[Question] using voip_forwardrules to enable remote access to daemons on Freetz

frater

Member
Member since
23 Nov 2008
Posts
455
Reaction score
3
Points
18
Only now I have taken the time to investigate how I can use voip_forwardrules to enable remote access.
Somehow I couldn't get it working.

It was also suspicious that port 5060 wasn't working either.
It now turns out that the firewall disables these rules when no voip is enabled.

Is there a workaround for this?
I would like to use that firewall when there's no VoIP in use.

Or am I making it too difficult for myself and is there no need to use "voip_forwardrules" and can I use this same procedure with "internet_forwardrules" ???
I understand that I first need to enable remote access on the fritzbox and create a user that has remote access.
That's not a problem as I need to do that anyhow.
If there are no further downsides to using "internet_forwardrules" this way I will follow that route and adapt my provisioning script.

Here's the script I'm using to make my life a bit easier when I provision a new Fritzbox. The script survives a factory reset, which is a requirement for my use-case.

cat /etc/init.d/S90-provision
Code:
#!/bin/sh

REBOOT_REQUIRED=
FREETZ_INTERFACE=81818
SSH_REMOTE=52222
ZABBIX_SERVER=zabbix.yourowndomain.net
THIS_SCRIPT=/etc/init.d/S90-provision
LOG="/var/tmp/flash/${THIS_SCRIPT##*/}.log"

PUBLIC_KEYS=''

FORWARDS="        internet_forwardrules = \"tcp 0.0.0.0:${FREETZ_INTERFACE} 0.0.0.0:${FREETZ_INTERFACE} 0 # Freetz\",
                                \"tcp 0.0.0.0:${SSH_REMOTE} 0.0.0.0:22 0 # SSH\",
                                \"tcp 0.0.0.0:10050 0.0.0.0:10050 0 # Zabbix\","

FORWARD_TAIL="`echo "${FORWARDS}" | tail -n1 | sed 's/^ *//g'`"

# Keep the log short; rotate through a temp file (redirecting tail back into the same file would truncate it before it is read)
if [ -f ${LOG} ] && [ `grep -c . ${LOG}` -gt 60 ] ; then
  tail -n40 ${LOG} >${LOG}.tmp && mv ${LOG}.tmp ${LOG}
fi

date >>${LOG}
echo "Start custom initialization running ${THIS_SCRIPT} ($0)" >>${LOG}
echo "Config version: ${CONFIG_VERSION}" >>${LOG}

CONFIG=/var/tmp/flash/authorized_keys_root/authorized_keys
# Add public keys if none are there
if [ ! -s ${CONFIG} ] ; then
  if [ -n "${PUBLIC_KEYS}" ] ; then
    mkdir -p /var/tmp/flash/authorized_keys_root
    echo "${PUBLIC_KEYS}" | egrep -v '^ *($|#)' >${CONFIG}
    REBOOT_REQUIRED=true
    echo "add public keys to ${CONFIG}" >>${LOG}
  fi
fi

CONFIG=/var/mod/etc/conf/dropbear.cfg
# Enable SSH
if grep -q "^export DROPBEAR_ENABLED='no'" ${CONFIG} ; then
  sed -i "s/^export DROPBEAR_ENABLED=.*/export DROPBEAR_ENABLED=\'yes\'/g" ${CONFIG}
  REBOOT_REQUIRED=true
  echo "enable dropbear, change ${CONFIG}" >>${LOG}
fi

CONFIG=/var/mod/etc/conf/zabbix_agentd.cfg
# Change Zabbix server
if grep -q "^export ZABBIX_AGENTD_SERVER='zabbix.example.com.'" ${CONFIG} ; then
  sed -i "s/^export ZABBIX_AGENTD_SERVER=.*/export ZABBIX_AGENTD_SERVER=\'${ZABBIX_SERVER}\'/g" ${CONFIG}
  sed -i "s/^export ZABBIX_AGENTD_ENABLED=.*/export ZABBIX_AGENTD_ENABLED=\'yes\'/g" ${CONFIG}

