HEADS UP: NUT package update may require settings change if using remote access

jimp · Sep 5, 2012, 2:45 PM

The NUT package was updated to NUT version 2.6.4 due to CVE-2012-2944 - http://redmine.pfsense.org/issues/2621

Versions of nut after 2.2.x no longer support internal network access restrictions. Instead they now rely on changing the interface binding and firewall rules.

With the new package existing ACLs are no longer used and it will only bind to localhost.

You can add a port forward for TCP port 3493 on the interface of your choice (lan, wan, etc) to localhost:3493 and regain remote access.

Also because the users can't be restricted by host any more, I changed the local status user to use a (somewhat) randomly generated password rather than "mypass" or else someone could have logged in with that (now global) user remotely if a NAT rule was added.

Please upgrade/test the NUT package - it works for me locally for a simple test case - my APC Back-UPS ES 450 is detected and reports fine, but other test cases (various remote access modes and so on) need evaluation.

msi · Sep 5, 2012, 2:43 PM

Hi Jim (actualy me who reported in redmine)

The following UPS/Network card seems being recognized:

UPS Model: Eaton-Powerware 5215 (branded as IBM 3000HV)
Network card: ConnectUPS Web/SNMP card V4.34
Settings: SNMPv1 (v2c doesn't work with these cards), MIB: pw

The panel also says that NUT runs, it reads battery values etc.
I'd just need to do a UPS test somehow to see if it really shuts down. ;)

wishyou · Oct 5, 2012, 8:25 AM

Hi!

I have an APC 1400 SmartUPS on pfSense as a NUT master and three other devices as NUT slaves, and this last upgrade required some modifications. Here is how I did it, it may help others:

First of all I modified the user creation for the local section in nut.inc to create a separate monitor master user in addition to the monitor slave user. For the last one I used the fields from the GUI.
I gave the admin user rights to set properties and run commands as well to allow me to adjust the UPS settings like LB criteria and so on.
Changed the power down flag in nut.inc to /tmp/killpower (as /etc is mounted ro)
Added a test for the power down flag to rc.shutdown and run '/usr/local/libexec/nut/upsdrvctl shutdown' if present
Finally I created the NAT rule described above to then LAN interface.

Everything works like a charm, I can set values, run commands and test shutdown using FSD. All my devices shuts down and starts up as expected.

Wish

nut.inc changes (from line 270):


$password = uniqid("nut");

/* upsd.users */
$upsd_users = "[admin]\n";
$upsd_users .= "password = {$password}\n";
$upsd_users .= "actions = set\n";
$upsd_users .= "actions = fsd\n";
$upsd_users .= "instcmds = all\n";
$upsd_users .= "upsmon master\n";

if($allowpass && $allowuser) {
    $upsd_users .= "\n[$allowuser]\n";
    $upsd_users .= "password = $allowpass\n";
    $upsd_users .= "upsmon slave\n";
}

/* upsmon.conf */
$upsmon_conf = <<<eod<br>MONITOR {$name}@localhost 1 admin {$password} master
MINSUPPLIES 1
SHUTDOWNCMD "/sbin/shutdown {$shutdownflag} +0"
POWERDOWNFLAG /tmp/killpower
EOD;</eod<br>

Added to rc.shutdown before the temp cleanup section:


if (test -f /tmp/killpower)
    then
        echo "Shutting down UPS power..."
        /usr/local/libexec/nut/upsdrvctl shutdown
    fi

wishyou · Oct 9, 2012, 10:52 AM

Quick additional note about testing APC Smart UPS-es with FSD:

Remember that you will have to pull the UPS plug to test everything properly, even when using FSD, as 'shutdown.return' for smart signaling ups-es only work when on battery.

More in the spec: http://grox.net/man/ups/apcsmart.html (See 'S' - Soft shutdown)

Wish

Nachtfalke · Oct 9, 2012, 3:29 PM

Hi,

probably this is a stupid question:
The NUT package is for checking the status of a connected Uninterruptible Power Supply, right?

Tell me if I am wrong but it is only for checing/watching one singe UPS, right?

Is there a possibility to improve this package to allow the user to add more and different UPS? We have different buildings and in every building we have an UPS. All UPS have the ability to be connected to the LAN and I thought it could be a good idea to connect all UPS to the NUT package on pfsense to watch all the UPS at once.

Is this a "limitation" of the GUI or is this a "limitation" on the software itself ?

Thank your for your help!

mbedyn · Nov 1, 2012, 9:06 PM

I also updated nut package, but have problem with upssched right now… :(

upsmon[3752]: UPS monk@127.0.0.1 on battery
upssched[30216]: Timer daemon started
upssched[30216]: Unknown command on socket:
upssched[30216]: arg 0: 15START
upssched[30216]: arg 1: onbatt
upssched[30216]: arg 2: 15
upssched[30215]: read confirmation got [ERR
[/quote]

looks like not only my problem
http://www.mail-archive.com/debian-bugs-dist@lists.debian.org/msg1051099.html

is there any chance to downgrade package?