Console Menu
December 2016 Hangout
Jim Pingle
About this Hangout
● Project News
● Console Menu Access & Setup
– Keyboard/Video Console
– Serial Console
– SSH
● Console Menu Options
● Using the PHP Shell
● Using the tcsh Shell
Project News
● SG-1000 shipping, all backorders shipped!
– Development and improvements are still ongoing
– USB OTG port is now bootable with new snapshots
● Switch framework from SG-1000 (Interfaces > Switches) to be used for future products including large numbers of switch ports
– https://blog.pfsense.org/?p=2174
● Enterprise Support coming in January
– Three choices: yearly, per-device, non-incident
● pfSense Code Audit
– Audit was performed by an independent consulting firm
– Results were excellent
– Full details will be posted soon on the Netgate & pfSense blogs
Console Menu Requirements
● Physical Keyboard/Video console
– Firewall hardware must have video output, keyboard attached
● Serial Console
– Device must have a serial port or similar console port
● Devices with a traditional DB9 or RJ45 style serial port must use COM1
● Null modem serial cable or adapter
● Client must also have a serial port or USB/Serial converter
– http://store.netgate.com/Serial-NULL-Modem-RS232-Cable-Kit-P2165.aspx
– SG devices have a Micro USB console port that acts as a USB/Serial converter on COM2
● Only a micro-USB cable, such as an Android device cable, is required
– Serial console must be enabled on pfSense
● Defaults to enabled for SG devices or devices installed from the serial memstick
● Enabled in the GUI for others
● SSH
– SSH must be enabled on the firewall
– Firewall rules must allow access
● All types:
– When setting up a terminal, default size is usually 24 rows, 80 columns
● This size works best for the installer
– For general use after installation, we recommend wider & taller terminals to show more information
● Example: 32 rows, 132 columns.
Physical Console Configuration
● Video console is always enabled if present
● Serial console may need to be enabled manually unless it is the only console
● System > Advanced, Admin Access tab
– Serial Communications section
● Serial Terminal, check to enable
– Box is hidden for devices that only have serial or which have serial forced on
● Serial Speed
– No reason to use anything other than 115200 these days
● Primary Console
– Kernel boot messages will go to all configured hardware consoles (video, serial)
– Once the kernel passes off control to the OS boot scripts, only the primary console will receive output (e.g. pfSense boot output)
– If the output stops after “Mounting root...” without a prompt, odds are you are not looking at the primary console
– If an error is encountered during boot, such as interfaces needing to be reassigned, only the primary console can be used to correct the problem
– After bootup completes, all consoles receive a menu
SSH Console Access Setup
● System > Advanced, Admin Access tab, Secure Shell section
● Or use console menu option 14 if you have access to the video or serial console
● Check Enable Secure Shell
– The firewall will generate SSH keys for the ssh daemon, which can take some time
● On SG-1000, this process can take about a minute and a half
● Authentication Method
– Unchecked, passwords can be used
● All account passwords should be strong!
● Do not expose SSH to the Internet with password authentication allowed!
– Checked, ssh keys are required for all accounts
● Immune to brute force attacks but requires more complex setup and management
● Keys must be generated on the client (e.g. with ssh-keygen) and then pasted into the account settings
● SSH port, defaults to 22
– Moving the port does not offer a significant security advantage on its own
● Add firewall rules to allow access
– Do not expose SSH to the world if you can help it!
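Since key-based authentication means pasting a client-generated public key into the account settings, a quick sanity check on the pasted line avoids the two common mistakes (pasting the private key, or a blob that does not match the declared type). The script below is an added example and is not from the hangout or from pfSense itself; it assumes the standard OpenSSH public key line format (`<type> <base64 blob> [comment]`) and checks only the base64 prefix that encodes the key-type string, so a wrong-type or truncated blob is caught before it reaches the firewall. The sample key lines are constructed and are not real keys.

```shell
#!/bin/sh
# Added example, not from the hangout slides: sanity-check an OpenSSH public
# key line before pasting it into a user's SSH keys in the pfSense GUI.
# Assumes the "<type> <base64 blob> [comment]" line format; the base64
# prefixes below encode the key-type string that begins every OpenSSH key
# blob. The sample keys are constructed, not real keys.

# Print "ok <type>" and return 0 for a plausible public key line; otherwise
# print a reason and return 1. Body runs in a subshell so set -f stays local.
check_pubkey_line() (
    line=$1
    case $line in
        "")              echo "reject: empty line"; exit 1 ;;
        *"PRIVATE KEY"*) echo "reject: this is a private key, never paste it"; exit 1 ;;
    esac
    set -f
    set -- $line             # split on whitespace: type, blob, optional comment
    ktype=$1; blob=$2
    [ -n "$blob" ] || { echo "reject: missing key blob"; exit 1; }
    # Expected start of the blob: base64 of <4-byte length><key-type string>.
    case $ktype in
        ssh-ed25519)         want=AAAAC3NzaC1lZDI1NTE5 ;;
        ssh-rsa)             want=AAAAB3NzaC1yc2E ;;
        ecdsa-sha2-nistp256) want=AAAAE2VjZHNhLXNoYTItbmlzdHAyNTY ;;
        *) echo "reject: unsupported key type '$ktype'"; exit 1 ;;
    esac
    case $blob in
        *[!A-Za-z0-9+/=]*) echo "reject: blob contains non-base64 characters"; exit 1 ;;
    esac
    [ $(( ${#blob} % 4 )) -eq 0 ] || { echo "reject: blob length is not a multiple of 4"; exit 1; }
    case $blob in
        "$want"*) ;;
        *) echo "reject: blob does not start with a $ktype header"; exit 1 ;;
    esac
    echo "ok $ktype"
)

# Constructed sample lines (the ed25519 blob has the right shape but is not a real key).
SAMPLE_ED25519='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAbcDefGhiJklMnoPqrStuVwxYz0123456789AbcDefG admin@workstation'
SAMPLE_PRIVATE='-----BEGIN OPENSSH PRIVATE KEY-----'
SAMPLE_MISMATCH='ssh-rsa AAAAC3NzaC1lZDI1NTE5AAAAIAbcDefGhiJklMnoPqrStuVwxYz0123456789AbcDefG admin@workstation'

# Stand-alone demo: one verdict per sample line.
for k in "$SAMPLE_ED25519" "$SAMPLE_PRIVATE" "$SAMPLE_MISMATCH"; do
    check_pubkey_line "$k" || true
done
```

Run it as `sh check_pubkey.sh` to see the three verdicts; to check a real key, call `check_pubkey_line "$(cat ~/.ssh/id_ed25519.pub)"` on the client before copying the line into the GUI. The check is structural only; the firewall still validates the key when it is saved.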
Accessing the Console Menu
Keyboard/Video
● Turn on the monitor, use the keyboard (simple)
● Switch to the KVM port, etc
● May also be accessible using IPMI, DRAC, iLO or similar, depending on the hardware
Accessing the Console Menu
Serial Console
● Connect the serial cable to the client
– If it is a USB/Serial cable, ensure it was detected properly by the OS
– Install drivers if necessary
● Locate the proper client serial port
– On Windows, check Device Manager
● PC Name > Ports (COM & LPT), [Name/Type] (COMx)
● Physical DB9 port is likely COM1, maybe COM2
● Typically COM3, COM4, or COM5 for USB
– Linux
● Check log/dmesg output, most likely it is /dev/ttyUSBx
– FreeBSD
● Check log/dmesg output, most likely it is /dev/cuaUx
– Mac
● Varies by serial cable OEM/type
● SG devices use /dev/cu.SLAB_USBtoUART
Accessing the Console Menu
Serial Console
● Speed must match the speed configured on the previous page
● Client serial port settings:
– Most clients, such as PuTTY and screen, use these settings by default
– 8 data bits
– No parity
– 1 stop bit
– Flow Control: XON/XOFF or disabled
● RTS/CTS flow control must not be used!
● See also: https://portal.pfsense.org/docs/manuals/reference/sg-series-serial-console.html
Accessing the Console Menu
Serial Console
● Windows
– Serial clients: PuTTY or SecureCRT
● PuTTY Download URL: http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
● Open PuTTY
– Select Serial for Connection Type
– Enter the COM port in Serial Line, such as COM3, COM5, etc.
– DO NOT USE HYPERTERMINAL!
● Linux
– Serial clients: screen, PuTTY, minicom, or dterm
– sudo screen /dev/ttyUSB0 115200
● FreeBSD
– Serial clients: screen, cu, or tip
– sudo screen /dev/cuaU0 115200
● Mac
– Serial clients: screen, Zterm, or cu
– sudo screen /dev/cu.SLAB_USBtoUART 115200
– May need -U passed to screen to work around character encoding issues
Accessing the Console Menu
SSH
● Windows
– Clients: PuTTY, SecureCRT, mRemoteNG, cygwin CLI ssh, 10AU+Ubuntu Bash CLI ssh
● Linux/FreeBSD
– Clients: PuTTY, CLI ssh, PAC
● Mac
– Clients: Terminal, iTerm2
● Client must be recent and support the key exchange, cipher, and MAC requirements on pfSense
● From the CLI it’s the same on any OS:
– ssh username@192.168.1.1
● GUI clients must be set to connect to the firewall IP address on the correct port, with the expected username
● For key-based authentication, consult the client documentation
● If the client does not work, update it and try again
– Current versions of PuTTY, SecureCRT, and others work well, older versions do not
Console Menu Tasks
● 0) Logout (SSH Only)
– Ends the current SSH session
– Pressing enter without entering an option will also close the SSH session, as will using CTRL-D
Console Menu Tasks
● 1) Assign Interfaces
– Prompts the user to wipe the existing interface configuration and start over with new interface assignments
– This is the same procedure that is triggered during boot when the available physical/virtual interfaces do not match the assigned interfaces
– Can create VLANs, but not other special interface types (e.g. LAGG)
– Lists all available interfaces and VLANs for assignment
● For physical interfaces, MAC addresses are printed in the list
– At least one interface must be assigned (WAN)
– Press enter without typing an interface name to stop
Console Menu Tasks
● 2) Set interface(s) IP address
– Set an IP address for any firewall interface
– Can configure static addresses or DHCP
– For static addresses:
● Prompts for the IP address, subnet mask, and optional gateway
● Prompts to enable or disable DHCP service for an interface, and to set the DHCP IP address range if it is enabled
– If the firewall GUI is configured for HTTPS, the menu prompts to switch to HTTP in case SSL is not functional
– Enables the anti-lockout rule in case the user has been locked out of the GUI
Console Menu Tasks
● 3) Reset webConfigurator Password
– Resets the admin account password back to “pfsense”
– If the GUI authentication source is RADIUS/LDAP, the script prompts to reset as Local Database
– If the admin account has been removed, the script re-creates the account
– If the admin account is disabled, the script re-enables the account
Console Menu Tasks
● 4) Reset to factory defaults
– Restores the system configuration back to its factory default (/conf.default/config.xml)
– Attempts to remove non-default packages
– Does not make any filesystem changes
– A wipe and reload may be a better choice if anything other than the configuration needs to be reset
Console Menu Tasks
● 5) Reboot system
– Shuts down the firewall cleanly and performs a clean restart
– 2.4 adds a few new options:
● Reboot normally
● Reroot
– A quicker restart that doesn’t reload the kernel
– Kills processes, remounts filesystems, runs startup sequence
● Reboot into Single User Mode
– Needs console access
● Reboot and run a filesystem check
– Runs fsck on the root slice 5x
Console Menu Tasks
● 6) Halt System
– Cleanly shuts down the firewall
– Stops all processes
– Synchronizes all filesystems
– Attempts to power off the firewall if the hardware is capable
– Always use this option or its GUI equivalent when turning off the firewall
● Never abruptly disconnect power!
Console Menu Tasks
● 7) Ping Host
– Sends three ICMP echo requests to a target and displays the results
– When passed an IPv4 address or a hostname, it uses ping
– When passed an IPv6 address it uses ping6
● 8) Shell
– Starts a tcsh shell and presents a shell prompt
– Will cover this more later
Console Menu Tasks
● 9) pfTop
– Invokes pfTop for a real-time view of firewall state table activity
– Has a variety of views to help spot connections passing a lot of data, for example
– Use 0-8 to select a view directly
– The view can be sorted in a variety of ways
– Press ? to see help, which shows all of the keyboard shortcuts
Console Menu Tasks
● 10) Filter Logs
– Runs (essentially) a “tail” on the filter log file
– Log entries are presented in raw format
● https://doc.pfsense.org/index.php/Filter_Log_Format_for_pfSense_2.2
– For a simpler real-time view, run this from the shell:
● clog -f /var/log/filter.log | filterparser.php
● 11) Restart webConfigurator
– Restarts the nginx instance that runs the WebGUI
– Usually needs option 16 run as well to restart PHP-FPM
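The raw entries that option 10 prints are comma-separated records, and reading them by eye means counting fields. The script below is an added example, not part of the hangout or of pfSense (filterparser.php is the firewall's own tool; this is a stand-in for reading a saved log on a workstation). It assumes the field positions of the pfSense 2.2 filter log format from the document linked above as I read it (common header, then an IPv4 or IPv6 header block, then length, source, destination and the TCP/UDP ports), reduces each record to one readable line, and counts blocked inbound records per source address for quick triage. The sample records are constructed, not captured from a firewall.

```shell
#!/bin/sh
# Added example, not part of the hangout slides: summarize raw pfSense filter
# log records (the CSV format documented at the URL above) one per line, and
# count blocked inbound records per source. Field positions assume the pfSense
# 2.2 filter log layout as I read that document; the sample records below are
# constructed, not captured from a real firewall.

# Print "iface action dir proto src[:sport] -> dst[:dport]" for one record.
# Accepts a bare CSV record or a syslog line ending in "filterlog: <csv>".
# Runs in a subshell so IFS, set -f and the variables stay local.
parse_filterlog_line() (
    rec=$1
    case $rec in
        *"filterlog: "*) rec=${rec#*filterlog: } ;;
    esac
    set -f                      # no globbing while splitting on commas
    IFS=','
    set -- $rec
    # Common header: rule,subrule,anchor,tracker,iface,reason,action,dir,ipver
    iface=$5; action=$7; dir=$8; ipver=$9
    case $ipver in
        4)  # IPv4: tos,ecn,ttl,id,offset,flags,proto-id,proto-text,len,src,dst,sport,dport,...
            proto=${17}; src=${19}; dst=${20}; sport=${21}; dport=${22} ;;
        6)  # IPv6: class,flow-label,hop-limit,proto-text,proto-id,len,src,dst,sport,dport,...
            proto=${13}; src=${16}; dst=${17}; sport=${18}; dport=${19} ;;
        *)  printf 'unparsed record: %s\n' "$rec" >&2; exit 1 ;;
    esac
    case $proto in
        tcp|udp)
            # Bracket IPv6 addresses so host and port stay distinguishable.
            if [ "$ipver" = 6 ]; then src="[$src]"; dst="[$dst]"; fi
            printf '%s %s %s %s %s:%s -> %s:%s\n' \
                "$iface" "$action" "$dir" "$proto" "$src" "$sport" "$dst" "$dport" ;;
        *)  printf '%s %s %s %s %s -> %s\n' \
                "$iface" "$action" "$dir" "$proto" "$src" "$dst" ;;
    esac
)

# Count records on stdin that were blocked inbound from one source address.
count_blocked_from() {
    addr=$1; n=0
    while IFS= read -r line; do
        summary=$(parse_filterlog_line "$line") || continue
        case $summary in
            *" block in "*" $addr:"*|*" block in "*" [$addr]:"*|*" block in "*" $addr -> "*)
                n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# Constructed sample log, in the form clog prints it (syslog prefix + CSV record).
SAMPLE_LOG='Dec 14 10:00:01 fw filterlog: 5,,,1000000103,igb1,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,203.0.113.10,198.51.100.2,51234,22,0,S,1234567890,,65535,,mss;nop;wscale;sackOK;TS
Dec 14 10:00:02 fw filterlog: 9,,,1000000105,igb0,match,pass,out,4,0x0,,64,0,0,none,17,udp,68,192.0.2.5,192.0.2.1,53211,53,48
Dec 14 10:00:03 fw filterlog: 5,,,1000000103,igb1,match,block,in,6,0x00,0x00000,64,tcp,6,40,2001:db8::10,2001:db8::1,40000,443,0,S,1,,65535,,
Dec 14 10:00:04 fw filterlog: 5,,,1000000103,igb1,match,block,in,4,0x0,,64,0,0,none,1,icmp,84,203.0.113.10,198.51.100.2,request,1234,5'

# Stand-alone demo: one summary line per record, then a per-source count.
printf '%s\n' "$SAMPLE_LOG" | while IFS= read -r l; do parse_filterlog_line "$l"; done
printf 'blocked inbound from 203.0.113.10: %s\n' \
    "$(printf '%s\n' "$SAMPLE_LOG" | count_blocked_from 203.0.113.10)"
```

On a workstation, feed it a log exported from the firewall (`clog /var/log/filter.log > filter.txt`, then pipe `filter.txt` into `count_blocked_from`); records with an IP version the parser does not know are reported on stderr and skipped rather than miscounted.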
Console Menu Tasks
● 12) PHP Shell + pfSense tools
– Starts an interactive PHP shell that runs in a similar context to the firewall GUI
– Will cover more later
● 13) Update from the console
– Attempts to run an OS update, the same as from the GUI
● 14) Enable/Disable Secure Shell
– Toggles the state of the SSH daemon, as covered earlier
Console Menu Tasks
● 15) Restore Recent Configuration
– Similar to the configuration history in the GUI
– Lists recent configuration changes and offers to restore older configurations
– Useful for stepping back to a working configuration after a change that had a negative impact
– Does not apply changes, needs a reboot to fully take effect
● 16) Restart PHP-FPM
– Stops and restarts the daemon which handles PHP processes for nginx
– If the GUI web server process is running but unable to execute PHP scripts, invoke this option
– Helps restore GUI access when it fails with 5xx nginx errors such as 502 / “Bad Gateway”
Console Menu Tasks
● Option 99 (SG-1000 booted from SD card only)
– When running certain images on the SG-1000 loaded to an SD card, this option is present on the menu
– When invoked, it copies the running system to the eMMC
– After it completes, power off the firewall and remove the SD card to run from eMMC
● Hidden menu option 100
– Launches “links”, a command-line text-based web browser, and attempts to connect to the firewall GUI
– No JS support, so use is limited
– After login, press ‘g’ and go to the firewall URL /index.php
Using the PHP Shell
● Obligatory “Danger this is unsupported and could break stuff” warning
● Console menu option 12 invokes the PHP Shell
● Can interact with the configuration and the running system as a whole
● Primarily useful to developers and very advanced users
● Runs in a context similar to the GUI
– Can read the configuration from $config, globals from $g, and so on.
– Can write the configuration if necessary
– “Apply” action is trickier, would need to call specific functions directly, so not recommended
● Supports session recording and playback, playback is the most useful feature
● pfSense ships with a number of useful default playback scripts
PHP Shell – Running Commands
● Type “help” for command examples and information
● Each block of commands must be followed by “exec” on a new line to execute the code
● Type “exit” or use CTRL-C to return to the menu
● Example that dumps the LAN DHCP settings:
pfSense Shell: var_dump($config['dhcpd']['lan']);
pfSense Shell: exec
PHP Shell – Playback Scripts
● Use from option 12 with “playback <scriptname> [options]”
● Use from the shell with: “pfSsh.php playback <scriptname> [options]”
● Some playback scripts have options, others do not
– Most are coded friendly enough to print a help message if they need options that are not given
PHP Shell – Playback Scripts
● changepassword
– Changes the password for a user
● Username can be supplied as an optional argument, will prompt if nothing is given
– Resets account properties if it is disabled or expired
● enablecarp / disablecarp
– Enable/disable CARP functions for troubleshooting purposes, same as the GUI button
– Does not persist
● enablecarpmaint / disablecarpmaint
– Enters/exits CARP maintenance mode, same as the GUI button
– Persists across reboots
– Demotes unit, does not disable CARP
● disabledhcpd
– Removes all DHCP server configuration from all interfaces on the firewall and stops the DHCP service
● disablereferercheck
– Disables HTTP_REFERER verification
– Useful when the GUI cannot be reached due to the method used by the client
PHP Shell – Playback Scripts
● enableallowallwan
– Adds an “allow all” rule to the WAN, meant as a VERY temporary measure to regain access to the GUI in cases when the LAN is unavailable
– Primarily used with lab virtual machines that have disconnected LANs or no LAN-side client available
● enablesshd
– Enables the SSH daemon, same as the GUI checkbox or the console menu option
● externalconfiglocator
– Invokes the external configuration locator which attempts to find a config.xml on an attached removable disk
● gatewaystatus
– Prints the gateway status formatted for the terminal (New in 2.4)
● generateguicert
– Generates and activates a new certificate for the GUI using the current firewall hostname and other parameters
– Very useful for generating new certificates to replace old GUI certificates from 2.0.x and earlier that had generic properties, which now cause problems in Firefox
● gitsync
– A complex script used to copy down recent commits from github to the firewall to catch up on changes
– Primarily useful for tracking small code changes between development snapshots
– Does not update binaries, use with caution
PHP Shell – Playback Scripts
● installpkg / listpkg / uninstallpkg
– Manipulates packages
– Not useful on 2.3+ as using “pkg” directly has the same effect
● pfanchordrill
– Recursively searches through pf anchors and prints any NAT or firewall rules it finds
– Useful for debugging services that rely on anchors like UPnP or relayd
● pftabledrill
– Prints the contents of all pf tables (aliases, built-in tables, etc)
– Useful for finding an address across all aliases, especially with dynamic aliases (FQDNs, URL tables, etc)
● removepkgconfig
– Removes all package configuration from config.xml but does not uninstall packages
– Can return config.xml to a usable state, but the OS packages can mismatch
PHP Shell – Playback Scripts
● removeshaper
– Removes all ALTQ queues and rules generated by the shaper wizard
– Useful if the ALTQ configuration is causing problems with network connectivity and the GUI cannot be reached
● resetwebgui
– Resets the GUI theme, dashboard widgets, and menu configuration back to default
● restartdhcpd
– Stops and starts the DHCP daemon
● restartipsec
– Reloads the strongSwan configuration for IPsec
PHP Shell – Playback Scripts
● svc
– Controls services similar to Status > Services in the GUI
– playback svc <action> <service name> [service-specific options]
– The action can be stop, start, or restart.
– The service name is the name of the service as found under Status > Services. If the name includes a space, enclose the name in quotes.
– The service-specific options vary depending on the service; they are used to uniquely identify services with multiple instances, such as OpenVPN or Captive Portal entries.
– Examples:
● Stop bsnmpd:
– pfSsh.php playback svc stop bsnmpd
● Restart OpenVPN server with ID 1:
– pfSsh.php playback svc restart openvpn server 1
● Start the Captive Portal process for zone “Guests”:
– pfSsh.php playback svc start captiveportal Guests
Using the tcsh Shell
● Obligatory “Danger this is unsupported and could break stuff” warning
● A majority of common utilities are present and can be used for troubleshooting or gathering information, among other uses
● The shell invoked from console menu option 8 is tcsh and those familiar with FreeBSD will be at home, with some caveats
– Some common shell utilities are not present due to size and/or security constraints
– No compiler environment
– No man/info pages
– Do not attempt to make permanent changes to daemon configurations as they will likely be overwritten by pfSense when settings are synchronized or at the next reboot
● Consult FreeBSD or general UNIX shell documentation for specifics
Using the tcsh Shell
● Bash is also available via “pkg add bash” if desired
● Do not use the firewall as a general purpose UNIX shell server, only allow shell access to firewall administrators
● Use the sudo package to grant non-root users access to run programs as root
● Files can be copied to/from the firewall using scp with the “root” user
– FileZilla or the command line scp are the best clients
Conclusion
● Questions?
● Ideas for hangout topics? Post on forum, comment on the blog posts, Reddit, etc

Boost PC performance: How more available memory can improve productivity
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 

Console Menu - pfSense Hangout December 2016

5. Physical Console Configuration
● Video console is always enabled if present
● Serial console may need to be enabled manually unless it is the only console
● System > Advanced, Admin Access tab
– Serial Communications section
● Serial Terminal, check to enable
– Box is hidden for devices that only have serial or which have serial forced on
● Serial Speed
– No reason to use anything other than 115200 these days
● Primary Console
– Kernel boot messages will go to all configured hardware consoles (video, serial)
– Once the kernel passes off control to the OS boot scripts, only the primary console will receive output (e.g. pfSense boot output)
– If the output stops after “Mounting root...” without a prompt, odds are you are not looking at the primary console
– If an error is encountered during boot, such as interfaces needing reassignment, only the primary console can be used to correct the problem
– After bootup completes, all consoles receive a menu

6. SSH Console Access Setup
● System > Advanced, Admin Access tab, Secure Shell section
● Or use console menu option 14 if you have access to the video or serial console
● Check Enable Secure Shell
– The firewall will generate SSH keys for the ssh daemon, which can take some time
● On SG-1000, this process can take about a minute and a half
● Authentication Method
– Unchecked, passwords can be used
● All account passwords should be strong!
● Do not expose SSH to the Internet with password authentication allowed!
– Checked, ssh keys are required for all accounts
● Immune to brute force attacks but requires more complex setup and management
● Keys must be generated on the client (e.g. with ssh-keygen) and then pasted into the account settings
● SSH port, defaults to 22
– Moving the port does not offer a significant security advantage on its own
● Add firewall rules to allow access
– Do not expose SSH to the world if you can help it!

7. Accessing the Console Menu – Keyboard/Video
● Turn on the monitor, use the keyboard (simple)
● Switch to the KVM port, etc.
● May also be accessible using IPMI, DRAC, iLO or similar, depending on the hardware

8. Accessing the Console Menu – Serial Console
● Connect the serial cable to the client
– If it is a USB/Serial cable, ensure it was detected properly by the OS
– Install drivers if necessary
● Locate the proper client serial port
– On Windows, check Device Manager
● PC Name > Ports (COM & LPT), [Name/Type] (COMx)
● Physical DB9 port is likely COM1, maybe COM2
● Typically COM3, COM4, or COM5 for USB
– Linux
● Check log/dmesg output, most likely it is /dev/ttyUSBx
– FreeBSD
● Check log/dmesg output, most likely it is /dev/cuaUx
– Mac
● Varies by serial cable OEM/type
● SG devices use /dev/cu.SLAB_USBtoUART

9. Accessing the Console Menu – Serial Console
● Speed must match the speed configured on the previous page
● Client serial port settings:
– Most clients use these settings by default, such as PuTTY and screen
– 8 data bits
– No parity
– 1 stop bit
– Flow Control: XON/XOFF or disabled
● RTS/CTS flow control must not be used!
● See also: https://portal.pfsense.org/docs/manuals/reference/sg-series-serial-console.html

10. Accessing the Console Menu – Serial Console
● Windows
– Serial clients: PuTTY or SecureCRT
● PuTTY download URL: http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
● Open PuTTY
– Select Serial for Connection Type
– Enter the COM port in Serial Line, such as COM3, COM5, etc.
– DO NOT USE HYPERTERMINAL!
● Linux
– Serial clients: screen, PuTTY, minicom, or dterm
– sudo screen /dev/ttyUSB0 115200
● FreeBSD
– Serial clients: screen, cu, or tip
– sudo screen /dev/cuaU0 115200
● Mac
– Serial clients: screen, Zterm, or cu
– sudo screen /dev/cu.SLAB_USBtoUART 115200
– May need -U passed to screen to work around character encoding issues

11. Accessing the Console Menu – SSH
● Windows
– Clients: PuTTY, SecureCRT, mRemoteNG, cygwin CLI ssh, 10AU+Ubuntu Bash CLI ssh
● Linux/FreeBSD
– Clients: PuTTY, CLI ssh, PAC
● Mac
– Clients: Terminal, iTerm2
● Client must be recent and support the key exchange, cipher, and MAC requirements on pfSense
● From the CLI it’s the same on any OS:
– ssh username@192.168.1.1
● GUI clients must be set to connect to the firewall IP address on the correct port, with the expected username
● For key-based authentication, consult the client documentation
● If the client does not work, update it and try again
– Current versions of PuTTY, SecureCRT, and others work well, older versions do not

12. Console Menu Tasks
● 0) Logout (SSH Only)
– Ends the current SSH session
– Pressing Enter without entering an option will also close the SSH session, as will using CTRL-D

13. Console Menu Tasks
● 1) Assign Interfaces
– Prompts the user to wipe the existing interface configuration and start over with new interface assignments
– This is the same procedure that is triggered during boot when the available physical/virtual interfaces do not match the assigned interfaces
– Can create VLANs, but not other special interface types (e.g. LAGG)
– Lists all available interfaces and VLANs for assignment
● For physical interfaces, MAC addresses are printed in the list
– At least one interface must be assigned (WAN)
– Press Enter without typing an interface name to stop

14. Console Menu Tasks
● 2) Set interface(s) IP address
– Set an IP address for any firewall interface
– Can configure static addresses or DHCP
– For static addresses:
● Prompts for the IP address, subnet mask, and optional gateway
● Prompts to enable or disable DHCP service for an interface, and to set the DHCP IP address range if it is enabled
– If the firewall GUI is configured for HTTPS, the menu prompts to switch to HTTP in case SSL is not functional
– Enables the anti-lockout rule in case the user has been locked out of the GUI

15. Console Menu Tasks
● 3) Reset webConfigurator Password
– Resets the admin account password back to “pfsense”
– If the GUI authentication source is RADIUS/LDAP, the script prompts to reset it to Local Database
– If the admin account has been removed, the script re-creates the account
– If the admin account is disabled, the script re-enables the account

16. Console Menu Tasks
● 4) Reset to factory defaults
– Restores the system configuration back to its factory default (/conf.default/config.xml)
– Attempts to remove non-default packages
– Does not make any filesystem changes
– A wipe and reload may be a better choice if anything other than the configuration needs to be reset

17. Console Menu Tasks
● 5) Reboot system
– Shuts down the firewall cleanly and performs a clean restart
– 2.4 adds a few new options:
● Reboot normally
● Reroot
– A quicker restart that doesn’t reload the kernel
– Kills processes, remounts filesystems, runs the startup sequence
● Reboot into Single User Mode
– Needs console access
● Reboot and run a filesystem check
– Runs fsck on the root slice 5x

18. Console Menu Tasks
● 6) Halt System
– Cleanly shuts down the firewall
– Stops all processes
– Synchronizes all filesystems
– Attempts to power off the firewall if the hardware is capable
– Always use this option or its GUI equivalent when turning off the firewall
● Never abruptly disconnect power!

19. Console Menu Tasks
● 7) Ping Host
– Sends three ICMP echo requests to a target and displays the results
– When passed an IPv4 address or a hostname, it uses ping
– When passed an IPv6 address, it uses ping6
● 8) Shell
– Starts a tcsh shell and presents a shell prompt
– Will cover this more later

20. Console Menu Tasks
● 9) pfTop
– Invokes pfTop for a real-time view of firewall state table activity
– Has a variety of views to help spot connections passing a lot of data, for example
– Use 0-8 to select a view directly
– The view can be sorted in a variety of ways
– Press ? to see help, which shows all of the keyboard shortcuts
21. Console Menu Tasks
● 10) Filter Logs
– Runs (essentially) a “tail” on the filter log file
– Log entries are presented in raw format
● https://doc.pfsense.org/index.php/Filter_Log_Format_for_pfSense_2.2
– For a simpler real-time view, run this from the shell:
● clog -f /var/log/filter.log | filterparser.php
● 11) Restart webConfigurator
– Restarts the nginx instance that runs the WebGUI
– Usually needs option 16 run as well to restart PHP-FPM
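As an added example (not from the slides or from pfSense itself), a small sh/awk filter that turns the raw 2.2+ filter log lines shown by option 10 into one readable line each, plus a tally of blocked inbound sources; the field positions are assumed from the pfSense filter log format document, and the sample lines are constructed:

```shell
#!/bin/sh
# Added example, not code from the hangout slides or from pfSense itself.
# Condenses raw pfSense 2.2+ filter log lines (what console menu option 10
# shows) into one readable line each, without needing filterparser.php.
# Field layout is assumed from the pfSense filter log format document:
#   1 rule, 2 sub-rule, 3 anchor, 4 tracker, 5 interface, 6 reason,
#   7 action, 8 direction, 9 IP version, then
#   IPv4: tos, ecn, ttl, id, offset, flags, proto id, proto name, length, src, dst
#   IPv6: class, flow label, hop limit, proto name, proto id, length, src, dst
#   TCP/UDP: src port, dst port, data length (TCP adds flags, seq, ack, ...)

# Constructed sample lines (not captured from a real firewall).
SAMPLE_LOG='Dec 15 10:23:01 fw filterlog: 5,,,1000000103,igb0,match,block,in,4,0x0,,64,12345,0,DF,6,tcp,60,192.0.2.10,198.51.100.5,51234,22,0,S,1234567890,,65535,,mss;sackOK;TS;nop;wscale
Dec 15 10:23:02 fw filterlog: 6,,,1000000104,igb1,match,pass,out,4,0x0,,64,0,0,DF,17,udp,64,192.168.1.20,192.168.1.1,49000,53,44
Dec 15 10:23:03 fw filterlog: 5,,,1000000103,igb0,match,block,in,6,0x00,0x00000,64,tcp,6,40,2001:db8::10,2001:db8::1,40000,443,0,S,1,,1024,,
Dec 15 10:23:04 fw filterlog: 5,,,1000000103,igb0,match,block,in,4,0x0,,64,0,0,none,17,udp,78,192.0.2.10,198.51.100.5,55000,161,58'

# Read raw filterlog lines on stdin, print "action dir on iface proto src -> dst rule=N".
summarize_filterlog() {
    awk '
    {
        i = index($0, "filterlog: ")
        if (i == 0) next                    # not a filterlog entry
        split(substr($0, i + 11), f, ",")   # CSV payload after the prefix
        iface = f[5]; act = f[7]; dir = f[8]; ver = f[9]
        if (ver == "4") {
            proto = f[17]; src = f[19]; dst = f[20]; base = 20
        } else if (ver == "6") {
            proto = f[13]; src = "[" f[16] "]"; dst = "[" f[17] "]"; base = 17
        } else next
        if (proto == "tcp" || proto == "udp") {
            src = src ":" f[base + 1]
            dst = dst ":" f[base + 2]
        }
        extra = ""
        if (proto == "tcp") extra = " flags=" f[base + 4]
        printf "%s %s on %s %s %s -> %s rule=%s%s\n", act, dir, iface, proto, src, dst, f[1], extra
    }'
}

# Tally blocked inbound sources from summarized output, printing "count source".
top_blocked_sources() {
    awk '$1 == "block" && $2 == "in" { sub(/:[0-9]+$/, "", $6); print $6 }' \
        | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

printf '%s\n' "$SAMPLE_LOG" | summarize_filterlog
printf '%s\n' "$SAMPLE_LOG" | summarize_filterlog | top_blocked_sources
```

On a live firewall the same functions can be fed with `clog -f /var/log/filter.log` from the shell in place of the constructed sample.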
22. Console Menu Tasks
● 12) PHP Shell + pfSense tools
– Starts an interactive PHP shell that runs in a similar context to the firewall GUI
– Will cover more later
● 13) Update from the console
– Attempts to run an OS update, the same as from the GUI
● 14) Enable/Disable Secure Shell
– Toggles the state of the SSH daemon, as covered earlier

23. Console Menu Tasks
● 15) Restore Recent Configuration
– Similar to the configuration history in the GUI
– Lists recent configuration changes and offers to restore older configurations
– Useful for stepping back to a working configuration after a change that had a negative impact
– Does not apply changes, needs a reboot to fully take effect
● 16) Restart PHP-FPM
– Stops and restarts the daemon which handles PHP processes for nginx
– If the GUI web server process is running but unable to execute PHP scripts, invoke this option
– Helps restore GUI access when it fails with 5xx nginx errors such as 502 / “Bad Gateway”

24. Console Menu Tasks
● Option 99 (SG-1000 booted from SD card only)
– When running certain images on the SG-1000 loaded to an SD card, this option is present on the menu
– When invoked, it copies the running system to the eMMC
– After it completes, power off the firewall and remove the SD card to run from eMMC
● Hidden menu option 100
– Launches “links”, a command-line text-based web browser, and attempts to connect to the firewall GUI
– No JS support, so use is limited
– After login, press ‘g’ and go to the firewall URL /index.php

25. Using the PHP Shell
● Obligatory “Danger, this is unsupported and could break stuff” warning
● Console menu option 12 invokes the PHP Shell
● Can interact with the configuration and the running system as a whole
● Primarily useful to developers and very advanced users
● Runs in a context similar to the GUI
– Can read the configuration from $config, globals from $g, and so on.
– Can write the configuration if necessary
– “Apply” action is trickier, would need to call specific functions directly, so not recommended
● Supports session recording and playback, playback is the most useful feature
● pfSense ships with a number of useful default playback scripts

26. PHP Shell – Running Commands
● Type “help” for command examples and information
● Each block of commands must be followed by “exec” on a new line to execute the code
● Type “exit” or use CTRL-C to return to the menu
● Example that dumps the LAN DHCP settings:
pfSense Shell: var_dump($config['dhcpd']['lan']);
pfSense Shell: exec

27. PHP Shell – Playback Scripts
● Use from option 12 with “playback <scriptname> [options]”
● Use from the shell with: “pfSsh.php playback <scriptname> [options]”
● Some playback scripts have options, others do not
– Most are coded friendly enough to print a help message if they need options that are not given

28. PHP Shell – Playback Scripts
● changepassword
– Changes the password for a user
● Username can be supplied as an optional argument, will prompt if nothing is given
– Resets account properties if it is disabled or expired
● enablecarp / disablecarp
– Enable/disable CARP functions for troubleshooting purposes, same as the GUI button
– Does not persist
● enablecarpmaint / disablecarpmaint
– Enters/exits CARP maintenance mode, same as the GUI button
– Persists across reboots
– Demotes the unit, does not disable CARP
● disabledhcpd
– Removes all DHCP server configuration from all interfaces on the firewall and stops the DHCP service
● disablereferercheck
– Disables HTTP_REFERER verification
– Useful when the GUI cannot be reached due to the method used by the client

29. PHP Shell – Playback Scripts
● enableallowallwan
– Adds an “allow all” rule to the WAN, meant as a VERY temporary measure to regain access to the GUI in cases when the LAN is unavailable
– Primarily used with lab virtual machines that have disconnected LANs or no LAN-side client available
● enablesshd
– Enables the SSH daemon, same as the GUI checkbox or the console menu option
● externalconfiglocator
– Invokes the external configuration locator, which attempts to find a config.xml on an attached removable disk
● gatewaystatus
– Prints the gateway status formatted for the terminal (new in 2.4)
● generateguicert
– Generates and activates a new certificate for the GUI using the current firewall hostname and other parameters
– Very useful for generating new certificates to replace old GUI certificates from 2.0.x and earlier that had generic properties, which now cause problems in Firefox
● gitsync
– A complex script used to copy down recent commits from GitHub to the firewall to catch up on changes
– Primarily useful for tracking small code changes between development snapshots
– Does not update binaries, use with caution

30. PHP Shell – Playback Scripts
● installpkg / listpkg / uninstallpkg
– Manipulates packages
– Not useful on 2.3+ as using “pkg” directly has the same effect
● pfanchordrill
– Recursively searches through pf anchors and prints any NAT or firewall rules it finds
– Useful for debugging services that rely on anchors, like UPnP or relayd
● pftabledrill
– Prints the contents of all pf tables (aliases, built-in tables, etc.)
– Useful for finding an address across all aliases, especially with dynamic aliases (FQDNs, URL tables, etc.)
● removepkgconfig
– Removes all package configuration from config.xml but does not uninstall packages
– Can return config.xml to a usable state, but the OS packages can mismatch

31. PHP Shell – Playback Scripts
● removeshaper
– Removes all ALTQ queues and rules generated by the shaper wizard
– Useful if the ALTQ configuration is causing problems with network connectivity and the GUI cannot be reached
● resetwebgui
– Resets the GUI theme, dashboard widgets, and menu configuration back to default
● restartdhcpd
– Stops and starts the DHCP daemon
● restartipsec
– Reloads the strongSwan configuration for IPsec

32. PHP Shell – Playback Scripts
● svc
– Controls services similar to Status > Services in the GUI
– playback svc <action> <service name> [service-specific options]
– The action can be stop, start, or restart.
– The service name is the name of the service as found under Status > Services. If the name includes a space, enclose the name in quotes.
– The service-specific options vary depending on the service; they are used to uniquely identify services with multiple instances, such as OpenVPN or Captive Portal entries.
– Examples:
● Stop bsnmpd:
– pfSsh.php playback svc stop bsnmpd
● Restart OpenVPN server with ID 1:
– pfSsh.php playback svc restart openvpn server 1
● Start the Captive Portal process for zone “Guests”:
– pfSsh.php playback svc start captiveportal Guests

33. Using the tcsh Shell
● Obligatory “Danger, this is unsupported and could break stuff” warning
● A majority of common utilities are present and can be used for troubleshooting or gathering information, among other uses
● The shell invoked from console menu option 8 is tcsh, and those familiar with FreeBSD will be at home, with some caveats
– Some common shell utilities are not present due to size and/or security constraints
– No compiler environment
– No man/info pages
– Do not attempt to make permanent changes to daemon configurations, as they will likely be overwritten by pfSense when settings are synchronized or at the next reboot
● Consult FreeBSD or general UNIX shell documentation for specifics

34. Using the tcsh Shell
● Bash is also available via “pkg add bash” if desired
● Do not use the firewall as a general purpose UNIX shell server, only allow shell access to firewall administrators
● Use the sudo package to grant non-root users access to run programs as root
● Files can be copied to/from the firewall using scp with the “root” user
– FileZilla or the command line scp are the best clients

35. Conclusion
● Questions?
● Ideas for hangout topics? Post on the forum, comment on the blog posts, Reddit, etc.