  # REBOOT_REQUIRED=true
  echo "change ${CONFIG}" >>${LOG}
fi

CONFIG=/var/mod/etc/conf/mod.cfg
# Change Freetz interface to other port
if ! grep -q "^export MOD_HTTPD_PORT='${FREETZ_INTERFACE}'" ${CONFIG} ; then
  sed -i "s/^export MOD_HTTPD_PORT=.*/export MOD_HTTPD_PORT=\'${FREETZ_INTERFACE}\'/g" ${CONFIG}
  REBOOT_REQUIRED=true
  echo "change MOD_HTTPD_PORT in ${CONFIG}" >>${LOG}
fi
# Make sure cron is turned on
if grep -q "^export MOD_CROND='no'" ${CONFIG} ; then
  sed -i "s/^export MOD_CROND=.*/export MOD_CROND=\'yes\'/g" ${CONFIG}
  REBOOT_REQUIRED=true
  echo "change MOD_CROND in ${CONFIG}" >>${LOG}
fi

CONFIG=/var/tmp/flash/mod/crontab
# Add myself to crontab
if ! grep -q "${THIS_SCRIPT}" ${CONFIG} ; then
  echo "0 5 * * * ${THIS_SCRIPT}" >>${CONFIG}
  REBOOT_REQUIRED=true
  echo "Add ${THIS_SCRIPT} to ${CONFIG}" >>${LOG}
  killall -HUP crond
fi

CONFIG=/var/tmp/flash/sudo/sudoers
# Allow drop-in files from /etc/sudoers.d
if ! grep -q "includedir" ${CONFIG} ; then
  mkdir -p /var/tmp/flash/sudo
  echo "## Read drop-in files from /etc/sudoers.d
## (the '#' here does not indicate a comment)
#includedir /etc/sudoers.d" >>${CONFIG}

  REBOOT_REQUIRED=true
  echo "change ${CONFIG}" >>${LOG}
fi


if ! pcplisten -? 2>/dev/null && echo pcplisten ; then
  CONFIG=/var/flash/ar7.cfg
  # Execute on old Fritz!Box versions (up to version 6.84)

  if grep -q 'internet_forwardrules = \"tcp' ${CONFIG} ; then
    if ! grep -A15 internet_forwardrules ${CONFIG} | grep -q "${FORWARD_TAIL}" ; then

      ctlmgr -s

      # write a modified ar7.cfg to /tmp

      # all lines before the first "internet_forwardrules = " line
      grep -B999999 internet_forwardrules ${CONFIG} | head -n-1 >/tmp/ar7.cfg
      # insert custom rules
      echo "${FORWARDS}" >>/tmp/ar7.cfg
      # restore the original first "internet_forwardrules = " line, with the key itself replaced by spaces
      grep internet_forwardrules ${CONFIG} | sed 's/internet_forwardrules = /                        /g' >>/tmp/ar7.cfg
      # all lines after the "internet_forwardrules = " line
      grep -A999999 internet_forwardrules ${CONFIG} | tail -n+2 >>/tmp/ar7.cfg

      sed -i 's/two_factor_auth_enabled.*/two_factor_auth_enabled = no;/g' /tmp/ar7.cfg

      echo "Write internet_forwardrules to ${CONFIG}" >&2
      cat /tmp/ar7.cfg >${CONFIG}

      REBOOT_REQUIRED=true
      echo "change internet_forwardrules in ${CONFIG}" >>${LOG}
    fi
  fi
else
  # This will be executed on newer boxes supporting pcplisten

  CONFIG=/var/tmp/flash/iforwards.cfg

  # Execute on new Fritz!Box versions (up to version 7.xx)
  if [ ! -s ${CONFIG} ] ; then
    echo "tcp @ ${FREETZ_INTERFACE} * Freetz
tcp @ 10050 * Zabbix
tcp @ ${SSH_REMOTE} * SSH" >${CONFIG}
    modsave flash
    REBOOT_REQUIRED=true
    echo "change forwardrules in ${CONFIG}" >>${LOG}
  fi

