Shutdown pfSense remotely with a Linux/Bash Script
I thought some of you might appreciate this.
I'm using a UPS which is connected to my home server via USB connection. I wanted to make the home server shutdown my pfSense firewall and my managed switch before powering off the the home server itself. It's taken me a couple of hours to work it out, mainly due to CSRF Magic.
Set-up a new user with User Manager. Note the user name and password.
Give the user the following privilege:
WebCfg - Diagnostics: Halt system page
Take a copy of my script, available from GitHub => https://github.com/biscuitNinja/bash/blob/master/shutdownPfSense and save it on the machine from which you want to run it. Make sure it's set to be executable. I'd suggest not making it world readable.
Edit the script changing the first three variables to appropriate values. Obviously the usr and pwd values are those which you noted down in step 1.
Test the script.
As an aside, I have a similar script for backing up my pfSense configuration. In version 2.2.2 that doesn't seemed to be protected by CSRF Magic. Is this intentional?
That's very over-engineered. It'll work, but there are simpler ways like using ssh directly.
- Add a user
- Grant user shell access
- On your home server, generate an ssh key for the user without a passphrase (or, better, figure out a way to use ssh-agent for the client)
- Paste the public SSH key into the pfSense user's account
- Install sudo package
- Grant user sudo access to /etc/rc.halt
Then just run something like:
ssh firstname.lastname@example.org sudo /etc/rc.halt
No hardcoded passwords, a bit more secure, and no csrf/cookie song-and-dance.
@jimp So I've done exactly this and it just does not work.
ssh email@example.com sudo /etc/rc.halt
sudo: no tty present and no askpass program specified
Just tested this, and works exactly how jimp stated..
Let's see what you did exactly.. Because what I have learned over the years is users say they did X, when it ends up they really did Y.
You set in sudo for no password checkbox right? and /etc/rc.halt as the command they can run
[2.4.4-RELEASE][firstname.lastname@example.org]/home/testhalt: sudo /etc/rc.halt Shutdown NOW! shutdown: [pid 51717] *** FINAL System shutdown message from email@example.com *** System going down IMMEDIATELY System shutdown time has arrived [2.4.4-RELEASE][firstname.lastname@example.org]/home/testhalt:
I didn't bother testing it with just cmd line for the whole thing, but if can ssh with the account using public key and doesn't ask me for password to run the cmd, then could sent it all at once..