Shutdown pfSense remotely with a Linux/Bash Script

afasoas · Oct 18, 2015, 5:43 PM

I thought some of you might appreciate this.

I'm using a UPS which is connected to my home server via USB connection. I wanted to make the home server shutdown my pfSense firewall and my managed switch before powering off the the home server itself. It's taken me a couple of hours to work it out, mainly due to CSRF Magic.

Step 1)
Set-up a new user with User Manager. Note the user name and password.

Step 2)
Give the user the following privilege:
WebCfg - Diagnostics: Halt system page

Step 3)
Take a copy of my script, available from GitHub => https://github.com/biscuitNinja/bash/blob/master/shutdownPfSense and save it on the machine from which you want to run it. Make sure it's set to be executable. I'd suggest not making it world readable.

Step 4)
Edit the script changing the first three variables to appropriate values. Obviously the usr and pwd values are those which you noted down in step 1.

Step 5)
Test the script.

As an aside, I have a similar script for backing up my pfSense configuration. In version 2.2.2 that doesn't seemed to be protected by CSRF Magic. Is this intentional?

jimp · Oct 20, 2015, 2:48 PM

That's very over-engineered. It'll work, but there are simpler ways like using ssh directly.

Add a user
Grant user shell access
On your home server, generate an ssh key for the user without a passphrase (or, better, figure out a way to use ssh-agent for the client)
Paste the public SSH key into the pfSense user's account
Install sudo package
Grant user sudo access to /etc/rc.halt

Then just run something like:

ssh myuser@x.x.x.x sudo /etc/rc.halt

No hardcoded passwords, a bit more secure, and no csrf/cookie song-and-dance.

automate · Aug 3, 2019, 12:31 PM

@jimp So I've done exactly this and it just does not work.

ssh nsautomate@192.168.1.254 sudo /etc/rc.halt
sudo: no tty present and no askpass program specified

johnpoz · Aug 3, 2019, 1:53 PM

Just tested this, and works exactly how jimp stated..

Let's see what you did exactly.. Because what I have learned over the years is users say they did X, when it ends up they really did Y.

You set in sudo for no password checkbox right? and /etc/rc.halt as the command they can run

[2.4.4-RELEASE][testhalt@pf1.sitea.lan]/home/testhalt: sudo /etc/rc.halt
Shutdown NOW!
shutdown: [pid 51717]
                                                                               
*** FINAL System shutdown message from testhalt@pf1.sitea.lan ***            

System going down IMMEDIATELY                                                  

                                                                               

System shutdown time has arrived
[2.4.4-RELEASE][testhalt@pf1.sitea.lan]/home/testhalt:

I didn't bother testing it with just cmd line for the whole thing, but if can ssh with the account using public key and doesn't ask me for password to run the cmd, then could sent it all at once..

happynewguy · Jul 25, 2021, 10:52 AM

Many many thanks for this tutorial!