Before everything, please note:
- This is a technical document for advanced users only. Incorrect scripting may cause system corruption that requires a factory reset or even reflashing the disk.
- This is for Firewalla Gold and Purple.
- This is for version 1.971 or above.
Customized Scripts
You can add scripts to Gold/Purple so that they are automatically executed when the Firewalla service restarts (for example, when Gold/Purple reboots or the software updates).
These scripts are placed under the folder /home/pi/.firewalla/config/post_main.d/ (create this folder if it does not exist):
- the directory itself should be writable and executable by anyone (including pi)
- the files inside the directory should be executable by anyone (including pi)
$ mkdir /home/pi/.firewalla/config/post_main.d/
$ cd /home/pi/.firewalla/config/post_main.d/
$ sudo chmod a+rwx .
Create a file with any name ending in ".sh" and make it executable. For example:
$ sudo touch /home/pi/.firewalla/config/post_main.d/hello.sh
$ sudo chmod +x /home/pi/.firewalla/config/post_main.d/hello.sh
Any file in this folder ending in ".sh" is executed at boot time (and whenever the Firewalla service restarts). Now edit it using vi or nano. For example:
$ cat /home/pi/.firewalla/config/post_main.d/hello.sh
#!/bin/bash
echo "Hello World"
Notes
- Make sure your scripts can safely be executed multiple times, at unscheduled times, because they are called every time the Firewalla services restart.
- If you need to run a specific command as root within your script, use sudo.
Example: Install package "iftop"
#!/bin/bash
sudo apt-get update
sudo apt-get install iftop -y
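A fuller version of that install script, added here as an example (not Firewalla's own code), that follows the notes above: it checks whether the package is already present before installing, so it is safe to run on every service restart, and it logs each run with a timestamp. The /tmp log path and the directory check used as a host guard are assumptions made for this example.

```shell
#!/bin/bash
# Idempotent post_main.d script (added example, not Firewalla's own code).
# Installs a package only when it is missing and logs every run with a
# timestamp, so it is safe to run on every service restart, not just at boot.
set -u

LOG_FILE="${LOG_FILE:-/tmp/post_main_example.log}"   # /tmp, like the page's cron example
PACKAGES="iftop"                                     # space-separated packages to keep installed

# One timestamped line per event, so a later run can be told apart from the boot run.
log() {
    printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*" >> "$LOG_FILE"
}

# Returns 0 if the Debian package is installed, 1 otherwise (dpkg status string).
pkg_installed() {
    dpkg-query -W -f='${Status}' "$1" 2>/dev/null | grep -q 'install ok installed'
}

# Install only when missing; root commands go through sudo, as the notes say.
ensure_pkg() {
    local pkg="$1"
    if pkg_installed "$pkg"; then
        log "$pkg already installed, nothing to do"
        return 0
    fi
    log "$pkg missing, installing"
    if sudo apt-get update -qq && sudo apt-get install -y -qq "$pkg"; then
        log "$pkg installed"
    else
        log "FAILED to install $pkg"
        return 1
    fi
}

main() {
    log "run started (pid $$, user $(id -un))"
    local rc=0 pkg
    for pkg in $PACKAGES; do
        ensure_pkg "$pkg" || rc=1
    done
    log "run finished rc=$rc"
    return "$rc"
}

# Guard (assumption): act only where the Firewalla config tree exists, so
# running this file anywhere else changes nothing.
if [ -d /home/pi/.firewalla/config ]; then
    main
fi
```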
Customized Cron jobs
To create scheduled jobs, add your own cron jobs by putting valid crontab entries in this file:
/home/pi/.firewalla/config/user_crontab
Example:
pi@firewalla:~ (Firewalla) $ cat ~/.firewalla/config/user_crontab
* * * * * /bin/bash -c "date" > /tmp/date.log 2>&1
Note: No changes are incorporated into the system crontab until the Firewalla service restarts.
You can verify that they have been incorporated by running "crontab -l".
Examples
# Run a script of your choosing
*/15 6-21 * * * /data/helloworld.sh
Comments
42 comments
No no no no. Do not use a password on your script. Hard coded passwords are a HUGE vulnerability.
Use keys for authentication and disable the ability to use passwords.
If you have been testing this on the CLI be aware your clear text password is now in your history file.
Remember if you truly are using FTP all traffic - including username and password - is sent as clear text.
@Sven you are correct you can't use cronjob -e.
1. Create this file using your favorite editor.
Add your cron job(s) in there exactly as you would with cron.
2. Save the file.
3. Reboot Firewalla.
4. Verify using
@Michael Bierman
Yep that did it many thanks!
Will scripts wait to be called until after a network connection has been made or does that need to be custom coded in the script?
Create a new file /home/pi/.firewalla/config/user_crontab, and add cronjobs to it. File format is the same as system cronjob.
It will be loaded as system cronjob when booting up.
Example:
You can reboot and test it. After the system is fully up, you can verify by crontab -l
Also, a good reason to check the state of something before executing is because these scripts are run whenever the Firewalla service restarts, not necessarily just one time at boot.
Firewalla does not remove everything on every reboot. Certain directories do not get removed ever. That is why you should put your stuff there. Anything you install may be removed so you should check to see what needs to be done before doing it. I would have tests. Don't assume the state of anything.
You are copying a script that does the entire installation to another location. This doesn't make sense to me. What happens on reboot should be separate from any configuration stuff. Don't duplicate. If you want to make sure something is installed just call the installs script before anything else.
Adding rows to an existing file is simple to do if that's needed. google "bash >>"
It might not. To be honest, I don't know exactly how Firewalla reacts to remounting file systems. I would definitely add a check to the reboot script to test if the mount exists and redo it if it does not. I would probably error to mounting something under an area Firewalla expects to have user content—even if that isn't necessary.
Again, to debug you should use "bash -x" and/or log each significant action so you can see what is happening at every step. Each log entry should have a time stamp. You can run it and when needed try rebooting to see what is firing and what is not. You can always remove or comment out some of the logging when it is confirmed to be working.
@Bill
I'm not sure, but maybe the sudo doesn't apply to the chpasswd command after the pipe. I ran into a similar permissions problem with output redirection when trying to write to a file in /etc.
https://help.firewalla.com/hc/en-us/community/posts/4491452568851/comments/4507491636499
@Bill does your script write log messages you can check - if not it should.
(From above) You could create a custom cron job in /home/pi/.firewalla/config/user_crontab to run every five minutes to test your script - then return to only at boot.
You could also put an @reboot in there to run your script at reboot just to make sure.
Are you saying I should drop the ending / from my parameter(s)? The script works with the / included when I run the script myself. Should that matter?
I've learned a bit over the past two days. If I perform a sudo passwd && sudo chmod 744 /home/userid/ && sudo mount /dev/sda1 /home/userid/ my systems can access data via samba and ftp. I'm interpreting this to mean that the rest of the script runs just fine after the Firewalla is turned back on.
(1) The password steps I have coded haven't worked. I can do a passwd manually and that fixes the issue. So, I still need to find a method for setting/changing a password inside my script. If someone has a suggestion for what I should choose, I would be very grateful! I've tried a few so far. These are the ones I recall trying.
a> echo 'userid:newpwd' | sudo chpasswd
b> echo 'newpwd\newpwd' | sudo passwd userid
(2) I did the chmod command because it is in the script. I'm not sure if it worked or not at this point. I've found that logging my scripts hasn't worked as I would have expected. I'm not getting much output. This is one of those instances where the log doesn't contain any useful information for the chmod command.
(3) The mount command in the script hasn't worked. I can run the mount command manually and that fixes the issue. I added a 5 minute delay, which I thought would have done it, but it still hasn't worked. In my most recent test, I only turned the Firewalla off. By leaving the NAS online, there wouldn't be a power cycle delay in the mix.
a> sudo mount /dev/sda1 /home/fshare/
Sorry, Bill. I haven't used chpasswd in scripts much. Try:
https://www.baeldung.com/linux/passwd-shell-script Note the double quotes. quotes, special characters, escaping things are often the trickiest bits of shell scripts. I'm not sure if you need sudo or not.
Yes, leave the trailing slash off the mount command.
I'm not having any luck with this still! Sorry to be a pain. By the way, the documentation for chpasswd has it uid:pwd, not pwd:uid, so I tried both. It expects the first parameter to be the user name.
Here's what I tried most recently. At least I'm getting an error message with this one. :-/
@Bill it is too hard to help without seeing the whole script. I suggest posting the full current version here or on GitHub. Much more likely someone can help that way.
@Michael.
At this point, I am just focusing on the chpasswd command. I'm not even running in a script... just running the sudo echo UID:PWD | sudo chpasswd.
Once I have this step working I will move on to the next. I'm going to ask Stack Exchange or something similar to see if they have any suggestions. That is probably more appropriate. I'll report back when I have something to share.
In case there are any special characters in your password, you might want to do
For example,
Or use variables instead
Please have a try and see if it works
Hard coded passwords are a really bad idea.
https://cwe.mitre.org/data/definitions/798.html
https://cwe.mitre.org/data/definitions/259.html
Thanks for the advice. In the end, I will be looking at that. But, first, I need to get a script that works. Then I can focus on making it fancy/secure.
Hi,
How can I find out why my script is not working after restarting my Firewalla Blue Plus?
pi@Firewalla:~/.firewalla/config/post_main.d (Firewalla Blue Plus) $ pwd
/home/pi/.firewalla/config/post_main.d
pi@Firewalla:~/.firewalla/config/post_main.d (Firewalla Blue Plus) $ ls -lh
total 4.0K
-rwxr-xr-x 1 root root 161 Oct 23 19:05 hello.sh
pi@Firewalla:~/.firewalla/config/post_main.d (Firewalla Blue Plus) $ cat hello.sh
#!/bin/bash
sudo ip route add 3.5.0.0/16 dev vpn_8BB6_8BB62
sudo ip route add 52.88.0.0/13 dev vpn_8BB6_8BB62
sudo ip route add 52.216.0.0/14 dev vpn_8BB6_8BB62
pi@Firewalla:~/.firewalla/config/post_main.d (Firewalla Blue Plus) $
Thank you.
I don't understand the example "Customized Cron jobs". How do I add a custom cronjob, and where? Can someone give a step-by-step example? Adding with "cronjob -e", the job is lost after a restart of Firewalla.
Can you please provide a method to trigger the merge of the user_crontab/* files at runtime without reboot?
For anyone having issues checking custom crontabs, here are some additional steps the above guide does not provide:
Next restart firewalla; then check to ensure cronjob is present with this command:
You should now see the entries of user_crontab added to the bottom of the crontab for user "pi".
What about /etc/cron.{hourly|daily|monthly|weekly}/? Can I drop scripts in there to run in the specified intervals?
swrobel you should use user cron to schedule scripts. You can set any schedule you like.
@Bill hard (for me at least) to comment without seeing the script. Can you post it somewhere?
There is no need to do this for the blue, you can just use cron directly. The reason gold is a bit special is, when in router mode, we want it to be stable, hence we restrict access to services to prevent 'you' from messing up the operating system and shut down the network.
Hmm. Ok, I'll let you know if I lose my crontab next time the router reboots. I thought that is what happened before.
Another use for custom scripting. Install Speedtest CLI on Firewalla.
Want to have speedtest cli on Firewalla Gold? This will tell you how fast your internet connection is right on Firewalla (no wifi or Ethernet involved)
Firewalla will remove anything installed after upgrades so you can install a script to reinstall for you after firewalla upgrades and possibly reboots. See this gist.
Then you can run speedtest.
Or
if you have dual WAN and want to test WAN2
How soon after adding an entry into the ~/.firewalla/config/user_crontab does the main crontab pickup the change?
after rebooting. @theoninhunter.