Netgate Discussion Forum

HEADS UP: NUT package update may require settings change if using remote access

  • J
    jimp Rebel Alliance Developer Netgate
    last edited by Sep 5, 2012, 2:45 PM Sep 5, 2012, 2:03 PM

    The NUT package was updated to NUT version 2.6.4 due to CVE-2012-2944 - http://redmine.pfsense.org/issues/2621

    Versions of nut after 2.2.x no longer support internal network access restrictions. Instead they now rely on changing the interface binding and firewall rules.

    With the new package existing ACLs are no longer used and it will only bind to localhost.

    You can add a port forward for TCP port 3493 on the interface of your choice (lan, wan, etc) to localhost:3493 and regain remote access.

    Also because the users can't be restricted by host any more, I changed the local status user to use a (somewhat) randomly generated password rather than "mypass" or else someone could have logged in with that (now global) user remotely if a NAT rule was added.

    Please upgrade/test the NUT package - it works for me locally for a simple test case - my APC Back-UPS ES 450 is detected and reports fine, but other test cases (various remote access modes and so on) need evaluation.

    • M
      msi
      last edited by Sep 5, 2012, 2:43 PM

      Hi Jim (actually me who reported in redmine)

      The following UPS/Network card seems to be recognized:

      • UPS Model: Eaton-Powerware 5215 (branded as IBM 3000HV)

      • Network card: ConnectUPS Web/SNMP card V4.34

      • Settings: SNMPv1 (v2c doesn't work with these cards), MIB: pw

      The panel also says that NUT runs, it reads battery values etc.
      I'd just need to do a UPS test somehow to see if it really shuts down. ;)

      • W
        wishyou
        last edited by Oct 5, 2012, 8:25 AM

        Hi!

        I have an APC 1400 SmartUPS on pfSense as a NUT master and three other devices as NUT slaves, and this last upgrade required some modifications. Here is how I did it, it may help others:

        • First of all I modified the user creation for the local section in nut.inc to create a separate monitor master user in addition to the monitor slave user. For the last one I used the fields from the GUI.

        • I gave the admin user rights to set properties and run commands as well to allow me to adjust the UPS settings like LB criteria and so on.

        • Changed the power down flag in nut.inc to /tmp/killpower (as /etc is mounted ro)

        • Added a test for the power down flag to rc.shutdown and run '/usr/local/libexec/nut/upsdrvctl shutdown' if present

        • Finally I created the NAT rule described above to the LAN interface.

        Everything works like a charm, I can set values, run commands and test shutdown using FSD. All my devices shut down and start up as expected.

        Wish

        nut.inc changes (from line 270):

        
        $password = uniqid("nut");
        
        /* upsd.users */
        $upsd_users = "[admin]\n";
        $upsd_users .= "password = {$password}\n";
        $upsd_users .= "actions = set\n";
        $upsd_users .= "actions = fsd\n";
        $upsd_users .= "instcmds = all\n";
        $upsd_users .= "upsmon master\n";
        
        if($allowpass && $allowuser) {
            $upsd_users .= "\n[$allowuser]\n";
            $upsd_users .= "password = $allowpass\n";
            $upsd_users .= "upsmon slave\n";
        }
        
        /* upsmon.conf */
        $upsmon_conf = <<<EOD
        MONITOR {$name}@localhost 1 admin {$password} master
        MINSUPPLIES 1
        SHUTDOWNCMD "/sbin/shutdown {$shutdownflag} +0"
        POWERDOWNFLAG /tmp/killpower
        EOD;
        

        Added to rc.shutdown before the temp cleanup section:

        
        if (test -f /tmp/killpower)
            then
                echo "Shutting down UPS power..."
                /usr/local/libexec/nut/upsdrvctl shutdown
            fi
        
        
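The posts above note that upsd.users accounts are no longer restricted by host and that the local user's password changed from "mypass" to a `uniqid("nut")` value, which is the prefix plus 13 hex digits taken from the clock. As an added example (not code from the thread or the package), this shell audit flags such accounts in an upsd.users file before a port forward for TCP 3493 exposes them; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): flag upsd.users accounts that are risky
# once upsd is reachable through a port forward on TCP 3493.
audit_upsd_users() {   # usage: audit_upsd_users FILE
    awk '
    function report(msg) { print user ": " msg }
    function emit() {
        if (user == "") return
        if (pass == "") report("no password")
        else if (pass == "mypass") report("old package default password")
        else if (length(pass) == 16 && pass ~ /^nut[0-9a-f]+$/)
            report("uniqid-style password, derived from the clock")
        if (priv != "") report("can change UPS state: " substr(priv, 3))
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }          # skip comments and blank lines
    /^[ \t]*\[/ {                               # [username] starts a new section
        emit()
        user = $0; sub(/^[ \t]*\[/, "", user); sub(/\].*$/, "", user)
        pass = ""; priv = ""
        next
    }
    {
        line = $0; sub(/^[ \t]+/, "", line); sub(/[ \t]*=[ \t]*/, "=", line)
        if (line ~ /^password=/) { pass = substr(line, 10); gsub(/"/, "", pass) }
        else if (line ~ /^(actions|instcmds)=/ || line ~ /^upsmon[ \t]+master/)
            priv = priv ", " line
    }
    END { emit() }
    ' "$1"
}

# Constructed sample: the layout the nut.inc change above would generate.
sample_upsd_users() {
    cat <<'EOF'
[admin]
password = nut50448f5c1a2b3
actions = set
actions = fsd
instcmds = all
upsmon master

[monuser]
password = mypass
upsmon slave
EOF
}

tmp=$(mktemp) && sample_upsd_users > "$tmp" && audit_upsd_users "$tmp"
rm -f "$tmp"
```

Any account it reports as able to change UPS state is worth pairing with a source-address restriction on the port forward, since upsd itself no longer filters by host.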
        • W
          wishyou
          last edited by Oct 9, 2012, 10:52 AM

          Quick additional note about testing APC Smart UPS-es with FSD:

          Remember that you will have to pull the UPS plug to test everything properly, even when using FSD, as 'shutdown.return' for smart signaling UPSes only works when on battery.

          More in the spec: http://grox.net/man/ups/apcsmart.html (See 'S' - Soft shutdown)

          Wish

          • N
            Nachtfalke
            last edited by Oct 9, 2012, 3:29 PM

            Hi,

            probably this is a stupid question:
            The NUT package is for checking the status of a connected Uninterruptible Power Supply, right?

            Tell me if I am wrong but it is only for checking/watching one single UPS, right?

            Is there a possibility to improve this package to allow the user to add more and different UPS? We have different buildings and in every building we have an UPS. All UPS have the ability to be connected to the LAN and I thought it could be a good idea to connect all UPS to the NUT package on pfsense to watch all the UPS at once.

            Is this a "limitation" of the GUI or is this a "limitation" on the software itself ?

            Thank you for your help!

            • M
              mbedyn
              last edited by Nov 1, 2012, 9:06 PM

              I also updated the nut package, but have a problem with upssched right now… :(

              upsmon[3752]: UPS monk@127.0.0.1 on battery
              upssched[30216]: Timer daemon started
              upssched[30216]: Unknown command on socket:
              upssched[30216]: arg 0: 15START
              upssched[30216]: arg 1: onbatt
              upssched[30216]: arg 2: 15
              upssched[30215]: read confirmation got [ERR

              Looks like it is not only my problem:
              http://www.mail-archive.com/debian-bugs-dist@lists.debian.org/msg1051099.html

              Is there any chance to downgrade the package?
