. I found this by going to Status -> System Logs -> Firewall. I looked at the blocked log entry coming from my source IP to the firewall's destination IP. I clicked on the red Block symbol on the left, and it told me what rule blocked it. To solve the issue, I removed all of my allow rules from the NAT and Rules tables allowing my external IP into this firewall, and then I rebooted the firewall under Diagnostics -> Reboot -> Yes. Once the firewall rebooted, I went into the rules table and created a new rule:

    Protocol: TCP
    Source: {MySourceIP} (I used an alias)
    SourcePort: Any
    Destination: WAN Address
    DestinationPort: {MyAdminPort}
    Gateway: Any
    Queue: None
    Schedule: None

    And voila, my linux server can access the firewall Admin port again.

    Problem 2: Login failing with wget. This turned out to be stupid simple. Linux doesn't like the apostrophes as delimiters for the POST data. It wants quotes. Rough, huh?

    Good luck, and hope this solves it for someone/everyone.
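The two problems in this thread (the login POST sent with unexpanded `$4`/`$5` because of single quotes, and a "successful" backup that is really the saved login page) both come down to how the script builds and checks its requests. Below is an added example, written for this page and not taken from the original poster's script or from the pfSense project, showing a hardened version of the same wget flow against pfSense 2.0's diag_backup.php. It builds the POST body in double quotes, percent-encodes the credentials so a password containing `&`, `=` or `%` cannot corrupt the form data, keeps the cookie jar owner-readable only, reads the password from a file instead of argv, and refuses to call the run a success unless the downloaded file has a `<pfsense>` root element and none of the login-form markers seen in the output above. The form field names and failure-page text come from the thread; the paths, the credentials-file argument and the `DESTPATH` variable are assumptions.

```shell
#!/bin/bash
# Added example, not the original poster's script or pfSense project code.
# Hardened wget backup for pfSense 2.0's diag_backup.php: correct quoting of
# the POST body, percent-encoding of credentials, a restricted cookie jar, and
# a check that the downloaded file really is a config and not the login page.
# Form field names and the login-failure markers come from the thread above;
# paths, the credentials file and the argument layout are assumptions.
set -u

# Percent-encode a string (RFC 3986 unreserved characters pass through) so a
# password containing '&', '=', '%' or spaces cannot break the POST body.
# Works on ASCII; non-ASCII passwords are out of scope for this example.
urlencode() {
  local rest="$1" out="" ch
  while [ -n "$rest" ]; do
    ch="${rest%"${rest#?}"}"        # first character
    rest="${rest#?}"                # remainder
    case "$ch" in
      [A-Za-z0-9.~_-]) out="$out$ch" ;;
      *) out="$out$(printf '%%%02X' "'$ch")" ;;
    esac
  done
  printf '%s' "$out"
}

# Login body built inside DOUBLE quotes so the variables expand. In single
# quotes (as in the original script) wget posts the literal text "$4"/"$5",
# and pfSense answers with the "Username or Password incorrect" page.
build_login_data() {
  printf 'login=Login&usernamefld=%s&passwordfld=%s' \
    "$(urlencode "$1")" "$(urlencode "$2")"
}

# A failed login still yields HTTP 200 with an HTML login form, and wget -O
# creates the output file regardless, so "the file exists" is not success.
# Require the <pfsense> root element and reject any login-form markers.
is_pfsense_config() {
  local f="$1"
  [ -s "$f" ] || return 1
  grep -q '<pfsense>' "$f" || return 1
  ! grep -q -e 'login_iform' -e 'Username or Password incorrect' "$f"
}

# Usage: fwbackup SiteID Host Port Username PasswordFile
# The password is read from a mode-0600 file instead of argv so it is not
# exposed to other local users through ps(1).
fwbackup() {
  local site="$1" host="$2" port="$3" user="$4" passfile="$5"
  local dest="${DESTPATH:-/root/fwbackups/sites}"     # assumed path
  local url="https://$host:$port/diag_backup.php"
  local pass out jar
  pass=$(cat "$passfile") || return 1
  out="$dest/$site-$(date +%Y%m%d%H%M%S).xml"
  umask 077                                 # cookie jar and backup: owner-only
  mkdir -p "$dest" || return 1
  jar=$(mktemp) || return 1

  # --no-check-certificate is kept from the original; if you have exported the
  # firewall's certificate, use --ca-certificate=FILE instead so a MITM cannot
  # harvest the admin credentials.
  wget -qO /dev/null --keep-session-cookies --save-cookies "$jar" \
       --post-data "$(build_login_data "$user" "$pass")" \
       --no-check-certificate --timeout=10 --tries=1 "$url" \
    || { rm -f "$jar"; return 1; }

  wget -qO "$out" --keep-session-cookies --load-cookies "$jar" \
       --post-data 'Submit=download&donotbackuprrd=yes' \
       --no-check-certificate --timeout=10 --tries=1 "$url" \
    || { rm -f "$jar" "$out"; return 1; }
  rm -f "$jar"

  if is_pfsense_config "$out"; then
    echo "OK   $site -> $out"
  else
    mv "$out" "$out.bad"                    # keep the response for inspection
    echo "FAIL $site: response saved as $out.bad (login failed?)" >&2
    return 1
  fi
}

# Run only when invoked with arguments, so the functions can also be sourced.
if [ "$#" -eq 5 ]; then
  fwbackup "$@"
fi
```

Called as `fwbackup.sh site1 site1.companyname.com 443 backupuser /root/fwbackups/site1.pass`, the script exits non-zero and renames the response to `.bad` when the firewall hands back the login form, which is exactly the case the `[ -e file ]` test in the original script reported as a success. The mail notification from the original can be driven off that exit status by the calling script.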

