Remotely backing up PFsense Configuration



Published: 2018-10-03 23:14:04 +0000
Categories: BASH

Language

BASH

Description

I like PFsense. It's achieved the goal of being a good firewall, allowing complex rules, without being too much of a pain to manage.

However, being a firewall, it does live its life on the edge, exposed to miscreants and users alike, so I like to make sure the configuration is automatically backed up (pulling into a git repo also means you can receive notifications when the config changes).

There isn't an easy and direct route to remotely pull a backup, so this snippet provides functions to allow you to do so from BASH scripts. Because it's effectively reliant on scraping the web interface, the requests needed vary between PFsense versions, hence the separate functions below.

Snippet

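function pfSenseBackup234(){
# Backup for versions >= 2.3.4
# basically needs more POST params than 226
#
# Notes that apply to all three functions:
#  - --no-check-certificate disables TLS certificate validation, so the
#    login is sent without verifying who is answering. If you have the
#    firewall's certificate (or its CA), use --ca-certificate instead.
#  - user and password are placed in the POST body as-is, so percent-encode
#    any reserved characters (&, =, %, +) before passing them in.
#  - cookies.txt, csrf.txt and csrf2.txt are written to the current
#    directory and hold a live session; delete them once the backup is done.

local host=$1
local user=$2
local password=$3
local outfile=$4

# Fetch the login page: sets the session cookie and yields the first CSRF token
wget -qO- --keep-session-cookies --save-cookies cookies.txt \
  --no-check-certificate "https://${host}/diag_backup.php" \
  | grep "name='__csrf_magic'" | sed 's/.*value="\(.*\)".*/\1/' > csrf.txt

# Log in; the response carries a new CSRF token for the authenticated session
wget -qO- --keep-session-cookies --load-cookies cookies.txt \
  --save-cookies cookies.txt --no-check-certificate \
  --post-data "login=Login&usernamefld=${user}&passwordfld=${password}&__csrf_magic=$(cat csrf.txt)" \
  "https://${host}/diag_backup.php" | grep "name='__csrf_magic'" \
  | sed 's/.*value="\(.*\)".*/\1/' > csrf2.txt

# Request the configuration download (the POST body must be a single line)
wget --keep-session-cookies --load-cookies cookies.txt --no-check-certificate \
  --post-data "backuparea=&donotbackuprrd=yes&encrypt_password=&download=Download%20configuration%20as%20XML&restorearea=&decrypt_password=&__csrf_magic=$(cat csrf2.txt)" \
  "https://${host}/diag_backup.php" -O "$outfile"

}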

function pfSenseBackup226(){
# Backup for versions >= 2.2.6

local host=$1
local user=$2
local password=$3
local outfile=$4

# Fetch the login page: sets the session cookie and yields the first CSRF token
wget -qO- --keep-session-cookies --save-cookies cookies.txt \
  --no-check-certificate "https://${host}/diag_backup.php" \
  | grep "name='__csrf_magic'" | sed 's/.*value="\(.*\)".*/\1/' > csrf.txt

# Log in; the response carries a new CSRF token for the authenticated session
wget -qO- --keep-session-cookies --load-cookies cookies.txt \
  --save-cookies cookies.txt --no-check-certificate \
  --post-data "login=Login&usernamefld=${user}&passwordfld=${password}&__csrf_magic=$(cat csrf.txt)" \
  "https://${host}/diag_backup.php" | grep "name='__csrf_magic'" \
  | sed 's/.*value="\(.*\)".*/\1/' > csrf2.txt

# Request the configuration download
wget --keep-session-cookies --load-cookies cookies.txt --no-check-certificate \
  --post-data "Submit=download&donotbackuprrd=yes&__csrf_magic=$(cat csrf2.txt)" \
  "https://${host}/diag_backup.php" -O "$outfile"

}

function pfSenseBackup(){
# Backup for versions prior to 2.2.6
local host=$1
local user=$2
local password=$3
local outfile=$4

# Log in and keep the session cookie. The POST body is double-quoted so
# that ${user} and ${password} are expanded rather than sent literally.
wget -qO/dev/null --keep-session-cookies --save-cookies cookies.txt \
 --post-data "login=Login&usernamefld=${user}&passwordfld=${password}" \
 --no-check-certificate "https://${host}/diag_backup.php"

# Request the configuration download
wget --keep-session-cookies --load-cookies cookies.txt \
 --post-data 'Submit=download&donotbackuprrd=yes' "https://${host}/diag_backup.php" \
 --no-check-certificate -O "$outfile"

}

Usage Example

pfSenseBackup234 192.168.1.1 BackupUser 'MySecurePassword' "${DATE}-config.xml"
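
Because the functions scrape the web interface, a failed login or a version mismatch leaves an HTML page in the output file rather than a configuration. The following is an added example, not part of the original snippet: it checks the download before storing it in a git repository and commits only when the file has changed. The function names, the config.xml file name, the commit identity and the paths in the comments are assumptions.

```bash
# Added example: validate a downloaded backup, then commit it if it changed.

# Succeed only if $1 looks like a complete pfSense export (root element
# <pfsense>), not the HTML login or error page a failed scrape leaves behind.
isPfSenseConfig() {
    [ -s "$1" ] || return 1                               # missing or empty
    head -c 1024 "$1" | grep -q '<pfsense>' || return 1   # root element near the top
    tail -c 256 "$1" | grep -q '</pfsense>'               # closing tag: not truncated
}

# Validate $1 and commit it to the git work tree $2 only when it differs
# from the copy already there. Prints "changed" or "unchanged"; prints
# "invalid" and returns 2, leaving the repository untouched, if the
# download fails validation.
storeBackup() {
    local new=$1 repo=$2
    isPfSenseConfig "$new" || { echo "invalid"; return 2; }
    if [ -f "$repo/config.xml" ] && cmp -s "$new" "$repo/config.xml"; then
        echo "unchanged"
        return 0
    fi
    cp "$new" "$repo/config.xml" || return 1
    git -C "$repo" add config.xml &&
    git -C "$repo" -c user.name=pfsense-backup -c user.email=backup@localhost \
        commit -q -m "pfSense config changed $(date -u +%Y-%m-%dT%H:%M:%SZ)" \
        >/dev/null || return 1
    echo "changed"
}

# Typical use (placeholder paths), after one of the functions above has run:
#   pfSenseBackup234 "$host" "$user" "$pass" /tmp/new.xml \
#     && storeBackup /tmp/new.xml /srv/pfsense-config
```

The export contains password hashes and keys, so keep the repository private and readable only by the account that runs the backup.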

Requires

Create a new user in PFsense:

  1. System -> User Manager -> Groups -> Add
  2. Create a group and then click Save
  3. Open the group for editing, there should now be an Assigned Privileges section, click Add
  4. Allow WebCfg - Diagnostics: Backup & Restore, then save
  5. Switch to the Users tab, and choose Add
  6. Set the username, password etc., and make the user a member of your new group
  7. Save
  8. Pass the username and password you set to the functions above

Keywords

PFsense, backup, firewall, script

Copyright © 2019 Ben Tasker
Available at snippets.bentasker.co.uk, yr4pnhounvdybotb.onion and snippets.6zdgh5a5e6zpchdz.onion