*SOLVED* Remote Config Backup on v2.0
Hi All,
I searched on this topic, and I see that the Remote Configuration Backup issue has been addressed many times, but I cannot find a topic that describes my exact problem.
I'm following the instructions located at http://doc.pfsense.org/index.php/Remote_Config_Backup to write a bash script on a linux box to do the backups of all of my firewalls. So I've got the following script that does the actual backup of a firewall configuration. It receives parameters from another script:
Anything in {CurlyBraces} I've substituted out here to sanitize the code for security. :-)
fwbackup.sh
#!/bin/bash
# Script Syntax:
# $1 == SiteID
# $2 == FQHN or IP
# $3 == PortNumber
# $4 == Username
# $5 == Password
SCRIPTPATH=/root/fwbackups
DESTPATH=/root/fwbackups/sites
MAILTO={MyEmailAddress}
TIMESTAMP=`date +%Y%m%d%H%M%S`

echo Trying to back up $1

echo -Login
# Log in and keep the session cookie for the download step
wget -qO/dev/null \
  --keep-session-cookies \
  --save-cookies $SCRIPTPATH/cookies.txt \
  --post-data 'login=Login&usernamefld=$4&passwordfld=$5' \
  --no-check-certificate \
  --timeout=10 \
  https://$2:$3/diag_backup.php

echo -Download Config
# Request the config export (without RRD data) using the saved session cookie
wget --keep-session-cookies \
  --load-cookies $SCRIPTPATH/cookies.txt \
  --post-data 'Submit=download&donotbackuprrd=yes' \
  --no-check-certificate -O $DESTPATH/$1-$TIMESTAMP.xml \
  --timeout=10 \
  https://$2:$3/diag_backup.php

echo -Check Config
if [ -e $DESTPATH/$1-$TIMESTAMP.xml ]; then
  echo Success - pfSense backup - $1 | mail -s "Firewall Backup Successful for $1" $MAILTO
else
  echo Failure - pfSense backup - $1 | mail -s "Firewall Backup Failed for $1" $MAILTO
fi
I'm calling the above script for each site with a master script that looks like this:
fwbackupgo.sh
#!/bin/bash
SCRIPTPATH=/root/fwbackups/fwbackup.sh
# Redirections cannot be stored in a variable (the shell expands $NOOUT after it
# has already parsed redirections), so they are written out on each line
$SCRIPTPATH site1 site1.companyname.com {SSLPort} {Username} {Password} >/dev/null 2>&1
$SCRIPTPATH site2 site2.companyname.com {SSLPort} {Username} {Password} >/dev/null 2>&1
So, the issue here is twofold:
- Of less importance, sometimes the code appears to hang at "-Login". I've checked and this does not appear to be a wget problem. It appears to be a "the firewall stopped responding to HTTPS requests" problem. Any ideas why?
- The Behemoth issue here is what comes back in the output file, which looks like this:
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
...
<form id="iform" name="login_iform" method="post" action="/diag_backup.php">
Username or Password incorrect
Username:
Password:
Enter username and password to login.
</form>
If you don't see it already, that's the "Login Failure" page.
I've checked usernames and passwords. They are valid and work if I go there with a real browser and manually log in.
Any thoughts? Anyone else seen this and conquered it?
Thanks, in advance, all!
-
OK, so in traditional fashion, after typing something out here, I think I found my own solution…
Problem 1. The unresponsive web interface for the backup turned out to be the WebConfigurator Lockout rule getting in my way. I found this by going to Status -> System Logs -> Firewall. I looked at the blocked log entry coming from my source IP to the firewall's destination IP. I clicked on the Red Block symbol on the left, and it tells you what rule blocked it. To solve the issue, I removed all of my allow rules from the NAT and Rules tables allowing my external IP in to this firewall, and then I rebooted the firewall under Diagnostics -> Reboot -> Yes. Once the firewall rebooted, I went into the rules table and created a new rule:
Protocol: TCP
Source: {MySourceIP} (I used an alias)
SourcePort: Any
Destination: WAN Address
DestinationPort: {MyAdminPort}
Gateway: Any
Queue: None
Schedule: None
And voila, my linux server can access the firewall Admin port again.
Problem 2: Login failing with wget. This turned out to be stupid simple. Linux doesn't like the apostrophes as delimiters for the POST data. It wants quotes. Rough, huh?
Good luck, and hope this solves it for someone/everyone.
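As an added example (not the original poster's script), here is the same diag_backup.php login-and-download flow written with the quoting fix from Problem 2 applied, plus a check that the saved file really is a config export and not the "Username or Password incorrect" page: without that check a failed login is silently archived as a backup with a .xml name, which is exactly the symptom in the first post. The form field names come from the thread; the paths, the mail address and the optional CA_FILE variable are assumptions.

```shell
#!/bin/bash
# Added example, not the original poster's script: pfSense remote config backup
# over diag_backup.php (form fields as in the thread) with two changes:
#   1. double-quoted --post-data so the shell expands $user and $pass
#   2. the saved file is checked to be a config export, not the login page,
#      so a failed login is reported instead of kept as a "backup"
# Paths, mail address and CA_FILE below are placeholders/assumptions.
set -u

DESTPATH="${DESTPATH:-/root/fwbackups/sites}"   # assumed, taken from the thread
MAILTO="${MAILTO:-admin@example.com}"            # placeholder address
CA_FILE="${CA_FILE:-}"   # optional: path to the firewall's CA cert; empty = no TLS verification

# Returns 0 if the file looks like a pfSense config export, 1 otherwise.
is_pfsense_config() {
  local f="$1"
  [ -s "$f" ] || return 1                                       # missing or empty
  if grep -q 'name="login_iform"' "$f"; then return 1; fi       # login page came back
  case "$(head -c 5 "$f")" in '<?xml') ;; *) return 1 ;; esac   # must start as XML
  grep -q '<pfsense>' "$f"                                      # must carry the config root
}

# Usage: backup_site SiteID host port user pass
backup_site() {
  local site="$1" host="$2" port="$3" user="$4" pass="$5"
  local url="https://$host:$port/diag_backup.php"
  local out="$DESTPATH/$site-$(date +%Y%m%d%H%M%S).xml"
  local cookies tls
  cookies="$(mktemp)" || return 1
  if [ -n "$CA_FILE" ]; then tls="--ca-certificate=$CA_FILE"; else tls="--no-check-certificate"; fi

  # Login: double quotes are what makes $user/$pass expand. A password containing
  # '&', '=' or '%' must be URL-encoded first (not handled here).
  wget -qO /dev/null --timeout=10 "$tls" \
    --keep-session-cookies --save-cookies "$cookies" \
    --post-data "login=Login&usernamefld=$user&passwordfld=$pass" \
    "$url"

  # Download the config export with the session cookie from the login step.
  wget -qO "$out" --timeout=10 "$tls" \
    --keep-session-cookies --load-cookies "$cookies" \
    --post-data "Submit=download&donotbackuprrd=yes" \
    "$url"
  rm -f "$cookies"

  if is_pfsense_config "$out"; then
    echo "Success - pfSense backup - $site" | mail -s "Firewall Backup Successful for $site" "$MAILTO"
    return 0
  fi
  rm -f "$out"   # do not keep an HTML error page under a .xml name
  echo "Failure - pfSense backup - $site ($out was not a config export)" \
    | mail -s "Firewall Backup Failed for $site" "$MAILTO"
  return 1
}

# Offline self-check on constructed sample files: a fake export and the
# login-failure page quoted in the thread. Returns 0 when both are classified correctly.
selftest() {
  local d good bad rc=0
  d="$(mktemp -d)" || return 1
  good="$d/good.xml"; bad="$d/bad.xml"
  printf '%s\n' '<?xml version="1.0"?>' '<pfsense>' '<version>example</version>' '</pfsense>' > "$good"
  printf '%s\n' '<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN">' \
    '<form id="iform" name="login_iform" method="post" action="/diag_backup.php">' \
    'Username or Password incorrect' '</form>' > "$bad"
  is_pfsense_config "$good" || rc=1
  if is_pfsense_config "$bad"; then rc=1; fi
  rm -rf "$d"
  return $rc
}

# Run a real backup only when called with the five arguments; otherwise just define the functions.
if [ "$#" -eq 5 ]; then backup_site "$@"; fi
```

Call it as `./fwbackup.sh site1 site1.companyname.com {SSLPort} {Username} {Password}` from the master script as before; with `CA_FILE` pointing at the firewall's CA certificate the `--no-check-certificate` fallback is never used, so a host impersonating the firewall cannot collect the login credentials.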