Remotely backing up pfSense Configuration (BASH)

I like pfSense. It's achieved the goal of being a good firewall, allowing complex rules, without being too much of a pain to manage.

However, being a firewall, it does live its life on the edge exposed to miscreants and users alike, so I like to make sure the configuration is automatically backed up (pulling into a git repo also means you can receive notifications when the config changes).

There isn't an easy and direct route to remotely pull a backup, so this snippet provides functions to allow you to do so from BASH scripts. Because it's effectively reliant on scraping, there is some variation between pfSense versions.

Details

  • Language: BASH

Snippet

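function pfSenseBackup234(){
# Backup for versions >= 2.3.4
# basically needs more POST params than 226
#
# --no-check-certificate disables TLS verification, so the login is sent
# without authenticating the firewall; use --ca-certificate=<file> where you can.
# The password is placed in the POST data as-is, so it must not contain
# characters that need URL-encoding (e.g. & or %).

local host=$1
local user=$2
local password=$3
local outfile=$4

# Fetch the login page: stores the session cookie and the first CSRF token
wget -qO- --keep-session-cookies --save-cookies cookies.txt \
  --no-check-certificate "https://$host/diag_backup.php" \
  | grep "name='__csrf_magic'" | sed 's/.*value="\(.*\)".*/\1/' > csrf.txt

# Log in; the response carries a fresh CSRF token for the backup form
wget -qO- --keep-session-cookies --load-cookies cookies.txt \
  --save-cookies cookies.txt --no-check-certificate \
  --post-data "login=Login&usernamefld=${user}&passwordfld=${password}&__csrf_magic=$(cat csrf.txt)" \
  "https://$host/diag_backup.php"  | grep "name='__csrf_magic'" \
  | sed 's/.*value="\(.*\)".*/\1/' > csrf2.txt

# Request the configuration as XML (the POST data must be a single line)
wget --keep-session-cookies --load-cookies cookies.txt --no-check-certificate \
  --post-data "backuparea=&donotbackuprrd=yes&encrypt_password=&download=Download%20configuration%20as%20XML&restorearea=&decrypt_password=&__csrf_magic=$(cat csrf2.txt)" \
  "https://$host/diag_backup.php" -O "$outfile"
local rc=$?

# cookies.txt holds a live session cookie: do not leave it on disk
rm -f cookies.txt csrf.txt csrf2.txt
return $rc

}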

function pfSenseBackup226(){
# Backup for versions >= 2.2.6

local host=$1
local user=$2
local password=$3
local outfile=$4

# Fetch the login page: stores the session cookie and the first CSRF token
wget -qO- --keep-session-cookies --save-cookies cookies.txt \
  --no-check-certificate "https://$host/diag_backup.php" \
  | grep "name='__csrf_magic'" | sed 's/.*value="\(.*\)".*/\1/' > csrf.txt

# Log in; the response carries a fresh CSRF token for the backup form
wget -qO- --keep-session-cookies --load-cookies cookies.txt \
  --save-cookies cookies.txt --no-check-certificate \
  --post-data "login=Login&usernamefld=${user}&passwordfld=${password}&__csrf_magic=$(cat csrf.txt)" \
  "https://$host/diag_backup.php"  | grep "name='__csrf_magic'" \
  | sed 's/.*value="\(.*\)".*/\1/' > csrf2.txt

# Request the configuration download
wget --keep-session-cookies --load-cookies cookies.txt --no-check-certificate \
  --post-data "Submit=download&donotbackuprrd=yes&__csrf_magic=$(cat csrf2.txt)" \
  "https://$host/diag_backup.php" -O "$outfile"
local rc=$?

# cookies.txt holds a live session cookie: do not leave it on disk
rm -f cookies.txt csrf.txt csrf2.txt
return $rc

}

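function pfSenseBackup(){
# Backup for versions prior to 2.2.6
local host=$1
local user=$2
local password=$3
local outfile=$4

# Log in and store the session cookie (no CSRF token on these versions)
wget -qO/dev/null --keep-session-cookies --save-cookies cookies.txt \
 --post-data "login=Login&usernamefld=${user}&passwordfld=${password}" \
 --no-check-certificate "https://$host/diag_backup.php"

# Request the configuration download
wget --keep-session-cookies --load-cookies cookies.txt \
 --post-data 'Submit=download&donotbackuprrd=yes' "https://$host/diag_backup.php" \
 --no-check-certificate -O "$outfile"
local rc=$?

# cookies.txt holds a live session cookie: do not leave it on disk
rm -f cookies.txt
return $rc

}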

Usage Example

pfSenseBackup234 192.168.1.1 BackupUser 'MySecurePassword' "${DATE}-config.xml"
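
Because the download relies on scraping, a failed login still produces an output file, and committing it would overwrite the last good backup with a login page. The following is an added example, not part of the original snippet, that validates the download and only replaces and commits the stored copy when it is a complete, changed config. The function names and the paths in the usage comment are hypothetical, and it assumes an unencrypted backup whose root element is `<pfsense>`.

```shell
# Added example (not from the original snippet). Function names and the
# paths in the usage comment are hypothetical.

# A failed scrape (rejected login, stale CSRF token, renamed form field)
# still writes a file, but it contains the HTML login page, not the config.
pfsense_backup_is_valid() {
    local f="$1"
    [ -s "$f" ] || return 1                              # missing or empty
    head -c 512 "$f" | grep -q '<pfsense>' || return 1   # root element at the top
    tail -c 64 "$f" | grep -q '</pfsense>'               # download not truncated
}

# Move a validated download over the last good copy.
# Exit status: 0 = new config stored, 1 = unchanged, 2 = rejected.
store_backup() {
    local candidate="$1" dest="$2"
    if ! pfsense_backup_is_valid "$candidate"; then
        rm -f -- "$candidate"
        return 2
    fi
    if [ -f "$dest" ] && cmp -s "$candidate" "$dest"; then
        rm -f -- "$candidate"
        return 1
    fi
    chmod 600 "$candidate"   # the config holds password hashes and keys
    mv -f -- "$candidate" "$dest"
}

# Commit the stored file so the repository's notifications fire on change.
commit_backup() {
    local repo="$1" file="$2"
    git -C "$repo" add -- "$file" &&
        git -C "$repo" commit -q -m "pfSense config changed $(date -u +%Y-%m-%dT%H:%M:%SZ)" -- "$file"
}

# Usage:
#   tmp=$(mktemp)
#   pfSenseBackup234 192.168.1.1 BackupUser 'MySecurePassword' "$tmp" &&
#       store_backup "$tmp" /srv/fw-config/config.xml &&
#       commit_backup /srv/fw-config config.xml
```

A non-zero status from `store_backup` is also a useful alerting signal: status 2 on a scheduled run usually means the credentials or the scraped form fields no longer match the firewall's version.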