Console Menu - pfSense Hangout December 2016
Slides for the December 2016 pfSense Hangout video

  1. Console Menu
     December 2016 Hangout, Jim Pingle
  2. About this Hangout
     ● Project News
     ● Console Menu Access & Setup
       – Keyboard/Video Console
       – Serial Console
       – SSH
     ● Console Menu Options
     ● Using the PHP Shell
     ● Using the tcsh Shell
  3. Project News
     ● SG-1000 shipping, all backorders shipped!
       – Development and improvements are still ongoing
       – USB OTG port is now bootable with new snapshots
     ● Switch framework from SG-1000 (Interfaces > Switches) to be used for future products including large numbers of switch ports
       – https://blog.pfsense.org/?p=2174
     ● Enterprise Support coming in January
       – Three choices: yearly, per-device, non-incident
     ● pfSense Code Audit
       – Audit was performed by an independent consulting firm
       – Results were excellent
       – Full details will be posted soon on the Netgate & pfSense blogs
  4. Console Menu Requirements
     ● Physical Keyboard/Video console
       – Firewall hardware must have video output, keyboard attached
     ● Serial Console
       – Device must have a serial port or similar console port
         ● Devices with a traditional DB9 or RJ45 style serial port must use COM1
         ● Null modem serial cable or adapter
         ● Client must also have a serial port or USB/Serial converter
       – http://store.netgate.com/Serial-NULL-Modem-RS232-Cable-Kit-P2165.aspx
       – SG devices have a Micro USB console port that acts as a USB/Serial converter on COM2
         ● Only a micro-USB cable, such as an Android device cable, is required
       – Serial console must be enabled on pfSense
         ● Defaults to enabled for SG devices or devices installed from the serial memstick
         ● Enabled in the GUI for others
     ● SSH
       – SSH must be enabled on the firewall
       – Firewall rules must allow access
     ● All types:
       – When setting up a terminal, the default size is usually 24 rows, 80 columns
         ● This size works best for the installer
       – For general use after installation, we recommend wider & taller terminals to show more information
         ● Example: 32 rows, 132 columns
  5. Physical Console Configuration
     ● Video console is always enabled if present
     ● Serial console may need to be enabled manually unless it is the only console
     ● System > Advanced, Admin Access tab
       – Serial Communications section
         ● Serial Terminal, check to enable
       – Box is hidden for devices that only have serial or which have serial forced on
         ● Serial Speed
       – No reason to use anything other than 115200 these days
         ● Primary Console
       – Kernel boot messages will go to all configured hardware consoles (video, serial)
       – Once the kernel passes off control to the OS boot scripts, only the primary console will receive output (e.g. pfSense boot output)
       – If the output stops after “Mounting root...” without a prompt, odds are you are not looking at the primary console
       – If an error is encountered during boot, such as interfaces needing to be reassigned, only the primary console can be used to correct the problem
       – After bootup completes, all consoles receive a menu
  6. SSH Console Access Setup
     ● System > Advanced, Admin Access tab, Secure Shell section
     ● Or use console menu option 14 if you have access to the video or serial console
     ● Check Enable Secure Shell
       – The firewall will generate SSH keys for the ssh daemon, which can take some time
         ● On SG-1000, this process can take about a minute and a half
     ● Authentication Method
       – Unchecked, passwords can be used
         ● All account passwords should be strong!
         ● Do not expose SSH to the Internet with password authentication allowed!
       – Checked, ssh keys are required for all accounts
         ● Immune to brute force attacks but requires more complex setup and management
         ● Keys must be generated on the client (e.g. with ssh-keygen) and then pasted into the account settings
     ● SSH port, defaults to 22
       – Moving the port does not offer a significant security advantage on its own
     ● Add firewall rules to allow access
       – Do not expose SSH to the world if you can help it!
  7. Accessing the Console Menu: Keyboard/Video
     ● Turn on the monitor, use the keyboard (simple)
     ● Switch to the KVM port, etc.
     ● May also be accessible using IPMI, DRAC, iLO or similar, depending on the hardware
  8. Accessing the Console Menu: Serial Console
     ● Connect the serial cable to the client
       – If it is a USB/Serial cable, ensure it was detected properly by the OS
       – Install drivers if necessary
     ● Locate the proper client serial port
       – On Windows, check Device Manager
         ● PC Name > Ports (COM & LPT), [Name/Type] (COMx)
         ● Physical DB9 port is likely COM1, maybe COM2
         ● Typically COM3, COM4, or COM5 for USB
       – Linux
         ● Check log/dmesg output, most likely it is /dev/ttyUSBx
       – FreeBSD
         ● Check log/dmesg output, most likely it is /dev/cuaUx
       – Mac
         ● Varies by serial cable OEM/type
         ● SG devices use /dev/cu.SLAB_USBtoUART
  9. Accessing the Console Menu: Serial Console
     ● Speed must match the speed configured on the previous page
     ● Client serial port settings:
       – Most clients use these settings by default, such as PuTTY and screen
       – 8 data bits
       – No parity
       – 1 stop bit
       – Flow Control: XON/XOFF or disabled
         ● RTS/CTS flow control must not be used!
     ● See also: https://portal.pfsense.org/docs/manuals/reference/sg-series-serial-console.html
  10. Accessing the Console Menu: Serial Console
     ● Windows
       – Serial clients: PuTTY or SecureCRT
         ● PuTTY Download URL: http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
         ● Open PuTTY
       – Select Serial for Connection Type
       – Enter the COM port in Serial Line, such as COM3, COM5, etc.
       – DO NOT USE HYPERTERMINAL!
     ● Linux
       – Serial clients: screen, PuTTY, minicom, or dterm
       – sudo screen /dev/ttyUSB0 115200
     ● FreeBSD
       – Serial clients: screen, cu, or tip
       – sudo screen /dev/cuaU0 115200
     ● Mac
       – Serial clients: screen, Zterm, or cu
       – sudo screen /dev/cu.SLAB_USBtoUART 115200
       – May need -U passed to screen to work around character encoding issues
  11. Accessing the Console Menu: SSH
     ● Windows
       – Clients: PuTTY, SecureCRT, mRemoteNG, cygwin CLI ssh, Windows 10 AU+ Ubuntu Bash CLI ssh
     ● Linux/FreeBSD
       – Clients: PuTTY, CLI ssh, PAC
     ● Mac
       – Clients: Terminal, iTerm2
     ● Client must be recent and support the key exchange, cipher, and MAC requirements on pfSense
     ● From the CLI it’s the same on any OS:
       – ssh username@192.168.1.1
     ● GUI clients must be set to connect to the firewall IP address on the correct port, with the expected username
     ● For key-based authentication, consult the client documentation
     ● If the client does not work, update it and try again
       – Current versions of PuTTY, SecureCRT, and others work well, older versions do not
  12. Console Menu Tasks
     ● 0) Logout (SSH Only)
       – Ends the current SSH session
       – Pressing enter without entering an option will also close the SSH session, as will using CTRL-D
  13. Console Menu Tasks
     ● 1) Assign Interfaces
       – Prompts the user to wipe the existing interface configuration and start over with new interface assignments
       – This is the same procedure that is triggered during boot when the available physical/virtual interfaces do not match the assigned interfaces
       – Can create VLANs, but not other special interface types (e.g. LAGG)
       – Lists all available interfaces and VLANs for assignment
         ● For physical interfaces, MAC addresses are printed in the list
       – At least one interface must be assigned (WAN)
       – Press enter without typing an interface name to stop
  14. Console Menu Tasks
     ● 2) Set interface(s) IP address
       – Set an IP address for any firewall interface
       – Can configure static addresses or DHCP
       – For static addresses:
         ● Prompts for the IP address, subnet mask, and optional gateway
         ● Prompts to enable or disable DHCP service for an interface, and to set the DHCP IP address range if it is enabled
       – If the firewall GUI is configured for HTTPS, the menu prompts to switch to HTTP in case SSL is not functional
       – Enables the anti-lockout rule in case the user has been locked out of the GUI
  15. Console Menu Tasks
     ● 3) Reset webConfigurator Password
       – Resets the admin account password back to “pfsense”
       – If the GUI authentication source is RADIUS/LDAP, the script prompts to reset it to Local Database
       – If the admin account has been removed, the script re-creates the account
       – If the admin account is disabled, the script re-enables the account
  16. Console Menu Tasks
     ● 4) Reset to factory defaults
       – Restores the system configuration back to its factory default (/conf.default/config.xml)
       – Attempts to remove non-default packages
       – Does not make any filesystem changes
       – A wipe and reload may be a better choice if anything other than the configuration needs to be reset
  17. Console Menu Tasks
     ● 5) Reboot system
       – Shuts down the firewall cleanly and performs a clean restart
       – 2.4 adds a few new options:
         ● Reboot normally
         ● Reroot
           – A quicker restart that doesn’t reload the kernel
           – Kills processes, remounts filesystems, runs startup sequence
         ● Reboot into Single User Mode
           – Needs console access
         ● Reboot and run a filesystem check
           – Runs fsck on the root slice 5x
  18. Console Menu Tasks
     ● 6) Halt System
       – Cleanly shuts down the firewall
       – Stops all processes
       – Synchronizes all filesystems
       – Attempts to power off the firewall if the hardware is capable
       – Always use this option or its GUI equivalent when turning off the firewall
         ● Never abruptly disconnect power!
  19. Console Menu Tasks
     ● 7) Ping Host
       – Sends three ICMP echo requests to a target and displays the results
       – When passed an IPv4 address or a hostname, it uses ping
       – When passed an IPv6 address, it uses ping6
     ● 8) Shell
       – Starts a tcsh shell and presents a shell prompt
       – Will cover this more later
  20. Console Menu Tasks
     ● 9) pfTop
       – Invokes pfTop for a real-time view of firewall state table activity
       – Has a variety of views to help spot connections passing a lot of data, for example
       – Use 0-8 to select a view directly
       – The view can be sorted in a variety of ways
       – Press ? to see help, which shows all of the keyboard shortcuts
  21. Console Menu Tasks
     ● 10) Filter Logs
       – Runs (essentially) a “tail” on the filter log file
       – Log entries are presented in raw format
         ● https://doc.pfsense.org/index.php/Filter_Log_Format_for_pfSense_2.2
       – For a simpler real-time view, run this from the shell:
         ● clog -f /var/log/filter.log | filterparser.php
     ● 11) Restart webConfigurator
       – Restarts the nginx instance that runs the WebGUI
       – Usually needs option 16 run as well to restart PHP-FPM
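The raw filter log lines that option 10 tails follow the comma-separated layout documented at the link above. As an added example that is not part of the slides, the parser below splits the common header fields and the IPv4/IPv6 header block, then counts blocked inbound traffic per source and destination port, which is a quick way to spot a host probing the WAN. The sample lines are constructed for this example, and the field order is taken from the pfSense filter log documentation rather than from the slides.

```python
"""Parse pfSense 2.2+ raw filterlog lines and summarize blocked inbound traffic."""
from collections import Counter

# Constructed sample lines in the documented filterlog format (not real traffic).
SAMPLE_LOG = """\
Dec 14 10:01:02 fw filterlog: 5,,,1000000103,igb0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,203.0.113.10,198.51.100.2,51515,22,0,S,1234567890,,65535,,mss;sackOK
Dec 14 10:01:03 fw filterlog: 5,,,1000000103,igb0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,203.0.113.10,198.51.100.2,51516,23,0,S,1234567891,,65535,,mss
Dec 14 10:01:04 fw filterlog: 7,,,1000000105,igb1,match,pass,out,4,0x0,,64,0,0,DF,17,udp,76,192.168.1.10,198.51.100.53,40000,53,56
Dec 14 10:01:05 fw filterlog: 5,,,1000000103,igb0,match,block,in,6,0x00,0,64,udp,17,40,2001:db8::1,2001:db8::2,5353,5353,0
"""

COMMON = ("rule", "subrule", "anchor", "tracker", "iface",
          "reason", "action", "direction", "ipver")


def parse_filterlog(line):
    """Return a dict of common fields plus proto/src/dst/ports, or None if malformed."""
    if "filterlog: " not in line:
        return None
    fields = line.split("filterlog: ", 1)[1].rstrip().split(",")
    if len(fields) < len(COMMON):
        return None
    rec = dict(zip(COMMON, fields))
    rest = fields[len(COMMON):]
    if rec["ipver"] == "4":
        # IPv4 block: tos,ecn,ttl,id,offset,flags,proto-id,proto-text,length,src,dst
        if len(rest) < 11:
            return None
        rec["proto"], rec["src"], rec["dst"] = rest[7], rest[9], rest[10]
        rest = rest[11:]
    elif rec["ipver"] == "6":
        # IPv6 block: class,flow-label,hop-limit,proto-text,proto-id,length,src,dst
        if len(rest) < 8:
            return None
        rec["proto"], rec["src"], rec["dst"] = rest[3], rest[6], rest[7]
        rest = rest[8:]
    else:
        return None
    # TCP and UDP both start their protocol block with source and destination port.
    if rec["proto"] in ("tcp", "udp") and len(rest) >= 2:
        rec["sport"], rec["dport"] = rest[0], rest[1]
    return rec


def blocked_inbound_summary(log_text):
    """Count blocked inbound entries per (source address, destination port)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_filterlog(line)
        if rec and rec["action"] == "block" and rec["direction"] == "in":
            counts[(rec["src"], rec.get("dport", "-"))] += 1
    return counts


if __name__ == "__main__":
    for (src, dport), n in blocked_inbound_summary(SAMPLE_LOG).most_common():
        print(f"{src:>16} -> port {dport:<6} blocked {n}x")
```

On a live firewall the same summary can be fed from the shell with `clog /var/log/filter.log` piped into this script's stdin instead of the constructed sample.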
  22. Console Menu Tasks
     ● 12) PHP Shell + pfSense tools
       – Starts an interactive PHP shell that runs in a similar context to the firewall GUI
       – Will cover more later
     ● 13) Update from the console
       – Attempts to run an OS update, the same as from the GUI
     ● 14) Enable/Disable Secure Shell
       – Toggles the state of the SSH daemon, as covered earlier
  23. Console Menu Tasks
     ● 15) Restore Recent Configuration
       – Similar to the configuration history in the GUI
       – Lists recent configuration changes and offers to restore older configurations
       – Useful for stepping back to a working configuration after a change that had a negative impact
       – Does not apply changes, needs a reboot to fully take effect
     ● 16) Restart PHP-FPM
       – Stops and restarts the daemon which handles PHP processes for nginx
       – If the GUI web server process is running but unable to execute PHP scripts, invoke this option
       – Helps restore GUI access when it fails with 5xx nginx errors such as 502 / “Bad Gateway”
  24. Console Menu Tasks
     ● Option 99 (SG-1000 booted from SD card only)
       – When running certain images on the SG-1000 loaded to an SD card, this option is present on the menu
       – When invoked, it copies the running system to the eMMC
       – After it completes, power off the firewall and remove the SD card to run from eMMC
     ● Hidden menu option 100
       – Launches “links”, a command-line text-based web browser, and attempts to connect to the firewall GUI
       – No JS support, so use is limited
       – After login, press ‘g’ and go to the firewall URL /index.php
  25. Using the PHP Shell
     ● Obligatory “Danger, this is unsupported and could break stuff” warning
     ● Console menu option 12 invokes the PHP Shell
     ● Can interact with the configuration and the running system as a whole
     ● Primarily useful to developers and very advanced users
     ● Runs in a context similar to the GUI
       – Can read the configuration from $config, globals from $g, and so on
       – Can write the configuration if necessary
       – “Apply” action is trickier, would need to call specific functions directly, so not recommended
     ● Supports session recording and playback; playback is the most useful feature
     ● pfSense ships with a number of useful default playback scripts
  26. PHP Shell – Running Commands
     ● Type “help” for command examples and information
     ● Each block of commands must be followed by “exec” on a new line to execute the code
     ● Type “exit” or use CTRL-C to return to the menu
     ● Example that dumps the LAN DHCP settings:
       pfSense Shell: var_dump($config['dhcpd']['lan']);
       pfSense Shell: exec
  27. PHP Shell – Playback Scripts
     ● Use from option 12 with “playback <scriptname> [options]”
     ● Use from the shell with: “pfSsh.php playback <scriptname> [options]”
     ● Some playback scripts have options, others do not
       – Most are coded friendly enough to print a help message if they need options that are not given
  28. PHP Shell – Playback Scripts
     ● changepassword
       – Changes the password for a user
         ● Username can be supplied as an optional argument, will prompt if nothing is given
       – Resets account properties if it is disabled or expired
     ● enablecarp / disablecarp
       – Enable/disable CARP functions for troubleshooting purposes, same as the GUI button
       – Does not persist
     ● enablecarpmaint / disablecarpmaint
       – Enters/exits CARP maintenance mode, same as the GUI button
       – Persists across reboots
       – Demotes unit, does not disable CARP
     ● disabledhcpd
       – Removes all DHCP server configuration from all interfaces on the firewall and stops the DHCP service
     ● disablereferercheck
       – Disables HTTP_REFERER verification
       – Useful when the GUI cannot be reached due to the method used by the client
  29. PHP Shell – Playback Scripts
     ● enableallowallwan
       – Adds an “allow all” rule to the WAN, meant as a VERY temporary measure to regain access to the GUI in cases when the LAN is unavailable
       – Primarily used with lab virtual machines that have disconnected LANs or no LAN-side client available
     ● enablesshd
       – Enables the SSH daemon, same as the GUI checkbox or the console menu option
     ● externalconfiglocator
       – Invokes the external configuration locator, which attempts to find a config.xml on an attached removable disk
     ● gatewaystatus
       – Prints the gateway status formatted for the terminal (New in 2.4)
     ● generateguicert
       – Generates and activates a new certificate for the GUI using the current firewall hostname and other parameters
       – Very useful for generating new certificates to replace old GUI certificates from 2.0.x and earlier that had generic properties, which now cause problems in Firefox
     ● gitsync
       – A complex script used to copy down recent commits from GitHub to the firewall to catch up on changes
       – Primarily useful for tracking small code changes between development snapshots
       – Does not update binaries, use with caution
  30. PHP Shell – Playback Scripts
     ● installpkg / listpkg / uninstallpkg
       – Manipulates packages
       – Not useful on 2.3+, as using “pkg” directly has the same effect
     ● pfanchordrill
       – Recursively searches through pf anchors and prints any NAT or firewall rules it finds
       – Useful for debugging services that rely on anchors, like UPnP or relayd
     ● pftabledrill
       – Prints the contents of all pf tables (aliases, built-in tables, etc.)
       – Useful for finding an address across all aliases, especially with dynamic aliases (FQDNs, URL tables, etc.)
     ● removepkgconfig
       – Removes all package configuration from config.xml but does not uninstall packages
       – Can return config.xml to a usable state, but the OS packages can mismatch
  31. PHP Shell – Playback Scripts
     ● removeshaper
       – Removes all ALTQ queues and rules generated by the shaper wizard
       – Useful if the ALTQ configuration is causing problems with network connectivity and the GUI cannot be reached
     ● resetwebgui
       – Resets the GUI theme, dashboard widgets, and menu configuration back to default
     ● restartdhcpd
       – Stops and starts the DHCP daemon
     ● restartipsec
       – Reloads the strongSwan configuration for IPsec
  32. PHP Shell – Playback Scripts
     ● svc
       – Controls services similar to Status > Services in the GUI
       – playback svc <action> <service name> [service-specific options]
       – The action can be stop, start, or restart.
       – The service name is the name of the service as found under Status > Services. If the name includes a space, enclose the name in quotes.
       – The service-specific options vary depending on the service; they are used to uniquely identify services with multiple instances, such as OpenVPN or Captive Portal entries.
       – Examples:
         ● Stop bsnmpd:
           – pfSsh.php playback svc stop bsnmpd
         ● Restart OpenVPN server with ID 1:
           – pfSsh.php playback svc restart openvpn server 1
         ● Start the Captive Portal process for zone “Guests”:
           – pfSsh.php playback svc start captiveportal Guests
  33. Using the tcsh Shell
     ● Obligatory “Danger, this is unsupported and could break stuff” warning
     ● A majority of common utilities are present and can be used for troubleshooting or gathering information, among other uses
     ● The shell invoked from console menu option 8 is tcsh, and those familiar with FreeBSD will be at home, with some caveats
       – Some common shell utilities are not present due to size and/or security constraints
       – No compiler environment
       – No man/info pages
       – Do not attempt to make permanent changes to daemon configurations, as they will likely be overwritten by pfSense when settings are synchronized or at the next reboot
     ● Consult FreeBSD or general UNIX shell documentation for specifics
  34. Using the tcsh Shell
     ● Bash is also available via “pkg add bash” if desired
     ● Do not use the firewall as a general purpose UNIX shell server; only allow shell access to firewall administrators
     ● Use the sudo package to grant non-root users access to run programs as root
     ● Files can be copied to/from the firewall using scp with the “root” user
       – FileZilla or the command line scp are the best clients
  35. Conclusion
     ● Questions?
     ● Ideas for hangout topics? Post on the forum, comment on the blog posts, Reddit, etc.