Remotely backing up PFsense Configuration



Published: 2018-10-03 23:14:04 +0000
Categories: BASH

Language

BASH

Description

I like PFsense. It's achieved the goal of being a good firewall, allowing complex rules, without being too much of a pain to manage.

However, being a firewall, it does live its life on the edge, exposed to miscreants and users alike, so I like to make sure the configuration is automatically backed up (pulling into a git repo also means you can receive notifications when the config changes).

There isn't an easy and direct route to remotely pull a backup, so this snippet provides functions to allow you to do so from BASH scripts. Because it's effectively reliant on scraping, there is some variation between PFSense versions.

Snippet

function pfSenseBackup234(){
# Backup for versions >= 2.3.4
# basically needs more POST params than 226

host=$1
user=$2
password=$3
outfile=$4

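# Step 1: fetch the login page, saving the session cookie and the CSRF token.
# NOTE: --no-check-certificate turns off TLS certificate verification, so the
# login is not protected against interception; where you can, drop it and
# pass --ca-certificate with the CA that signed the firewall's certificate.
wget -qO- --keep-session-cookies --save-cookies cookies.txt \
  --no-check-certificate "https://$host/diag_backup.php" \
  | grep "name='__csrf_magic'" | sed 's/.*value="\(.*\)".*/\1/' > csrf.txt

# Step 2: log in; the response carries a fresh CSRF token for the backup form
wget -qO- --keep-session-cookies --load-cookies cookies.txt \
  --save-cookies cookies.txt --no-check-certificate \
  --post-data "login=Login&usernamefld=${user}&passwordfld=${password}&__csrf_magic=$(cat csrf.txt)" \
  "https://$host/diag_backup.php"  | grep "name='__csrf_magic'" \
  | sed 's/.*value="\(.*\)".*/\1/' > csrf2.txt

# Step 3: submit the backup form (POST data must stay on a single line)
wget --keep-session-cookies --load-cookies cookies.txt --no-check-certificate \
  --post-data "backuparea=&donotbackuprrd=yes&encrypt_password=&download=Download%20configuration%20as%20XML&restorearea=&decrypt_password=&__csrf_magic=$(cat csrf2.txt)" \
  "https://$host/diag_backup.php" -O "$outfile"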

}

function pfSenseBackup226(){
# Backup for versions >= 2.2.6

host=$1
user=$2
password=$3
outfile=$4

wget -qO- --keep-session-cookies --save-cookies cookies.txt \
  --no-check-certificate https://$host/diag_backup.php \
  | grep "name='__csrf_magic'" | sed 's/.*value="\(.*\)".*/\1/' > csrf.txt

wget -qO- --keep-session-cookies --load-cookies cookies.txt \
  --save-cookies cookies.txt --no-check-certificate \
  --post-data "login=Login&usernamefld=${user}&passwordfld=${password}&__csrf_magic=$(cat csrf.txt)" \
  https://$host/diag_backup.php  | grep "name='__csrf_magic'" \
  | sed 's/.*value="\(.*\)".*/\1/' > csrf2.txt

wget --keep-session-cookies --load-cookies cookies.txt --no-check-certificate \
  --post-data "Submit=download&donotbackuprrd=yes&__csrf_magic=$(cat csrf2.txt)" \
  https://$host/diag_backup.php -O "$outfile"

}

function pfSenseBackup(){
# Backup for versions prior to 2.2.6
host=$1
user=$2
password=$3
outfile=$4

# Log in (double quotes so that ${user} and ${password} are expanded)
wget -qO/dev/null --keep-session-cookies --save-cookies cookies.txt \
 --post-data "login=Login&usernamefld=${user}&passwordfld=${password}" \
 --no-check-certificate "https://$host/diag_backup.php"
# Request the configuration download
wget --keep-session-cookies --load-cookies cookies.txt \
 --post-data 'Submit=download&donotbackuprrd=yes' "https://$host/diag_backup.php" \
 --no-check-certificate -O "$outfile"

}

Usage Example

pfSenseBackup234 192.168.1.1 BackupUser 'MySecurePassword' "${DATE}-config.xml"
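
An added example, not part of the original snippet: a wrapper for the functions above that percent-encodes the credentials (ASCII assumed), runs the backup in a private temporary directory so cookies.txt and the csrf files are removed afterwards, and only replaces the existing backup if the download looks like a pfSense config rather than the login page. The names urlencode, is_pfsense_config and safe_backup are hypothetical, and the validation assumes the export opens with a <pfsense> root element and ends with </pfsense>.

```bash
# Percent-encode a value for a form-encoded POST body, so a password
# containing & = % + or spaces is not split or altered by --post-data.
urlencode() {
    local LC_ALL=C
    local s out c rest
    s=$1 out=
    while [ -n "$s" ]; do
        rest=${s#?}; c=${s%"$rest"}; s=$rest   # peel off the first character
        case $c in
            [a-zA-Z0-9.~_-]) out=$out$c ;;
            *) out=$out$(printf '%%%02X' "'$c") ;;
        esac
    done
    printf '%s' "$out"
}

# Succeed only if the file looks like a config export and not the HTML login
# page returned after a failed login (assumption: <pfsense> root element).
is_pfsense_config() {
    [ -s "$1" ] || return 1
    head -n 2 "$1" | grep -q '<pfsense>' || return 1
    tail -n 2 "$1" | grep -q '</pfsense>'
}

# Run a backup function (e.g. pfSenseBackup234) inside a private temp
# directory, because those functions write cookies.txt and csrf*.txt to the
# current directory. The destination is replaced only if validation passes.
safe_backup() {
    local fn host user pass dest tmp rc
    fn=$1 host=$2 user=$3 pass=$4 dest=$5 rc=0
    case $dest in /*) ;; *) dest=$PWD/$dest ;; esac
    tmp=$(mktemp -d) || return 1
    ( umask 077; cd "$tmp" &&
      "$fn" "$host" "$(urlencode "$user")" "$(urlencode "$pass")" new.xml
    ) || rc=1
    if [ "$rc" -eq 0 ] && is_pfsense_config "$tmp/new.xml"; then
        mv -- "$tmp/new.xml" "$dest"
    else
        echo "backup of $host failed validation, $dest left unchanged" >&2
        rc=1
    fi
    rm -rf -- "$tmp"   # discard the session cookie and CSRF token files
    return "$rc"
}

# safe_backup pfSenseBackup234 192.168.1.1 BackupUser 'MySecurePassword' "${DATE}-config.xml"
```

Because a failed run leaves the previous file untouched, a git commit made after safe_backup never records a login page as the firewall's configuration.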

Requires

Create a new user in PFsense:

  1. System -> User Manager -> Groups -> Add
  2. Create a group and then click Save
  3. Open the group for editing; there should now be an Assigned Privileges section. Click Add
  4. Allow WebCfg - Diagnostics: Backup & Restore, then save
  5. Switch to the Users tab, and choose Add
  6. Set the username, password etc., and make the user a member of your new group
  7. Save
  8. Pass the username and password you set to the functions above

Keywords

PFsense, backup, firewall, script

Copyright © 2019 Ben Tasker
Available at snippets.bentasker.co.uk and snippets.6zdgh5a5e6zpchdz.onion