12 Replies Latest reply on Aug 8, 2012 4:39 PM by Steve Welsh

    Backup running config for OpenBSD PF Firewall

    kbuller

      Hello,

       

      I've been trying to get Kiwi Cattools to download the PF config file from an OpenBSD system. I have managed to get Kiwi Cattools to login to the machine via ssh but then it throws this cryptic error to the log:

       

      Login results = VTY: Failed, Enable: N/A, HostID: N/A

       

      Just hoping someone can guide me in the right direction. The help files say that the debug mode will help troubleshoot the problem. I'm not sure what to look for in the log. This is the output I get when I try the test login command:

       

      <NEWSESSION CatTools 3.5.0 7/10/2012 7:05:58 PM>

      <PROTOCOL=SSH2>

      <DEVICE TYPE=OpenBSD.PF.Firewall>

      <ACTIVITY TYPE=Device.ConnectivityTest.Login>

      <ACTIVITY SCRIPT=C:\Program Files\CatTools3\Scripts\Client.Device.ConnectivityTest.Login.txt>

      <USERS NAME FOR DEVICE=DSFW>

      <C OK 7:05:58 PM><R-7:05:58 PM>Last login: Tue Jul 10 18:09:13 2012 from 10.100.101.248[13][13][10]OpenBSD 5.1 (GENERIC.MP) #207: Sun Feb 12 09:42:14 MST 2012[13][10][13][10]Welcome to OpenBSD: The proactively secure Unix-like operating system.[13][10][13][10]Please use the sendbug(1) utility to report bugs in the system.[13][10]Before reporting a bug, please try to reproduce it with the latest[13][10]version of the code.  With bug reports, please try to ensure that[13][10]enough information to reproduce the problem is enclosed, and if a[13][10]known fix for it exists, include that as well.[13][10][13][10][13][27][3g        [27]H        [27]H        [27]H        [27]H        [27]H        [27]H        [27]H        [27]H        [27]H[13][13]<W-7:05:58 PM>[13]<R-7:05:58 PM>[13][10]<R-7:05:59 PM># [13][13][10]# <D 7:05:59 PM>

      <SCRIPT VALUES>

      <HOSTNAME="">

      <PROMPT VTY="">

      <PROMPT ENABLE="">

      <PROMPT CONFIG="">

       

      On the line that starts out '<C OK', that includes the login banner that the system gives so I know it's getting logged in. After login, the prompt is just a "#" and I also see that on that line twice towards the end. These are the variables I have set in the script file for that device:

       

      Private Const DEVICE_STANDARDPROMPT = "#"

      Private Const DEVICE_PRIVILEGEDPROMPT = "#"

      Private Const DEVICE_CONFIGPROMPT = "#"

       

      Is it having trouble picking up on the # prompt?

       

      I appreciate any help. Thanks!

        • Re: Backup running config for OpenBSD PF Firewall
          Steve Welsh

          Hi,


          I'm presuming you are creating your own custom script here for the OpenBSD.PF.Firewall as it does not appear to be an "out-the-box" CatTools device type?


          From what I can tell from the debug log above, the device only requires SSH credentials to create a secure connection and there is no subsequent device authentication required post the successful SSH connection.


          What may therefore be happening is your script is trying to run the device authentication code (LoginStd or LoginAAA) after the LoginSSH()  function has returned 'true' status.


          I also noticed that there are a lot of ANSI Escape character sequence characters being returned by your device (which can cause parsing issues for CatTools).


          If you add the line:

             cl.StripVT100ESC = 1

          within the login() function (probably best after the cl.Initialise call and before the LoginSSH() function call) this will strip these characters out of the CatTools response buffer.



          Just one last thing. Did you try the Generic.Device device type in CatTools at all? Most of these types of issues can be overridden with the Device Variations feature which is implemented with the Generic.Device (although depending on what commands are required for the backup of the OpenBSD.PF.Firewall, the Generic.Device may not quite work - but it's probably worth giving it a try).


          Steve


            • Re: Backup running config for OpenBSD PF Firewall
              kbuller

              Hi Steve,

               

              Yes, I am creating a custom device and script.

               

              Here's the debug output from trying General.Device:

               

              <NEWSESSION CatTools 3.5.0 7/10/2012 10:11:20 PM>

              <PROTOCOL=SSH2>

              <DEVICE TYPE=Generic.Device>

              <ACTIVITY TYPE=Device.ConnectivityTest.Login>

              <ACTIVITY SCRIPT=C:\Program Files\CatTools3\Scripts\Client.Device.ConnectivityTest.Login.txt>

              <USERS NAME FOR DEVICE=DSFWTEST>

              <C OK 10:11:21 PM><R-10:11:21 PM>Last login: Tue Jul 10 21:15:54 2012 from 10.100.101.248[13][13][10]OpenBSD 5.1 (GENERIC.MP) #207: Sun Feb 12 09:42:14 MST 2012[13][10][13][10]Welcome to OpenBSD: The proactively secure Unix-like operating system.[13][10][13][10]Please use the sendbug(1) utility to report bugs in the system.[13][10]Before reporting a bug, please try to reproduce it with the latest[13][10]version of the code.  With bug reports, please try to ensure that[13][10]enough information to reproduce the problem is enclosed, and if a[13][10]known fix for it exists, include that as well.[13][10][13][10][13]                                                                        [13][13]<W-10:11:21 PM>[13]<R-10:11:21 PM>[13][10]<R-10:11:22 PM># [13][13][10]# <D 10:11:22 PM>

              <SCRIPT VALUES>

              <HOSTNAME="">

              <PROMPT VTY="">

              <PROMPT ENABLE="">

              <PROMPT CONFIG="">

               

              It looks very similar to the output I get from my custom script. The only difference I can see is the removal of the string of [27]H 's and replaced with white space. I added cl.StripVT100ESC = 1 where you suggested in the script and it actually produced the same output that the Generic.Device did (removal of the [27]H 's)

               

              In regards to Generic.Device and the commands to get the config, all I need it to do is run "cat /etc/pf.conf" to get the firewall config.

               

              Is there anything else I can try?

               

              And thanks for the help! I really appreciate it, I've been struggling with this thing for a while.

                • Re: Backup running config for OpenBSD PF Firewall
                  Steve Welsh

                  Aha, so it's a Linux based kernel?

                   

                  I think the Generic.Device may get you there, but you'll need to add a few overrides in the Variations as Generic.Device is written based on Cisco IOS.

                   

                  In the Device.Backup.Running Config activity, enter your cat /etc/pf.conf command in the Use alternate command: field in the activity Options tab.

                  You'll probably also need to override some script default values within the variations feature.

                   

                  In the Modify Output variation tab, select all the Strip... options.

                  In the Additional Commands variation tab, select the Disable paging and Enable paging options and clear out the adjacent text fields so they are empty. This will prevent the Generic Device script from sending the 'terminal length 0' and 'terminal length 24' commands to disable and re-enable paging.

                   

                  Let me know how this works out.

                   

                  Steve

                    • Re: Backup running config for OpenBSD PF Firewall
                      kbuller

                      Yes, OpenBSD is a Unix/Linux variant.

                       

                      I found the check box to use an alternate command. I wasn't able to find the other settings you mentioned. I'm using version 3.5.0 of Cattools. Are those options available in that version?

                       

                      I turned off the paging in my custom OpenBSD.PF.Firewall script. Here's the variables section of the script, do these settings look right?

                       

                      Private Const SCRIPT_NAME = "Device Template"

                      Private Const DEVICE_USERNAMEPROMPT = "login as:"

                      Private Const DEVICE_PASSWORDPROMPT = "root's password:"

                      Private Const DEVICE_STANDARDPROMPT = "#"

                      Private Const DEVICE_PRIVILEGEDPROMPT = ""

                      Private Const DEVICE_CONFIGPROMPT = ""

                      Private Const DEVICE_MORETEXT = ":"

                       

                      Private Const DEVICE_INVALIDCOMMAND = ""    ' Get this by typing BlahBlahBlah<cr>

                      Private Const DEVICE_INCOMPLETECOMMAND = ""        ' Get this by typing Copy<cr>

                      Private Const DEVICE_YESNOTEXT = ""

                      Private Const DEVICE_CONFIGHEADERTEXT = ""    ' Text to trim off the top of a config output before saving it.  Set to "" if no header to remove.

                       

                      ' If device does not have a command then set to ""

                      Private Const COMMAND_ENTERENABLEMODE = ""

                      Private Const COMMAND_EXITENABLEMODE = ""

                      Private Const COMMAND_ENTERCONFIG = ""

                      Private Const COMMAND_EXITCONFIG = ""

                      Private Const COMMAND_DISABLEPAGING = ""

                      Private Const COMMAND_ENABLEPAGING = "" ' Set back to the device default of 24 lines per page

                      Private Const COMMAND_RUNNINGCONFIG = "cat /etc/pf.conf"

                      Private Const COMMAND_STARTUPCONFIG = "cat /etc/pf.conf"

                      Private Const COMMAND_SAVENVRAM = ""

                      Private Const COMMAND_DISCONNECT = "exit"  ' * The command used to end the session on the device (logout/logoff/exit, etc.)

                      Private Const COMMAND_TIMEOUT = 30  ' in seconds.  It is not recommended you alter this default value.

                       

                      Thanks,

                      Kevin

                        • Re: Backup running config for OpenBSD PF Firewall
                          kbuller

                          Is there anything else I can do or a work around to this problem? I'm about to give up and pursue another option like Rancid.

                            • Re: Backup running config for OpenBSD PF Firewall
                              Steve Welsh

                              Hi Kevin,

                               

                              The other options I was referring to above are specifically in the Device Variations feature which was implemented in CatTools v3.5.0, but only for the Generic.Device device type.

                               

                              Can you try using the Generic.Device device type for your device and set the variations as I mentioned above (and the 'Use alternate command' option too for the Device.Backup.Running Config activity), and see how you go.

                               

                              Device Variations is a device specific feature, whereas the 'Use alternate command' option is activity specific (as you have found).

                               

                              Please post back if this works.

                               

                              Steve

                                • Re: Backup running config for OpenBSD PF Firewall
                                  kbuller

                                  Thanks for the reply Steve. I got the variations config figured out. I had to add a variations file in the variations directory (no tab exists like in that help document for v3.5). Good news is that got me past the login problem. Now when I try to run the device backup, I get this output:

                                   

                                  Screen Shot 2012-07-15 at 2.30.23 PM.png

                                   

                                  This is what I get in the debug log after running it, the config does come across (I had to truncate that section though).

                                   

                                  <NEWSESSION CatTools 3.5.0 7/15/2012 2:24:18 PM>

                                  <PROTOCOL=SSH2>

                                  <DEVICE TYPE=Generic.Device>

                                  <ACTIVITY TYPE=Device.Backup.Running Config>

                                  <ACTIVITY SCRIPT=C:\Program Files\CatTools3\Scripts\Client.Device.Backup.Running Config.txt>

                                  <USERS NAME FOR DEVICE=TEST>

                                  <C OK 2:24:18 PM><R-2:24:18 PM>Last login: Sun Jul 15 13:27:53 2012 from 10.100.101.248[13][13][10]OpenBSD 5.1 (GENERIC.MP) #207: Sun Feb 12 09:42:14 MST 2012[13][10][13][10]Welcome to OpenBSD: The proactively secure Unix-like operating system.[13][10][13][10]Please use the sendbug(1) utility to report bugs in the system.[13][10]Before reporting a bug, please try to reproduce it with the latest[13][10]version of the code.  With bug reports, please try to ensure that[13][10]enough information to reproduce the problem is enclosed, and if a[13][10]known fix for it exists, include that as well.[13][10][13][10][13][27][3g        [27]H        [27]H        [27]H        [27]H        [27]H        [27]H        [27]H        [27]H        [27]H[13][13]<W-2:24:19 PM>cat /etc/pf.conf<R-2:24:19 PM>cat /etc/pf.conf<W-2:24:19 PM>[13]<R-2:24:19 PM>[13][10]<R-2:24:19 PM># cat /etc/pf.conf[13][13][10]#       $OpenBSD: pf.conf,v 1.50 2011/04/28 00:19:42 mikeb Exp $[13][10]#[13][10]# See pf.conf(5) for syntax and examples.[13][10]# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1[13][10]# in /etc/sysctl.conf if packets are to be forwarded between interfaces# Block all other traffic not specified in rules[13][10]block in log on $ExtIf[13][10]block out log on $ExtIf[13][10]# <W-2:24:20 PM> <R-2:24:20 PM>

                                  ================================================================================

                                  WFMDRetVal=1 Waiting for: ":"

                                  WFMDRetVal=18 Waiting for: "#"

                                  WFMDRetVal=19 Waiting for: "#"

                                  WFMDRetVal=20 Waiting for: "#"

                                  WFMDBuffer=" "

                                  ================================================================================

                                  <W-2:24:50 PM>exit[13]<D 2:24:50 PM>

                                  <SCRIPT VALUES>

                                  <HOSTNAME="">

                                  <PROMPT VTY="#">

                                  <PROMPT ENABLE="#">

                                  <PROMPT CONFIG="#">

                                   

                                  This is what I put in the variations file:

                                   

                                  DEVICE_USERNAMEPROMPT = "login as:"

                                  DEVICE_PASSWORDPROMPT = "root's password:"

                                  DEVICE_STANDARDPROMPT = "# "

                                  DEVICE_PRIVILEGEDPROMPT = "#"

                                  DEVICE_CONFIGPROMPT = "#"

                                  DEVICE_MORETEXT = ":"

                                   

                                  DEVICE_INVALIDCOMMAND = ""    ' Get this by typing BlahBlahBlah<cr>

                                  DEVICE_INCOMPLETECOMMAND = ""        ' Get this by typing Copy<cr>

                                  DEVICE_YESNOTEXT = ""

                                  DEVICE_CONFIGHEADERTEXT = ""    ' Text to trim off the top of a config output before saving it.  Set to "" if no header to remove.

                                   

                                  DEVICE_VTYPROMPT = "#"

                                  FULL_VTYPROMPT = "#"

                                  FULL_ENABLEPROMPT = "#"

                                  FULL_CONFIGPROMPT = "#"

                                   

                                  ' If device does not have a command then set to ""

                                  COMMAND_ENTERENABLEMODE = ""

                                  COMMAND_EXITENABLEMODE = ""

                                  COMMAND_ENTERCONFIG = ""

                                  COMMAND_EXITCONFIG = ""

                                  COMMAND_DISABLEPAGING = ""

                                  COMMAND_ENABLEPAGING = "" ' Set back to the device default of 24 lines per page

                                  COMMAND_SAVENVRAM = ""

                                  COMMAND_DISCONNECT = "exit"

                                    • Re: Backup running config for OpenBSD PF Firewall
                                      Steve Welsh

                                      It's a little hard to tell without seeing the full debuglog, so you may want to send me this offline?

                                       

                                      If I had to take a guess, I'd say it's the DEVICE_MORETEXT = ":" that you have specified that is causing the problem, as I can see CatTools is sending a ' ' (whitespace character) at the end of the debugfile which is probably the issue.

                                       

                                      Why are you setting the DEVICE_MORETEXT to ":"?

                                        • Re: Backup running config for OpenBSD PF Firewall
                                          kbuller

                                          That was it! I changed DEVICE_MORETEXT to = "" and it's running! Thanks so much.

                                           

                                          I had that set to ":" because if I piped a command to "more" it would have a ":" as the prompt. I figured that's what that variable meant, must have been something different. Makes no difference now anyway. Thanks again!

                                            • Re: Backup running config for OpenBSD PF Firewall
                                              kbuller

                                              One last question on this. Now that it's been running for a while, occasionally when it backs up the config on the OpenBSD machine, it captures the command it issues to get the config "cat /etc/pf.conf". Is there any way to prevent that?

                                               

                                              Thanks 

                                                • Re: Backup running config for OpenBSD PF Firewall
                                                  Steve Welsh

                                                  Hi Kevin,

                                                   

                                                  That's a bit strange that the command is intermittently being included in the config output.  The code should be stripping it off automatically every time.

                                                  Is there a chance that the command gets echoed back after the CR is sent to execute it?

                                                   

                                                  If so, then that is the cause of the problem.  

                                                   

                                                  One workaround which 'may' work for you is to enable the Config Header Text field variation in the Device Messages variations tab and enter the command you are sending as the header text.  CatTools will then hopefully strip this off the output before saving.

                                                   

                                                  Give this a try and post back your findings.

                                                   

                                                  Regards,

                                                   

                                                  Steve
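
The two problems worked through in this thread (a pager marker of ":" matching before the "#" prompt, and the echoed "cat /etc/pf.conf" ending up in the saved config) can be reproduced with a simplified expect-style matcher. This is an added example, not CatTools code and not something posted by either participant; the function names, the matching model and the sample log are constructed for illustration.

```python
import re

# Constructed sample in the debug-log notation seen in this thread:
# control characters appear as bracketed decimal codes ([13] = CR, [27] = ESC).
SAMPLE_LOG = (
    "Last login: Sun Jul 15 13:27:53 2012 from 10.100.101.248[13][13][10]"
    "[13][27][3g        [27]H        [27]H[13][13]"
    "[13][10]# cat /etc/pf.conf[13][13][10]"
    "# See pf.conf(5) for syntax and examples.[13][10]"
    "block in log on $ExtIf[13][10]"
    "block out log on $ExtIf[13][10]# "
)

# CSI sequences (ESC [ ... final byte) and two-character escapes such as ESC H.
ANSI_ESCAPE = re.compile(r"\x1b(?:\[[0-?]*[ -/]*[@-~]|[@-Z\\-_])")


def decode_log(text):
    """Turn [13], [10], [27] ... back into the raw characters they stand for."""
    return re.sub(r"\[(\d{1,3})\]", lambda m: chr(int(m.group(1))), text)


def strip_escapes(raw):
    """Remove VT100/ANSI escape sequences (here ESC[3g and ESC H)."""
    return ANSI_ESCAPE.sub("", raw)


def first_match(buffer, awaited):
    """Return (name, offset) of the awaited string found earliest, else None.

    Empty strings are skipped, which models setting a value to "".
    """
    hits = [(buffer.find(s), name) for name, s in awaited.items() if s and s in buffer]
    if not hits:
        return None
    offset, name = min(hits)
    return name, offset


def extract_config(buffer, command, prompt="#"):
    """Keep only the config: drop everything up to the echoed command line,
    then drop trailing blank lines and the bare prompt."""
    lines = [ln.strip("\r") for ln in buffer.split("\n")]
    for i, ln in enumerate(lines):
        if ln.lstrip(prompt + " ").rstrip() == command:
            lines = lines[i + 1:]
            break
    while lines and lines[-1].strip() in ("", prompt):
        lines.pop()
    return "\n".join(lines)


if __name__ == "__main__":
    clean = strip_escapes(decode_log(SAMPLE_LOG))
    # ":" occurs in the login banner, so a pager marker of ":" wins over "#".
    print(first_match(clean, {"more": ":", "prompt": "#"}))
    print(first_match(clean, {"more": "", "prompt": "#"}))
    print(extract_config(clean, "cat /etc/pf.conf"))
```
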