Before everything, please note:
- This is a technical document intended only for advanced users. Incorrect scripting can corrupt the system to the point that you have to reset to factory defaults or even reflash the disk.
- This applies to Firewalla Gold and Purple.
- This applies to version 1.971 or above.
Customized Scripts
You can add scripts to Gold/Purple so that they are executed automatically whenever the Firewalla service restarts (for example, when the Gold/Purple reboots or its software updates).
Place these scripts in the folder /home/pi/.firewalla/config/post_main.d/ (create this folder if it does not exist):
$ sudo mkdir /home/pi/.firewalla/config/post_main.d/
$ cd /home/pi/.firewalla/config/post_main.d/
$ sudo chmod +wr .
Create a file with any name ending in ".sh" and make it executable. For example:
$ sudo touch /home/pi/.firewalla/config/post_main.d/hello.sh
$ sudo chmod +x /home/pi/.firewalla/config/post_main.d/hello.sh
Any file in this folder whose name ends in ".sh" will be executed at boot time. Now edit it using vi or nano. For example:
$ cat /home/pi/.firewalla/config/post_main.d/hello.sh
#!/bin/bash
echo "Hello World"
Note: Make sure your scripts can safely be executed multiple times, at unscheduled moments, because they are called every time the Firewalla service restarts.
Example: Install package "iftop"
#!/bin/bash
sudo apt-get update
sudo apt-get install iftop -y
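Because every script in post_main.d runs on each service restart, not just once at boot, each step should check the current state before acting. The following added example (not Firewalla's own code) shows an idempotent post_main.d script with timestamped logging, a mount that is only attempted when the device is present and the target is not already mounted, and a marker that tells a fresh boot apart from a plain service restart. The log path, the marker path and the /dev/sda1 to /home/fshare mount are assumed values.

```bash
#!/bin/bash
# Added example of an idempotent post_main.d script (not Firewalla's own code).
# Every *.sh in /home/pi/.firewalla/config/post_main.d/ runs on each Firewalla
# service restart, not only at boot, so every step checks state before acting.
# Paths (LOG_FILE, marker file, /dev/sda1 -> /home/fshare) are assumed values.
LOG_FILE="${LOG_FILE:-/tmp/post_main_example.log}"
BOOT_ID_FILE="${BOOT_ID_FILE:-/proc/sys/kernel/random/boot_id}"
log() {  # timestamped entries make separate restarts distinguishable
  printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*" >> "$LOG_FILE"
}

# Return 0 if the directory is already a mount point (trailing slash tolerated).
is_mounted() {
  local target="${1%/}"
  awk -v t="${target:-/}" '$2 == t { found = 1 } END { exit !found }' /proc/mounts
}

# Return 0 on the first call after a reboot and 1 on later service restarts in
# the same boot: the marker file remembers the kernel boot id it last saw.
first_run_this_boot() {
  local marker="$1" current
  current="$(cat "$BOOT_ID_FILE")"
  [ -f "$marker" ] && [ "$(cat "$marker")" = "$current" ] && return 1
  printf '%s\n' "$current" > "$marker"
}

# Mount only when the device exists and the target is not mounted yet.
mount_if_needed() {
  local dev="$1" target="${2%/}"
  if is_mounted "$target"; then
    log "$target already mounted, skipping"; return 0
  fi
  if [ ! -b "$dev" ]; then
    log "$dev not present yet, skipping mount"; return 0
  fi
  log "mounting $dev on $target"
  sudo mount "$dev" "$target"
}

main() {
  log "post_main script started"
  if first_run_this_boot /tmp/post_main_example.bootid; then
    log "first run since boot"
  fi
  mount_if_needed /dev/sda1 /home/fshare/
  log "post_main script finished"
}
# Run main only when executed directly, so the functions can also be sourced.
[ "${BASH_SOURCE[0]}" = "$0" ] && main
```

Drop the file into post_main.d with a ".sh" name and execute permission; the log in LOG_FILE then shows one timestamped run per service restart.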
Customized Cron jobs
To create scheduled jobs, add your own cron job by putting a valid crontab line in this file:
/home/pi/.firewalla/config/user_crontab
Example:
pi@firewalla:~ (Firewalla) $ cat ~/.firewalla/config/user_crontab
* * * * * /bin/bash -c "date" > /tmp/date.log 2>&1
Note: Changes are not incorporated into the system crontab until the Firewalla service restarts.
You can verify that they have been incorporated by running "crontab -l".
Examples
# Run a script of your choosing
*/15 6-21 * * * /data/helloworld.sh
Comments
I have blue and am just interested in persisting some crontab settings. Will the file also work for Firewalla blue? Thanks.
There is no need to do this for the blue, you can just use cron directly. The reason gold is a bit special is, when in router mode, we want it to be stable, hence we restrict access to services to prevent 'you' from messing up the operating system and shutting down the network.
Hmm. Ok, I'll let you know if I lose my crontab next time the router reboots. I thought that is what happened before.
Another use for custom scripting. Install Speedtest CLI on Firewalla.
Want to have speedtest cli on Firewalla Gold? This will tell you how fast your internet connection is right on Firewalla (no wifi or Ethernet involved)
Firewalla will remove anything installed after upgrades so you can install a script to reinstall for you after firewalla upgrades and possibly reboots. See this gist.
Then you can run speedtest.
Or
if you have dual WAN and want to test WAN2
How soon after adding an entry into the ~/.firewalla/config/user_crontab does the main crontab pickup the change?
after rebooting. @theoninhunter.
@Michael Bierman
Yep that did it many thanks!
Will scripts wait to be called until after a network connection has been made or does that need to be custom coded in the script?
And a related question about the user scripts: in what order are they executed? I'm guessing the same order that 'ls' normally shows them.
Yes, I found the calling script. They're run in 'ls' order.
I've been trying to get scripts to run at boot but I'm not having any luck.
My script is in the post_main.d folder. I have chmod'd the at_boot.sh script with 777. I can run it as user pi from SSH without any special effort. I don't have much unix experience, so I'm already at the edge of my expertise being able to chmod.
While digging into this further, I see the user I create for samba and FTP exists prior to me performing my test -- does this mean the script did run during boot?
(1) Why would it run during boot, but the samba and FTP aren't working?
(2) Is there a way for me to see a log somewhere?
@Bill hard (for me at least) to comment without seeing the script. Can you post it somewhere?
@Bill does your script write log messages you can check - if not it should.
(From above) You could create a custom cron job in /home/pi/.firewalla/config/user_crontab to run every five minutes to test your script - then return to only at boot.
You could also put an @reboot in there to run your script at reboot just to make sure.
I had the script set to create log files, but they were mostly empty. I removed it (for now).
Here's the script (with a few anonymizers). Again, this script runs through successfully when I run it in SSH as pi. ./at-boot.sh
script: at_boot.sh
#!/bin/bash
sudo apt-get update
sudo apt-get -y install samba samba-common samba-common-bin cifs-utils python-glade2 system-config-samba vsftpd
# Date Variables
# sudo read -r YYYY MM DD H M S <<< "$(date '+%Y %m %d %H %M %S' -d "$date_in")"
# Sets up ftp users
sudo addgroup sftp
sudo useradd -m thisisanthrusrname -g sftp
sudo passwd thisisanthrusrname <<< thisisapwd
sudo useradd -m thisisausrname -g sftp
sudo passwd thisisausrname <<< thisisapwd
sudo mkdir /home/thisisausrname/
# Set permissions
sudo chmod 744 /home/thisisausrname/
# Sets up external drive mounting
sudo fdisk -l
sudo mount /dev/sda1 /home/thisisausrname/
sudo mount
# Copy config into ssh directory
sudo rm -f /etc/ssh/sshd_config
sudo cp /home/pi/.firewalla/config/post_main.d/sshd_config /etc/ssh/sshd_config
sudo systemctl restart ssh
# Set ownership
sudo chown -R nobody:nogroup /home/thisisausrname/
sudo chmod -R 0775 /home/thisisausrname/
# Copy config into samba directory
sudo rm -f /etc/samba/smb.conf
sudo cp /home/pi/.firewalla/config/post_main.d/smb.conf.1709LH /etc/samba/smb.conf
sudo service smbd stop
sudo service smbd start
# Open firewall ports for FTP & Samba
sudo ufw allow samba
sudo ufw allow 21
sudo ufw allow 22
# Enable FTP
sudo systemctl start vsftpd
sudo systemctl enable vsftpd
# Set directory for FTP
# sudo mkdir /home/thisisausrname/WebcamImages/$YYYY/$MM/$DD
sudo usermod -d /home/thisisausrname/WebcamImages thisisausrname
# Over-write config file
sudo cp /home/pi/.firewalla/config/post_main.d/vsftpd.conf /etc/vsftpd.conf
sudo systemctl restart vsftpd.service
You shouldn’t have to do this at every boot. I don’t think all this gets reset on boot. Have you taken a look at this https://help.firewalla.com/hc/en-us/articles/360007345553-Fun-Things-To-Do-with-Firewalla ? @Firewalla can you comment?
Reminder that using FTP is significant security risk. What is the end result you are trying to do here? You should have to open SSH as the Firewalla already does that.
Agree with Chris. In addition, I confess I have not installed SAMBA, but there are things that concern me about this code. A few examples:
It is going to copy the whole script to another location. Why?
You can always run this command to see what is installed on a Debian distro.
sudo dpkg-query -f '${Package;-30}${Priority}\t${Essential}\t${Description;-100}\n' -W | grep -Ev '^ ' | grep -v '^$'
@Chris. That dpkg query is a great addition to my limited unix knowledge. Thanks.
I was under the understanding that whenever a Firewalla Gold reboots it removes all customizations. If this isn't the case, then I'd love to be able to streamline the script.
I use FTP because I have some security cameras around the property that FTP images to a server when they sense motion. The company has the ability to use samba, but they have a bug in the firmware for two of my cameras. So, I send the images via FTP. I tried to use sFTP, but it didn't work even when I switched to port 22. I should probably set up a rule to block remote FTP requests.
@Michael, The cp command you call out just overlays a working config over the one that is placed in the /etc folder during installation. I do this as it is easier than inserting rows to an existing file. I'll look more into the /data folder. I'm, in actuality, setting this up to use a 16TB external drive for the files that get uploaded. The actual upload location isn't on the Firewalla. For this reason, I didn't think it really mattered if I used /data or not.
Back to one of my initial questions, though. Why would a script that I can run successfully fail at boot?
My wife is out of town in a few days. I'll do more testing while she is away. I try not to disrupt the network too much when she's home.
Firewalla does not remove everything on every reboot. Certain directories do not get removed ever. That is why you should put your stuff there. Anything you install may be removed so you should check to see what needs to be done before doing it. I would have tests. Don't assume the state of anything.
You are copying a script that does the entire installation to another location. This doesn't make sense to me. What happens on reboot should be separate from any configuration stuff. Don't duplicate. If you want to make sure something is installed just call the installs script before anything else.
Adding rows to an existing file is simple to do if that's needed. google "bash >>"
It might not. To be honest, I don't know exactly how Firewalla reacts to remounting file systems. I would definitely add a check to the reboot script to test if the mount exists and redo it if it does not. I would probably err to mounting something under an area Firewalla expects to have user content—even if that isn't necessary.
Again, to debug you should use "bash -x" and/or log each significant action so you can see what is happening at every step. Each log entry should have a time stamp. You can run it and when needed try rebooting to see what is firing and what is not. You can always remove or comment out some of the logging when it is confirmed to be working.
Also, a good reason to check the state of something before executing is because these scripts are run whenever the Firewalla service restarts, not necessary just one time at boot.
Exactly so, @David. In fact for many people they hardly ever reboot but the FW service has to restart for other reasons like upgrades.
I've learned a bit over the past two days. If I perform a sudo passwd && sudo chmod 744 /home/userid/ && sudo mount /dev/sda1 /home/userid/ my systems can access data via samba and ftp. I'm interpreting this to mean that the rest of the script runs just fine after the Firewalla is turned back on.
(1) The password steps I have coded haven't worked. I can do a passwd manually and that fixes the issue. So, I still need to find a method for setting/changing a password inside my script. If someone has a suggestion for what I should choose, I would be very grateful! I've tried a few so far. These are the ones I recall trying.
a> echo 'userid:newpwd' | sudo chpasswd
b> echo 'newpwd\newpwd' | sudo passwd userid
(2) I did the chmod command because it is in the script. I'm not sure if it worked or not at this point. I've found that logging my scripts hasn't worked as I would have expected. I'm not getting much output. This is one of those instances where the log doesn't contain any useful information for the chmod command.
(3) The mount command in the script hasn't worked. I can run the mount command manually and that fixes the issue. I added a 5 minute delay, which I thought would have done it, but it still hasn't worked. In my most recent test, I only turned the Firewalla off. By leaving the NAS online, there wouldn't be a power cycle delay in the mix.
a> sudo mount /dev/sda1 /home/fshare/
No no no no. Do not use a password on your script. Hard coded passwords are a HUGE vulnerability.
Use keys for authentication and disable the ability to use passwords.
If you have been testing this on the CLI be aware your clear text password is now in your history file.
Remember if you truly are using FTP all traffic - including username and password - is sent as clear text.
@Bill Try
You could also do the following to separate the passwords so you can easily share the script without having to hide info:
In terms of logging, you get what you ask for—or what you ask for properly anyway. Again, I couldn't suggest what is wrong without seeing your code. You can log absolutely anything you want if you do it right.
Have you tried
I created a little script with
The above script hangs (never finishes; shows no information in stdout or stderr). The below script does not hang, but also does not work (but it logs). Now I'll put logging on each of the commands and see how they fare. At this point, I'm just excited I can see what's happening! :-) I'll see if I can take what you've taught me and come up with a way to change the password.
The log output follows.
Are you saying I should drop the ending / from my parameter(s)? The script works with the / included when I run the script myself. Should that matter?
Sorry, Bill. I haven't used chpasswd in scripts much. Try:
https://www.baeldung.com/linux/passwd-shell-script Note the double quotes. quotes, special characters, escaping things are often the trickiest bits of shell scripts. I'm not sure if you need sudo or not.
Yes, leave the trailing slash off the mount command.
I'm not having any luck with this still! Sorry to be a pain. By the way, the documentation for chpasswd has it as uid:pwd, not pwd:uid, so I tried both. It expects the first parameter to be the user name.
Here's what I tried most recently. At least I'm getting an error message with this one. :-/
@Bill
I'm not sure, but maybe the sudo doesn't apply to the chpasswd command after the pipe. I ran into a similar permissions problem with output redirection when trying to write to a file in /etc.
https://help.firewalla.com/hc/en-us/community/posts/4491452568851/comments/4507491636499
@Bill it is too hard to help without seeing the whole script. I suggest posting the full current version here or on GitHub. Much more likely someone can help that way.