"Proper" pfSense backup script

abb — Sat, 29 Oct 2011 20:01:31 +0000

Well, maybe the title is a bit ambitions, but at least the script below is is an improvement comparing to these two approaches: 1 and 2:
* It validates server-side certificate instead of ignoring them
* Logs out to invalidate the session cookie and wipes the temporary file used to store it
* Does not fetch whole bulk of RRD data

#!/bin/sh -e

user=***
password=***
host=***

cacert=$host-cacert.pem
cfgfile=$host-`date +%Y%m%d%H%M%S`.xml

cookiejar=`mktemp`

## authenticate and save session cookie
wget -q -O /dev/null --keep-session-cookies --save-cookies $cookiejar \
--post-data "login=Login&usernamefld=$user&passwordfld=$password" \
--ca-certificate $cacert https://$host/

## download the config
wget -q --load-cookies $cookiejar \
--post-data 'Submit=download&donotbackuprrd=on' -O $cfgfile \
--ca-certificate $cacert https://$host/diag_backup.php

## logout to invalidate session cookie
wget -q -O /dev/null --load-cookies $cookiejar \
--ca-certificate $cacert https://$host/index.php?logout

## erase session cookie
rm $cookiejar

To use it:
1. Make your firewall use non-default certificate. It is easy to generate a certificate in pfSense with its built-in CA. Make sure CN of the new certificate matches IP/hostname you will use to access the firewall.
2. Make CA certificate in PEM format available to this script ($host-cacert.pem file).
2. Optional: create lower-privileged user for backup retrieval, it only needs access to "Diag/Backup-Restore" page.
3. Set user/password/host parameters.

The script might be improved by adding config encryption. Should be useful because the configs apparenly carry unsalted MD5 password hashes.

abb Sat, 10/29/2011 - 22:01

pfsense config backup

"Proper" pfSense backup script