Remotely backing up pfSense Configuration (BASH)
I like pfSense. It's achieved the goal of being a good firewall, allowing complex rules, without being too much of a pain to manage.
However, being a firewall, it does live its life on the edge, exposed to miscreants and users alike, so I like to make sure the configuration is automatically backed up (pulling into a git repo also means you can receive notifications when the config changes).
There isn't an easy and direct route to remotely pull a backup, so this snippet provides functions to allow you to do so from BASH scripts. Because it's effectively reliant on scraping, there is some variation between pfSense versions.
Details
- Language: BASH
Snippet
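function pfSenseBackup234(){
    # Backup for versions >= 2.3.4
    # basically needs more POST params than 226
    local host=$1
    local user=$2
    local password=$3
    local outfile=$4

    # NOTE: --no-check-certificate turns off TLS certificate validation, so the
    # login below is exposed to interception; wget's --ca-certificate option
    # can be used instead to trust the firewall's own CA.

    # Fetch the login page: stores the session cookie and the first CSRF token
    wget -qO- --keep-session-cookies --save-cookies cookies.txt \
        --no-check-certificate "https://$host/diag_backup.php" \
        | grep "name='__csrf_magic'" | sed 's/.*value="\(.*\)".*/\1/' > csrf.txt

    # Log in; the response carries a new CSRF token for the backup request
    wget -qO- --keep-session-cookies --load-cookies cookies.txt \
        --save-cookies cookies.txt --no-check-certificate \
        --post-data "login=Login&usernamefld=${user}&passwordfld=${password}&__csrf_magic=$(cat csrf.txt)" \
        "https://$host/diag_backup.php" | grep "name='__csrf_magic'" \
        | sed 's/.*value="\(.*\)".*/\1/' > csrf2.txt

    # Request the configuration (the POST body has to stay on one line)
    wget --keep-session-cookies --load-cookies cookies.txt --no-check-certificate \
        --post-data "backuparea=&donotbackuprrd=yes&encrypt_password=&download=Download%20configuration%20as%20XML&restorearea=&decrypt_password=&__csrf_magic=$(cat csrf2.txt)" \
        "https://$host/diag_backup.php" -O "$outfile"
    local rc=$?

    # Do not leave the session cookie and tokens on disk (or in the git repo)
    rm -f cookies.txt csrf.txt csrf2.txt
    return $rc
}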
function pfSenseBackup226(){
    # Backup for versions >= 2.2.6
    local host=$1
    local user=$2
    local password=$3
    local outfile=$4

    # Fetch the login page: stores the session cookie and the first CSRF token
    wget -qO- --keep-session-cookies --save-cookies cookies.txt \
        --no-check-certificate "https://$host/diag_backup.php" \
        | grep "name='__csrf_magic'" | sed 's/.*value="\(.*\)".*/\1/' > csrf.txt

    # Log in; the response carries a new CSRF token for the backup request
    wget -qO- --keep-session-cookies --load-cookies cookies.txt \
        --save-cookies cookies.txt --no-check-certificate \
        --post-data "login=Login&usernamefld=${user}&passwordfld=${password}&__csrf_magic=$(cat csrf.txt)" \
        "https://$host/diag_backup.php" | grep "name='__csrf_magic'" \
        | sed 's/.*value="\(.*\)".*/\1/' > csrf2.txt

    # Request the configuration download
    wget --keep-session-cookies --load-cookies cookies.txt --no-check-certificate \
        --post-data "Submit=download&donotbackuprrd=yes&__csrf_magic=$(cat csrf2.txt)" \
        "https://$host/diag_backup.php" -O "$outfile"
    local rc=$?

    # Do not leave the session cookie and tokens on disk (or in the git repo)
    rm -f cookies.txt csrf.txt csrf2.txt
    return $rc
}
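function pfSenseBackup(){
    # Backup for versions prior to 2.2.6
    local host=$1
    local user=$2
    local password=$3
    local outfile=$4

    # Log in and store the session cookie. The POST data needs double quotes,
    # otherwise ${user} and ${password} are sent as literal text.
    wget -qO/dev/null --keep-session-cookies --save-cookies cookies.txt \
        --post-data "login=Login&usernamefld=${user}&passwordfld=${password}" \
        --no-check-certificate "https://$host/diag_backup.php"

    # Download the configuration using the authenticated session
    wget --keep-session-cookies --load-cookies cookies.txt \
        --post-data 'Submit=download&donotbackuprrd=yes' "https://$host/diag_backup.php" \
        --no-check-certificate -O "$outfile"
    local rc=$?

    # Do not leave the session cookie on disk (or in the git repo)
    rm -f cookies.txt
    return $rc
}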
Usage Example
pfSenseBackup234 192.168.1.1 BackupUser 'MySecurePassword' "${DATE}-config.xml"
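
The functions above place the username, password and CSRF token into --post-data as-is, and they save whatever the server returns, so a failed login leaves an HTML login page in the output file. The following is an added example, not part of the original snippet: the hypothetical helpers urlencode, login_body and is_pfsense_config percent-encode the form values and check the download before it is committed. It assumes an unencrypted backup whose root element is <pfsense>.

```bash
# Added example; helper names are hypothetical, not from the original snippet.

# Percent-encode one form value (everything except RFC 3986 unreserved chars).
urlencode() (
    LC_ALL=C                    # byte-wise matching, ASCII-only ranges
    s=$1 out=
    while [ -n "$s" ]; do
        rest=${s#?}             # string without its first character
        c=${s%"$rest"}          # the first character
        case $c in
            [A-Za-z0-9._~-]) out=$out$c ;;
            *) out=$out$(printf '%%%02X' "'$c") ;;
        esac
        s=$rest
    done
    printf '%s' "$out"
)

# Build the login POST body with the form field names used in the snippet.
login_body() {  # args: user password csrf_token
    printf 'login=Login&usernamefld=%s&passwordfld=%s&__csrf_magic=%s' \
        "$(urlencode "$1")" "$(urlencode "$2")" "$(urlencode "$3")"
}

# Succeed only if the file looks like a complete, unencrypted config.xml.
# After a failed login wget saves the HTML login page under the same name.
is_pfsense_config() {
    [ -s "$1" ] || return 1                          # missing or empty
    head -n 1 "$1" | grep -q '^<?xml' || return 1    # not XML at all
    grep -q '<pfsense>' "$1" && grep -q '</pfsense>' "$1"  # root open + close
}

# Constructed sample files (not real pfSense output) to exercise the check.
demo() {
    d=$(mktemp -d) || return 1
    printf '<?xml version="1.0"?>\n<pfsense>\n</pfsense>\n' > "$d/good.xml"
    printf '<!DOCTYPE html>\n<html><body>Login</body></html>\n' > "$d/login.html"
    is_pfsense_config "$d/good.xml" && echo "good.xml: accepted"
    is_pfsense_config "$d/login.html" || echo "login.html: rejected"
    rm -rf "$d"
}
demo
```

In a backup script, pass the output of login_body to --post-data and only commit the downloaded file to git when is_pfsense_config succeeds.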