Customized Scripting

Comments

39 comments

  • Support Team

    Create a new file /home/pi/.firewalla/config/user_crontab, and add cronjobs to it. File format is the same as system cronjob.

    It will be loaded as system cronjob when booting up.

    Example:

    $ cat /home/pi/.firewalla/config/user_crontab
    1 1 1 * * echo hi > /dev/null 2>&1

    You can reboot and test it. After the system is fully up, you can verify by crontab -l

  • Michael Bierman

    @Sven, you are correct, you can't use cronjob -e.

    1. create this file using your favorite editor. 

    /home/pi/.firewalla/config/user_crontab

    Add your cron job(s) in there exactly as you would with cron.

    2. Save the file. 

    3. Reboot firewalla. 

    4. Verify using

    crontab -l 
  • Chris Hewitt

    No no no no. Do not use a password on your script. Hard coded passwords are a HUGE vulnerability.

    Use keys for authentication and disable the ability to use passwords.

    If you have been testing this on the CLI be aware your clear text password is now in your history file.

    Remember if you truly are using FTP all traffic - including username and password - is sent as clear text.

  • David Koppenhofer

    @Bill
    I'm not sure, but maybe the sudo doesn't apply to the chpasswd command after the pipe. I ran into a similar permissions problem with output redirection when trying to write to a file in /etc.
    https://help.firewalla.com/hc/en-us/community/posts/4491452568851/comments/4507491636499

  • David Koppenhofer

    Also, a good reason to check the state of something before executing is because these scripts are run whenever the Firewalla service restarts, not necessarily just one time at boot.

  • Lewis B

    @Michael Bierman
    Yep that did it many thanks!

  • Michael Bierman

    Will scripts wait to be called until after a network connection has been made or does that need to be custom coded in the script?

  • Chris Hewitt

    @Bill does your script write log messages you can check - if not it should.

    (From above) You could create a custom cron job in /home/pi/.firewalla/config/user_crontab to run every five minutes to test your script - then return to only at boot.

    You could also put an @reboot in there to run your script at reboot just to make sure.

  • Michael Bierman

    Firewalla does not remove everything on every reboot. Certain directories do not get removed ever. That is why you should put your stuff there. Anything you install may be removed so you should check to see what needs to be done before doing it. I would have tests. Don't assume the state of anything.

    1. Do I need to do x? If yes, do it. If no, do not.
    2. Does X file or directory already exist? If yes, do Y, if not, do not. 
    3. Is X already running? If yes, do nothing; if no, start it.
    4. Is X already mounted? If yes, do nothing. If no, mount it.
    5. Personally I wouldn't put passwords in the file. There are better ways to handle this. 

    You are copying a script that does the entire installation to another location. This doesn't make sense to me. What happens on reboot should be separate from any configuration stuff. Don't duplicate. If you want to make sure something is installed just call the installs script before anything else.

    Adding rows to an existing file is simple to do if that's needed. google "bash >>" 

    The actual upload location isn't on the Firewalla. For this reason, I didn't think it really mattered if I used /data or not.

    It might not. To be honest, I don't know exactly how Firewalla reacts to remounting file systems. I would definitely add a check to the reboot script to test if the mount exists and redo it if it does not. I would probably err toward mounting something under an area Firewalla expects to have user content, even if that isn't necessary.

    Again, to debug you should use "bash -x" and/or log each significant action so you can see what is happening at every step. Each log entry should have a time stamp. You can run it and when needed try rebooting to see what is firing and what is not. You can always remove or comment out some of the logging when it is confirmed to be working. 
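    An idempotent version of those checks (package, mount, config line, service) with timestamped logging, added here as an example rather than code from the thread; the log path, device, directory and service names are assumed placeholders.

```bash
#!/bin/bash
# Idempotent post_main.d-style script: every step checks state first, acts
# only if needed, and logs with a timestamp. Added example, not from the thread;
# LOG path, device and directory below are assumed placeholders.
SUDO=${SUDO-sudo}                      # set SUDO= to exercise it unprivileged
LOG=${LOG-/home/pi/.firewalla/config/post_main.d/at_boot.log}

log() { printf '%s %s\n' "$(date '+%Y-%m-%dT%H:%M:%S')" "$*" >> "$LOG"; }

# Debian package present?  dpkg-query prints "install ok installed" when it is.
pkg_installed() { dpkg-query -W -f='${Status}' "$1" 2>/dev/null | grep -q 'ok installed'; }

ensure_pkg() {
  if pkg_installed "$1"; then log "pkg $1 already installed"; return 0; fi
  log "installing $1"; $SUDO apt-get -y install "$1"
}

# Append LINE to FILE only if it is not already there.  Writing goes through
# tee, because "sudo cmd >> /etc/file" redirects as the unprivileged user.
ensure_line() {  # ensure_line FILE LINE
  grep -qxF -- "$2" "$1" 2>/dev/null && return 0
  printf '%s\n' "$2" | $SUDO tee -a "$1" >/dev/null
}

# Mount only if DIR is not already a mount point (mountpoint -q exits 0 if so).
ensure_mount() {  # ensure_mount DEVICE DIR
  if mountpoint -q "$2"; then log "$2 already mounted"; return 0; fi
  log "mounting $1 on $2"; $SUDO mount "$1" "$2"
}

# Start a service only if it is not already active.
ensure_service() {
  if systemctl is-active --quiet "$1"; then log "$1 already running"; return 0; fi
  log "starting $1"; $SUDO systemctl start "$1"
}

main() {
  ensure_pkg vsftpd
  ensure_mount /dev/sda1 /data/ftp                      # assumed device and dir
  ensure_line /etc/vsftpd.conf 'write_enable=YES'
  ensure_service vsftpd
}

# Run with AT_BOOT_RUN=1 ./at_boot.sh; sourcing the file only defines functions.
if [ "${AT_BOOT_RUN-0}" = 1 ]; then main "$@"; fi
```

    Running it twice in a row produces no second install, mount or start, which is what makes it safe for a hook that fires on every service restart.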

  • Firewalla

    There is no need to do this for the blue; you can just use cron directly. The reason gold is a bit special is that, when in router mode, we want it to be stable, hence we restrict access to services to prevent 'you' from messing up the operating system and shutting down the network.

  • Michael Bierman

    Exactly so, @David. In fact for many people they hardly ever reboot but the FW service has to restart for other reasons like upgrades. 

  • Chris Hewitt

    Hard coded passwords are a really bad idea.

    https://cwe.mitre.org/data/definitions/798.html

    https://cwe.mitre.org/data/definitions/259.html

  • Bill Bradstreet

    @Michael.

    At this point, I am just focusing on the chpasswd command. I'm not even running in a script... just running the sudo echo UID:PWD | sudo chpasswd.

    Once I have this step working I will move on to the next. I'm going to ask Stack Exchange or something similar to see if they have any suggestions. That is probably more appropriate. I'll report back when I have something to share.

  • Bill Bradstreet

    @Chris. That dpkg query is a great addition to my limited unix knowledge. Thanks.

    I was under the understanding that whenever a Firewalla Gold reboots it removes all customizations. If this isn't the case, then I'd love to be able to streamline the script.

    I use FTP because I have some security cameras around the property that FTP images to a server when they sense motion. The company has the ability to use samba, but they have a bug in the firmware for two of my cameras. So, I send the images via FTP. I tried to use sFTP, but it didn't work even when I switched to port 22. I should probably set up a rule to block remote FTP requests.

    @Michael, The cp command you call out just overlays a working config over the one that is placed in the /etc folder during installation. I do this as it is easier than inserting rows to an existing file. I'll look more into the /data folder. I'm, in actuality, setting this up to use a 16TB external drive for the files that get uploaded. The actual upload location isn't on the Firewalla. For this reason, I didn't think it really mattered if I used /data or not.

    Back to one of my initial questions, though. Why would a script that I can run successfully fail at boot?

    My wife is out of town in a few days. I'll do more testing while she is away. I try not to disrupt the network too much when she's home.

  • Michael Bierman

    Sorry, Bill. I haven't used chpasswd in scripts much. Try: 

    echo "password:name" | chpasswd

    https://www.baeldung.com/linux/passwd-shell-script Note the double quotes. Quotes, special characters and escaping are often the trickiest bits of shell scripts. I'm not sure if you need sudo or not.

    Yes, leave the trailing slash off the mount command. 

  • Firewalla Support

    In case there are any special characters in your password, you might want to do

    echo '<username>:<password>' | sudo chpasswd

    For example,

    echo 'pi:mySecretpa$s' | sudo chpasswd

    Or use variables instead

    username=pi

    # set password directly (non-secure)
    password='mySecretpa$s'
    # or, set password more securely
    password=$(cat) #input password, ENTER and Ctrl-D to finish

    echo "$username:$password" | sudo chpasswd

    Please give it a try and see if it works.
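    A way to apply Support's quoting advice above while also taking Chris's hard-coded-password point on board: the secret is read from a root-only 0600 file instead of being written into the script or typed on the command line. Added here as an example, not the thread's or Firewalla's code; the helper names and the dry-run override are assumptions.

```bash
#!/bin/bash
# Set a local account password without hard-coding it (added example, not the
# thread's code). The secret is read from a root-only file, so it is not in the
# script, the shell history or the process list; chpasswd gets "user:password"
# on stdin in that order, via printf so $, quotes and spaces stay literal.
SUDO=${SUDO-sudo}                 # set SUDO= to exercise the checks unprivileged
CHPASSWD=${CHPASSWD-chpasswd}     # override (e.g. CHPASSWD=cat) to dry-run

build_chpasswd_line() { printf '%s:%s\n' "$1" "$2"; }   # USER PASSWORD

# Accept only a regular file with no group/other permission bits (-rw-------).
secret_file_ok() {
  [ -f "$1" ] || return 1
  [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}

set_password_from_file() {   # set_password_from_file USER SECRET_FILE
  user=$1; file=$2
  id -u "$user" >/dev/null 2>&1 || { echo "no such user: $user" >&2; return 2; }
  secret_file_ok "$file" || { echo "$file must be a 0600 file" >&2; return 3; }
  pw=$($SUDO head -n 1 "$file")                # first line is the password
  [ -n "$pw" ] || { echo "empty password in $file" >&2; return 4; }
  build_chpasswd_line "$user" "$pw" | $SUDO $CHPASSWD
}
```

    Create the secret once with something like `sudo install -m 0600 /dev/null /root/ftpuser.secret` and edit it as root; the boot script then only references the path.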

  • David Koppenhofer

    Yes, I found the calling script. They're run in 'ls' order.

  • Bill Bradstreet

    I'm not having any luck with this still! Sorry to be a pain. By the way, the documentation for chpasswd has it as uid:pwd, not pwd:uid, so I tried both. It expects the first parameter to be the user name.

    Here's what I tried most recently. At least I'm getting an error message with this one. :-/

    $ sudo echo UID:password123! | chpasswd
    Changing password for fshare.
    chpasswd: (user UID) pam_chauthtok() failed, error:
    Authentication token manipulation error
    chpasswd: (line 1, user UID) password not changed
  • Bill Bradstreet

    I had the script set to create log files, but they were mostly empty. I removed it (for now). 

    Here's the script (with a few anonymizers). Again, this script runs through successfully when I run it in SSH as pi. ./at-boot.sh
    script: at_boot.sh

    #!/bin/bash

    sudo apt-get update
    sudo apt-get -y install samba samba-common samba-common-bin cifs-utils python-glade2 system-config-samba vsftpd

    # Date Variables

    # sudo read -r YYYY MM DD H M S <<< "$(date '+%Y %m %d %H %M %S' -d "$date_in")"

    # Sets up ftp users

    sudo addgroup sftp
    sudo useradd -m thisisanthrusrname -g sftp
    sudo passwd thisisanthrusrname <<< thisisapwd
    sudo useradd -m thisisausrname -g sftp
    sudo passwd thisisausrname <<< thisisapwd
    sudo mkdir /home/thisisausrname/

    # Set permissions

    sudo chmod 744 /home/thisisausrname/

    # Sets up external drive mounting

    sudo fdisk -l
    sudo mount /dev/sda1 /home/thisisausrname/
    sudo mount

    # Copy config into ssh directory

    sudo rm -f /etc/ssh/sshd_config
    sudo cp /home/pi/.firewalla/config/post_main.d/sshd_config /etc/ssh/sshd_config
    sudo systemctl restart ssh

    # Set ownership

    sudo chown -R nobody:nogroup /home/thisisausrname/
    sudo chmod -R 0775 /home/thisisausrname/

    # Copy config into samba directory

    sudo rm -f /etc/samba/smb.conf
    sudo cp /home/pi/.firewalla/config/post_main.d/smb.conf.1709LH /etc/samba/smb.conf
    sudo service smbd stop
    sudo service smbd start

    # Open firewall ports for FTP & Samba

    sudo ufw allow samba
    sudo ufw allow 21
    sudo ufw allow 22

    # Enable FTP

    sudo systemctl start vsftpd
    sudo systemctl enable vsftpd

    # Set directory for FTP

    # sudo mkdir /home/thisisausrname/WebcamImages/$YYYY/$MM/$DD

    sudo usermod -d /home/thisisausrname/WebcamImages thisisausrname

    # Over-write config file

    sudo cp  /home/pi/.firewalla/config/post_main.d/vsftpd.conf /etc/vsftpd.conf

    sudo systemctl restart vsftpd.service

  • Michael Bierman

    after rebooting. @theoninhunter.

  • Michael Bierman

    Another use for custom scripting. Install Speedtest CLI on Firewalla. 

    Want to have speedtest cli on Firewalla Gold? This will tell you how fast your internet connection is right on Firewalla (no wifi or Ethernet involved).

    Firewalla will remove anything installed after upgrades so you can install a script to reinstall for you after firewalla upgrades and possibly reboots. See this gist.  

    Then you can run speedtest.

    speedtest --interface=eth0

    Or

    speedtest --interface=eth1

    if you have dual WAN and want to test WAN2

  • Pete Gillis

    Hmm. Ok, I'll let you know if I lose my crontab next time the router reboots. I thought that is what happened before.

  • Pete Gillis

    I have blue and am just interested in persisting some crontab settings. Will the

    /home/pi/.firewalla/config/user_crontab

    file also work for Firewalla blue?  Thanks.

  • Bill Bradstreet

    I created a little script with 

    userid="fred"
    pass="123"
    sudo chpasswd $userid:$pass

    The above script hangs (never finishes; shows no information in stdout or stderr). The below script does not hang, but also does not work (but it logs). Now I'll put logging on each of the commands and see how they fare. At this point, I'm just excited I can see what's happening! :-) I'll see if I can take what you've taught me and come up with a way to change the password.  

    sudo chpasswd < passwd.txt

    The log output follows. 

    chpasswd: (user 'userid') pam_chauthtok() failed, error:
    Authentication token manipulation error
    chpasswd: (line 1, user 'userid') password not changed

  • Bill Bradstreet

    Thanks for the advice. In the end, I will be looking at that. But, first, I need to get a script that works. Then I can focus on making it fancy/secure. 

  • Chris Hewitt

    You can always run this command to see what is installed on a Debian distro.

    sudo dpkg-query -f '${Package;-30}${Priority}\t${Essential}\t${Description;-100}\n' -W | grep -Ev '^ ' | grep -v '^$'

  • Christian Kuhtz

    Can you please provide a method to trigger the merge of the user_crontab/* files at runtime without reboot?

  • Sven Moderow

    I don't understand the example "Customized Cron jobs". How do I add a custom cronjob, and where? Can someone give a step-by-step example? Adding with "cronjob -e", the job is lost after a restart of Firewalla.

    cat: /home/pi/.firewalla/config/user_crontab: No such file or directory

  • Chris Hewitt

    You shouldn't have to do this at every boot. I don't think all this gets reset on boot. Have you taken a look at this https://help.firewalla.com/hc/en-us/articles/360007345553-Fun-Things-To-Do-with-Firewalla ? @Firewalla can you comment?

    Reminder that using FTP is a significant security risk. What is the end result you are trying to do here? You shouldn't have to open SSH, as the Firewalla already does that.

  • Pavel

    Hi,

    How can I find out why the script is not working after restarting my Firewalla Blue Plus?

    pi@Firewalla:~/.firewalla/config/post_main.d (Firewalla Blue Plus) $ pwd
    /home/pi/.firewalla/config/post_main.d
    pi@Firewalla:~/.firewalla/config/post_main.d (Firewalla Blue Plus) $ ls -lh
    total 4.0K
    -rwxr-xr-x 1 root root 161 Oct 23 19:05 hello.sh
    pi@Firewalla:~/.firewalla/config/post_main.d (Firewalla Blue Plus) $ cat hello.sh
    #!/bin/bash
    sudo ip route add 3.5.0.0/16 dev vpn_8BB6_8BB62
    sudo ip route add 52.88.0.0/13 dev vpn_8BB6_8BB62
    sudo ip route add 52.216.0.0/14 dev vpn_8BB6_8BB62
    pi@Firewalla:~/.firewalla/config/post_main.d (Firewalla Blue Plus) $

    Thank you.