Most recent edit on 2007-11-22 02:07:35 by ChrisBuechler

Executing Shell Commands

A line entered at the pfSense shell prompt with a leading = is handed to the system shell instead of being evaluated as PHP, so you can do things like:

pfSense shell: = killall pftpx
No matching processes were found

Recording and Playback

The shell can record a sequence of commands under a name and play it back later. For example, the session below automates a set of commands that I was having to type over and over: kill off all FTP helper processes and then start them again with system_start_ftp_helpers(). After you type that set of commands five or more times it gets old quickly. Record and playback to the rescue...

One caveat on the final check in these sessions: ps awux | grep "pftpx|ftp-proxy" uses a basic regular expression, where | is a literal character rather than alternation, so the only lines it can match are the sh -c and grep processes whose own command line contains that literal string. To actually confirm the helpers are running again, use grep -E 'pftpx|ftp-proxy' and drop the grep process itself, for example with | grep -v grep.
Recording a session
# /usr/local/sbin/pfSsh.php
Welcome to the pfSense php shell system
Written by Scott Ullrich (sullrich@gmail.com)
Type "help" to show common usage scenarios.
pfSense shell: record restartftp
Recording of restartftp started.
pfSense shell: = killall ftp-proxy
No matching processes were found
pfSense shell: = killall pftpx
No matching processes were found
pfSense shell: = killall ftpsesame
No matching processes were found
pfSense shell: system_start_ftp_helpers();
pfSense shell: = ps awux | grep "pftpx|ftp-proxy"
root 93075 0.0 0.4 1716 992 p0 S+ 7:35PM 0:00.01 sh -c ps awux | grep "pftpx|ftp-proxy"
root 93274 0.0 0.4 1716 992 p0 R+ 7:35PM 0:00.00 sh -c ps awux | grep "pftpx|ftp-proxy"
pfSense shell: stoprecording
Recording stopped.
pfSense shell: exit
Playing back a session
# /usr/local/sbin/pfSsh.php
Welcome to the pfSense php shell system
Written by Scott Ullrich (sullrich@gmail.com)
Type "help" to show common usage scenarios.
pfSense shell: playback restartftp
Playback of file restartftp started.
pfSense shell: = killall ftp-proxy
pfSense shell: = killall pftpx
No matching processes were found
pfSense shell: = killall ftpsesame
No matching processes were found
pfSense shell: system_start_ftp_helpers();
pfSense shell: = ps awux | grep "pftpx|ftp-proxy"
root 9301 0.0 0.4 1716 992 p0 S+ 7:35PM 0:00.01 sh -c ps awux | grep "pftpx|ftp-proxy"
root 9759 0.0 0.3 1524 624 p0 R+ 7:35PM 0:00.01 grep pftpx|ftp-proxy
pfSense shell: exit
Oldest known version of this page was edited on 2007-08-18 23:22:07 by ChrisBuechler

Using The PHP pfSense Shell
The PHP pfSense shell lets you edit the configuration (config.xml) directly without going through the webConfigurator. This makes it possible to deploy pfSense rapidly, or to set up exotic configurations such as a single-port WRAP2B with two wireless NICs. Everything entered here runs as root against the live $config array, and nothing is persisted until write_config() is called, so save deliberately and keep a copy of config.xml before experimenting.

The following shows an example session. Note that the /* */ items are comments.
* * * Welcome to pfSense 1.2-BETA-1-TESTING-SNAPSHOT-04-30-07-pfSense on pfSense * * *
LAN -> ed0 -> 192.168.1.20
WAN -> ed1 -> 10.0.250.243(DHCP)
= = = = pfSense console setup = = = =
0) Logout (SSH only)
1) Assign Interfaces
2) Set LAN IP address
3) Reset webConfigurator password
4) Reset to factory defaults
5) Reboot system
6) Halt system
7) Ping host
8) Shell
9) PFtop
10) Filter Logs
11) Restart webConfigurator
12) pfSense PHP shell
13) Upgrade from console
Enter an option: 12
Starting the pfSense shell system...............
Example commands:
/* to output a configuration array */
print_r($config);
/* to output the interfaces configuration portion of the configuration */
print_r($config['interfaces']);
/* to output the dhcp server configuration */
print_r($config['dhcpd']);
/* to enable multiline input mode */
multiline
/* to exit the php pfSense shell */
exit
/* to output supported wireless modes for an interface */
print_r(get_wireless_modes("ath0"));
/* to enable SSH */
$config['system']['enablesshd'] = true;
/* replace optx with the OPT interface key (opt1, opt2, ...); the descriptive name such as BACKHAUL lives in that interface's descr field */
$config['interfaces']['optx']['wireless']['standard'] = "11a";
$config['interfaces']['optx']['wireless']['mode'] = "hostap";
$config['interfaces']['optx']['wireless']['channel'] = "6";
/* to enable the DHCP server on an OPT interface and set its address range */
$config['dhcpd']['optx']['enable'] = true;
$config['dhcpd']['optx']['range']['from'] = "192.168.31.100";
$config['dhcpd']['optx']['range']['to'] = "192.168.31.150";
/* to disable the firewall filter */
$config['system']['disablefilter'] = true;
/* to enable an interface and set it for dhcp */
$config['interfaces']['optx']['disabled'] = false;
$config['interfaces']['optx']['ipaddr'] = "dhcp";
$config['interfaces']['optx']['subnet'] = "24";
/* to enable an interface and set a static ip address */
$config['interfaces']['wan']['disabled'] = false;
$config['interfaces']['wan']['ipaddr'] = "192.168.100.1";
$config['interfaces']['wan']['subnet'] = "24";
/* to reboot */
system_reboot_sync();
/* to save out the new configuration (config.xml) */
write_config("Saving out custom settings from php pfSense shell");
pfSense shell> multiline
multiline mode enabled. enter EOF on a blank line to execute.
pfSense multiline shell[1]> $config['interfaces']['wan']['disabled'] = false;
pfSense multiline shell[2]> $config['interfaces']['wan']['ipaddr'] = "192.168.100.1";
pfSense multiline shell[3]> $config['interfaces']['wan']['subnet'] = "24";
pfSense multiline shell[4]> write_config();
pfSense multiline shell[5]> EOF
/* The above will set the wan up with an IP address of 192.168.100.1 / 255.255.255.0 */
/* this will reboot the system after writing the configuration from above */
pfSense shell> system_reboot_sync();
END OF EXAMPLE
And finally, here is a sample config.xml, the stock configuration shipped with 1.2-BETA-1. Two things in it are worth noticing from a security standpoint: the system/password element carries the hash of the factory-default admin password, so a deployed config that still contains exactly that value has never had its password changed, and the snmpd section ships with rocommunity set to public (the daemon itself stays off until an enable element is present).
<?xml version="1.0"?>
<!-- pfSense default system configuration -->
<pfsense>
<version>2.9</version>
<lastchange></lastchange>
<theme>nervecenter</theme>
<system>
<optimization>normal</optimization>
<hostname>pfSense</hostname>
<domain>local</domain>
<dnsserver></dnsserver>
<dnsallowoverride/>
<username>admin</username>
<password>$1$dSJImFph$GvZ7.1UbuWu.Yb8etC0re.</password>
<timezone>Etc/UTC</timezone>
<time-update-interval>300</time-update-interval>
<timeservers>pool.ntp.org</timeservers>
<webgui>
<protocol>http</protocol>
<!--
<port></port>
<certificate></certificate>
<private-key></private-key>
<noassigninterfaces/>
<expanddiags/>
<noantilockout></noantilockout>
-->
</webgui>
<disablenatreflection>yes</disablenatreflection>
<!-- <disableconsolemenu/> -->
<!-- <disablefirmwarecheck/> -->
<!-- <shellcmd></shellcmd> -->
<!-- <earlyshellcmd></earlyshellcmd> -->
<!-- <harddiskstandby></harddiskstandby> -->
</system>
<interfaces>
<lan>
<if>sis0</if>
<ipaddr>192.168.1.1</ipaddr>
<subnet>24</subnet>
<media></media>
<mediaopt></mediaopt>
<bandwidth>100</bandwidth>
<bandwidthtype>Mb</bandwidthtype>
<!--
<wireless>
*see below (opt[n])*
</wireless>
-->
</lan>
<wan>
<if>sis1</if>
<mtu></mtu>
<ipaddr>dhcp</ipaddr>
<!-- *or* ipv4-address *or* 'pppoe' *or* 'pptp' *or* 'bigpond' -->
<subnet></subnet>
<gateway></gateway>
<blockpriv/>
<disableftpproxy/>
<dhcphostname></dhcphostname>
<media></media>
<mediaopt></mediaopt>
<bandwidth>100</bandwidth>
<bandwidthtype>Mb</bandwidthtype>
<!--
<wireless>
*see below (opt[n])*
</wireless>
-->
</wan>
<!--
<opt[n]>
<enable/>
<descr></descr>
<if></if>
<ipaddr></ipaddr>
<subnet></subnet>
<media></media>
<mediaopt></mediaopt>
<bridge>lan|wan|opt[n]</bridge>
<wireless>
<mode>hostap *or* bss *or* ibss</mode>
<ssid></ssid>
<channel></channel>
<wep>
<enable/>
<key>
<txkey/>
<value></value>
</key>
</wep>
</wireless>
</opt[n]>
-->
</interfaces>
<!--
<vlans>
<vlan>
<tag></tag>
<if></if>
<descr></descr>
</vlan>
</vlans>
-->
<staticroutes>
<!--
<route>
<interface>lan|opt[n]|pptp</interface>
<network>xxx.xxx.xxx.xxx/xx</network>
<gateway>xxx.xxx.xxx.xxx</gateway>
<descr></descr>
</route>
-->
</staticroutes>
<pppoe>
<username></username>
<password></password>
<provider></provider>
<!--
<ondemand/>
<timeout></timeout>
-->
</pppoe>
<pptp>
<username></username>
<password></password>
<local></local>
<subnet></subnet>
<remote></remote>
<!--
<ondemand/>
<timeout></timeout>
-->
</pptp>
<bigpond>
<username></username>
<password></password>
<authserver></authserver>
<authdomain></authdomain>
<minheartbeatinterval></minheartbeatinterval>
</bigpond>
<dyndns>
<!-- <enable/> -->
<type>dyndns</type>
<username></username>
<password></password>
<host></host>
<mx></mx>
<!-- <wildcard/> -->
</dyndns>
<dhcpd>
<lan>
<enable/>
<range>
<from>192.168.1.100</from>
<to>192.168.1.199</to>
</range>
<!--
<winsserver>xxx.xxx.xxx.xxx</winsserver>
<defaultleasetime></defaultleasetime>
<maxleasetime></maxleasetime>
<gateway>xxx.xxx.xxx.xxx</gateway>
<domain></domain>
<dnsserver></dnsserver>
<next-server></next-server>
<filename></filename>
-->
</lan>
<!--
<opt[n]>
...
</opt[n]>
-->
<!--
<staticmap>
<mac>xx:xx:xx:xx:xx:xx</mac>
<ipaddr>xxx.xxx.xxx.xxx</ipaddr>
<descr></descr>
</staticmap>
-->
</dhcpd>
<pptpd>
<mode><!-- off *or* server *or* redir --></mode>
<redir></redir>
<localip></localip>
<remoteip></remoteip>
<!-- <accounting/> -->
<!--
<user>
<name></name>
<password></password>
</user>
-->
</pptpd>
<ovpn>
<!--
<server>
<enable/>
<ca_cert></ca_cert>
<srv_cert></srv_cert>
<srv_key></srv_key>
<dh_param></dh_param>
<verb></verb>
<tun_iface></tun_iface>
<port></port>
<bind_iface></bind_iface>
<cli2cli/>
<maxcli></maxcli>
<prefix></prefix>
<ipblock></ipblock>
<crypto></crypto>
<dupcn/>
<psh_options>
<redir></redir>
<redir_loc></redir_loc>
<rte_delay></rte_delay>
<ping></ping>
<pingrst></pingrst>
<pingexit></pingexit>
<inact></inact>
</psh_options>
</server>
<client>
<tunnel></tunnel>
<ca_cert></ca_cert>
<cli_cert></cli_cert>
<cli_key></cli_key>
<type></type>
<tunnel>
<if></if>
<proto></proto>
<cport></cport>
<saddr></saddr>
<sport></sport>
<crypto></crypto>
</tunnel>
</client>
-->
</ovpn>
<dnsmasq>
<enable/>
<!--
<hosts>
<host></host>
<domain></domain>
<ip></ip>
<descr></descr>
</hosts>
-->
</dnsmasq>
<snmpd>
<!-- <enable/> -->
<syslocation></syslocation>
<syscontact></syscontact>
<rocommunity>public</rocommunity>
</snmpd>
<diag>
<ipv6nat>
<!-- <enable/> -->
<ipaddr></ipaddr>
</ipv6nat>
</diag>
<bridge>
<!-- <filteringbridge/> -->
</bridge>
<syslog>
<!--
<reverse/>
<enable/>
<remoteserver>xxx.xxx.xxx.xxx</remoteserver>
<filter/>
<dhcp/>
<system/>
<nologdefaultblock/>
-->
</syslog>
<!--
<captiveportal>
<enable/>
<interface>lan|opt[n]</interface>
<idletimeout>minutes</idletimeout>
<timeout>minutes</timeout>
<page>
<htmltext></htmltext>
<errtext></errtext>
</page>
<httpslogin/>
<httpsname></httpsname>
<certificate></certificate>
<private-key></private-key>
<redirurl></redirurl>
<radiusip></radiusip>
<radiusport></radiusport>
<radiuskey></radiuskey>
<nomacfilter/>
</captiveportal>
-->
<nat>
<ipsecpassthru>
<enable/>
</ipsecpassthru>
<!--
<rule>
<interface></interface>
<external-address></external-address>
<protocol></protocol>
<external-port></external-port>
<target></target>
<local-port></local-port>
<descr></descr>
</rule>
-->
<!--
<onetoone>
<interface></interface>
<external>xxx.xxx.xxx.xxx</external>
<internal>xxx.xxx.xxx.xxx</internal>
<subnet></subnet>
<descr></descr>
</onetoone>
-->
<!--
<advancedoutbound>
<enable/>
<rule>
<interface></interface>
<source>
<network>xxx.xxx.xxx.xxx/xx</network>
</source>
<destination>
<not/>
<any/>
*or*
<network>xxx.xxx.xxx.xxx/xx</network>
</destination>
<target>xxx.xxx.xxx.xxx</target>
<descr></descr>
</rule>
</advancedoutbound>
-->
<!--
<servernat>
<ipaddr></ipaddr>
<descr></descr>
</servernat>
-->
</nat>
<filter>
<!-- <tcpidletimeout></tcpidletimeout> -->
<rule>
<type>pass</type>
<descr>Default LAN -> any</descr>
<interface>lan</interface>
<source>
<network>lan</network>
</source>
<destination>
<any/>
</destination>
</rule>
<!-- rule syntax:
<rule>
<disabled/>
<type>pass|block|reject</type>
<descr>...</descr>
<interface>lan|opt[n]|wan|pptp</interface>
<protocol>tcp|udp|tcp/udp|...</protocol>
<icmptype></icmptype>
<source>
<not/>
<address>xxx.xxx.xxx.xxx(/xx) or alias</address>
*or*
<network>lan|opt[n]|pptp</network>
*or*
<any/>
<port>a[-b]</port>
</source>
<destination>
*same as for source*
</destination>
<frags/>
<log/>
</rule>
-->
</filter>
<shaper>
<!-- <enable/> -->
<!-- <schedulertype>hfsc</schedulertype> -->
<!-- rule syntax:
<rule>
<disabled/>
<descr></descr>
<targetpipe>number (zero based)</targetpipe>
*or*
<targetqueue>number (zero based)</targetqueue>
<interface>lan|wan|opt[n]|pptp</interface>
<protocol>tcp|udp</protocol>
<direction>in|out</direction>
<source>
<not/>
<address>xxx.xxx.xxx.xxx(/xx)</address>
*or*
<network>lan|opt[n]|pptp</network>
*or*
<any/>
<port>a[-b]</port>
</source>
<destination>
*same as for source*
</destination>
<iplen>from[-to]</iplen>
<iptos>(!)lowdelay,throughput,reliability,mincost,congestion</iptos>
<tcpflags>(!)fin,syn,rst,psh,ack,urg</tcpflags>
</rule>
<pipe>
<descr></descr>
<bandwidth></bandwidth>
<delay></delay>
<mask>source|destination</mask>
</pipe>
<queue>
<descr></descr>
<targetpipe>number (zero based)</targetpipe>
<weight></weight>
<mask>source|destination</mask>
</queue>
-->
</shaper>
<ipsec>
<preferredoldsa/>
<!-- <enable/> -->
<!-- syntax:
<tunnel>
<disabled/>
<auto/>
<descr></descr>
<interface>lan|wan|opt[n]</interface>
<local-subnet>
<address>xxx.xxx.xxx.xxx(/xx)</address>
*or*
<network>lan|opt[n]</network>
</local-subnet>
<remote-subnet>xxx.xxx.xxx.xxx/xx</remote-subnet>
<remote-gateway></remote-gateway>
<p1>
<mode></mode>
<myident>
<myaddress/>
*or*
<address>xxx.xxx.xxx.xxx</address>
*or*
<fqdn>the.fq.dn</fqdn>
</myident>
<encryption-algorithm></encryption-algorithm>
<hash-algorithm></hash-algorithm>
<dhgroup></dhgroup>
<lifetime></lifetime>
<pre-shared-key></pre-shared-key>
</p1>
<p2>
<protocol></protocol>
<encryption-algorithm-option></encryption-algorithm-option>
<hash-algorithm-option></hash-algorithm-option>
<pfsgroup></pfsgroup>
<lifetime></lifetime>
</p2>
</tunnel>
<mobileclients>
<enable/>
<p1>
<mode></mode>
<myident>
<myaddress/>
*or*
<address>xxx.xxx.xxx.xxx</address>
*or*
<fqdn>the.fq.dn</fqdn>
</myident>
<encryption-algorithm></encryption-algorithm>
<hash-algorithm></hash-algorithm>
<dhgroup></dhgroup>
<lifetime></lifetime>
</p1>
<p2>
<protocol></protocol>
<encryption-algorithm-option></encryption-algorithm-option>
<hash-algorithm-option></hash-algorithm-option>
<pfsgroup></pfsgroup>
<lifetime></lifetime>
</p2>
</mobileclients>
<mobilekey>
<ident></ident>
<pre-shared-key></pre-shared-key>
</mobilekey>
-->
</ipsec>
<aliases>
<!--
<alias>
<name></name>
<address>xxx.xxx.xxx.xxx(/xx)</address>
<descr></descr>
</alias>
-->
</aliases>
<proxyarp>
<!--
<proxyarpnet>
<network>xxx.xxx.xxx.xxx/xx</network>
*or*
<range>
<from>xxx.xxx.xxx.xxx</from>
<to>xxx.xxx.xxx.xxx</to>
</range>
</proxyarpnet>
-->
</proxyarp>
<cron>
<item>
<minute>0</minute>
<hour>*</hour>
<mday>*</mday>
<month>*</month>
<wday>*</wday>
<who>root</who>
<command>/usr/bin/nice -n20 newsyslog</command>
</item>
<item>
<minute>1,31</minute>
<hour>0-5</hour>
<mday>*</mday>
<month>*</month>
<wday>*</wday>
<who>root</who>
<command>/usr/bin/nice -n20 adjkerntz -a</command>
</item>
<item>
<minute>1</minute>
<hour>*</hour>
<mday>1</mday>
<month>*</month>
<wday>*</wday>
<who>root</who>
<command>/usr/bin/nice -n20 /etc/rc.update_bogons.sh</command>
</item>
<item>
<minute>*/60</minute>
<hour>*</hour>
<mday>*</mday>
<month>*</month>
<wday>*</wday>
<who>root</who>
<command>/usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 sshlockout</command>
</item>
<item>
<minute>1</minute>
<hour>1</hour>
<mday>*</mday>
<month>*</month>
<wday>*</wday>
<who>root</who>
<command>/usr/bin/nice -n20 /etc/rc.dyndns.update</command>
</item>
<item>
<minute>*/60</minute>
<hour>*</hour>
<mday>*</mday>
<month>*</month>
<wday>*</wday>
<who>root</who>
<command>/usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 virusprot</command>
</item>
<item>
<minute>*/60</minute>
<hour>*</hour>
<mday>*</mday>
<month>*</month>
<wday>*</wday>
<who>root</who>
<command>/usr/bin/nice -n20 /usr/local/sbin/expiretable -t 1800 snort2c</command>
</item>
<item>
<minute>*/5</minute>
<hour>*</hour>
<mday>*</mday>
<month>*</month>
<wday>*</wday>
<who>root</who>
<command>/usr/local/bin/checkreload.sh</command>
</item>
</cron>
<wol>
<!--
<wolentry>
<interface>lan|opt[n]</interface>
<mac>xx:xx:xx:xx:xx:xx</mac>
<descr></descr>
</wolentry>
-->
</wol>
<installedpackages>
</installedpackages>
</pfsense>
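The $config assignments in the example session and the stock config.xml above map onto each other directly: each PHP array key is an element, and a boolean such as disabled or enable is simply the presence of an empty element, so clearing a flag on the XML side means deleting the element (in the shell, unset() on the key is the unambiguous counterpart). The following is an added example, not code from this page or from the pfSense project, that makes the same WAN edits to a config.xml backup offline with Python and then audits the result for the weak defaults visible in the stock file (factory password hash, plain-HTTP webConfigurator, SNMP community public). The sample config, the function names and the wording of the findings are assumptions made for this example.

```python
"""Offline edit-and-audit of a pfSense 1.2-era config.xml (added example;
not code from the pfSense wiki page or project). It does to a config.xml
backup what the PHP shell session does with $config['interfaces']['wan'],
then flags settings a reviewer would want changed before the box goes live.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample, trimmed from the stock 1.2-BETA-1 file on the page, with
# the WAN disabled and snmpd enabled so the checks below have something to find.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <version>2.9</version>
  <system>
    <hostname>pfSense</hostname>
    <username>admin</username>
    <password>$1$dSJImFph$GvZ7.1UbuWu.Yb8etC0re.</password>
    <webgui><protocol>http</protocol></webgui>
  </system>
  <interfaces>
    <lan><if>sis0</if><ipaddr>192.168.1.1</ipaddr><subnet>24</subnet></lan>
    <wan><disabled/><if>sis1</if><ipaddr>dhcp</ipaddr><subnet></subnet><blockpriv/></wan>
  </interfaces>
  <snmpd><enable/><rocommunity>public</rocommunity></snmpd>
</pfsense>
"""

# The password hash shipped in the stock config.xml on the page. A deployed
# config that still carries it has never had the admin password changed.
STOCK_ADMIN_HASH = "$1$dSJImFph$GvZ7.1UbuWu.Yb8etC0re."


def _text(root, path):
    """Stripped text of the first element at path, or None if absent or empty."""
    node = root.find(path)
    if node is None or node.text is None:
        return None
    return node.text.strip() or None


def _flag(root, path):
    """pfSense booleans are presence flags: an empty <enable/> element means true."""
    return root.find(path) is not None


def is_valid_wan_address(ipaddr, prefix):
    """True if ipaddr/prefix is a syntactically valid IPv4 interface address."""
    try:
        ipaddress.IPv4Interface(f"{ipaddr}/{prefix}")
    except ValueError:
        return False
    return True


def set_static_wan(root, ipaddr, prefix):
    """XML equivalent of the shell session's three assignments:
    $config['interfaces']['wan']['disabled'] = false;
    $config['interfaces']['wan']['ipaddr']   = ipaddr;
    $config['interfaces']['wan']['subnet']   = prefix;
    """
    wan = root.find("interfaces/wan")
    if wan is None:
        raise ValueError("config.xml has no interfaces/wan section")
    if not is_valid_wan_address(ipaddr, prefix):
        raise ValueError(f"invalid WAN address {ipaddr}/{prefix}")
    disabled = wan.find("disabled")
    if disabled is not None:          # disabled = false: drop the presence flag
        wan.remove(disabled)
    for tag, value in (("ipaddr", ipaddr), ("subnet", str(prefix))):
        node = wan.find(tag)
        if node is None:
            node = ET.SubElement(wan, tag)
        node.text = value


def audit(root):
    """Return human-readable findings about risky settings in the config tree."""
    findings = []
    if _text(root, "system/password") == STOCK_ADMIN_HASH:
        findings.append("admin password is still the stock default hash")
    if _text(root, "system/webgui/protocol") == "http":
        findings.append("webConfigurator is served over plain HTTP")
    if _flag(root, "system/disablefilter"):
        findings.append("packet filter is disabled (system/disablefilter)")
    if _flag(root, "snmpd/enable") and _text(root, "snmpd/rocommunity") == "public":
        findings.append("snmpd is enabled with the read-only community 'public'")
    if not _flag(root, "interfaces/wan/blockpriv"):
        findings.append("WAN does not block RFC1918 sources (blockpriv missing)")
    if _flag(root, "interfaces/wan/disabled"):
        findings.append("WAN interface is disabled")
    return findings


def audit_text(xml_text):
    """Audit a config.xml string without modifying it."""
    return audit(ET.fromstring(xml_text))


def apply_and_audit(xml_text, wan_ip, prefix):
    """Parse xml_text, make the WAN static, and return (new_xml, findings)."""
    root = ET.fromstring(xml_text)
    set_static_wan(root, wan_ip, prefix)
    return ET.tostring(root, encoding="unicode"), audit(root)


if __name__ == "__main__":
    new_xml, problems = apply_and_audit(SAMPLE_CONFIG, "192.168.100.1", 24)
    for line in problems:
        print("WARNING:", line)
    # new_xml is what you would restore as config.xml once the warnings are dealt with
```

Run it against a real backup by replacing SAMPLE_CONFIG with the file's contents; the same presence-flag rule (find the element, remove it to clear, create an empty one to set) covers every boolean in the stock file, so the audit is easy to extend with whatever your deployment considers a must-change default.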