  CONFIG=/var/tmp/flash/mod/crontab
  if ! grep -q iforwards ${CONFIG} ; then
    mkdir -p /var/tmp/flash/mod
    REBOOT_REQUIRED=true
    echo '*/3 * * * * /bin/ps | grep -q "[i]forwards" || (/sbin/iforwards &)' >>${CONFIG}
    echo "add /sbin/iforwards to ${CONFIG}" >>${LOG}
    killall -HUP crond
  fi

  CONFIG=/var/mod/etc/conf/dropbear.cfg
  if ! grep -q "DROPBEAR_PORT.*${SSH_REMOTE}" ${CONFIG} ; then
    REBOOT_REQUIRED=true
    sed -i "s/^export DROPBEAR_PORT=.*/export DROPBEAR_PORT=\'${SSH_REMOTE}\'/g" ${CONFIG}
    echo "change SSH port in ${CONFIG}" >>${LOG}
  fi

  CONFIG=/var/flash/ar7.cfg
  if ! grep -q "two_factor_auth_enabled.*no" ${CONFIG} ; then
    REBOOT_REQUIRED=true
    ctlmgr -s
    sed "s/two_factor_auth_enabled.*/two_factor_auth_enabled = no;/g" ${CONFIG} >/tmp/ar7.cfg
    cat /tmp/ar7.cfg >${CONFIG}
    echo "turn off 2 factor authentication in ${CONFIG}" >>${LOG}
  fi
fi

if [ -n "${REBOOT_REQUIRED}" ] ; then
  echo "modsave flash && modsave all" | wall
  modsave flash && modsave all
  ctlmgr        # Start ctlmgr so you can access the AVM-webif during provisioning
  echo "A reboot will follow in 2 minutes" >>${LOG}

  echo "sleep 90
echo \"System reboots in 30 seconds because ${THIS_SCRIPT} made some initial configuration changes\" | wall
sleep 30 && /sbin/reboot" >/tmp/delayed_reboot

  sh /tmp/delayed_reboot &
else
  pcplisten -? 2>/dev/null && (/sbin/iforwards &)
  echo "Nothing has changed" >>${LOG}
fi
echo "End of ${THIS_SCRIPT}" >>${LOG}
 
Thanks....
I just created a local ip-phone with access from Internet, but when I remove the VoIP-account the rules are disabled again.

What about using "internet_forwardrules" again like I did all these years?
 
with access from Internet
Unnecessary ... keep it local, it's more secure and you can leave this account active. If no-one uses it to register, nothing happens ... only voip_forwardrules get applied.
 
I don't understand your answer or you're not understanding what I want. I need to expose the SSH server and zabbix to the Internet.
Often they are the only device on a remote network to which I can create a tunnel.
 
Yes ... and you can't use internet_forwardrules anymore, 'cause your entries there get ignored - that's expectable.

Move your port-forwardings to voip_forwardrules and create the mentioned IP phone as SIP client ... voilà, your rules get applied. Remove the SIP client and your rules aren't applied any longer. Looks like you've tested it already and made this experience yourself.

If you leave the SIP client active, local port-forwarding via voip_forwardrules is usable. Or if your box has any other reason (any registration as UA or sth. like this) to start and use voipd, this solves the same concern.

You did ask for a workaround (I've cited your "question" prior to my first answer) and you've got one. Use it or leave it ... it's your decision.

If you aren't really happy with this solution, use other router devices ... or write your own PCP client to enable forwardings to the local device. This isn't supported any longer by "stock firmware". Period.

Somewhere here (don't ask me where exactly) I've discussed possible solutions for this problem ... you may try to find it or you may leave this, too. Still your decision ...
 
Yes ... and you can't use internet_forwardrules anymore, 'cause your entries there get ignored - that's expectable.
I have converted my script to internet_forwardrules and I have it working.
You're saying these rules are ignored.

My guess then is that it's working because I'm testing all this on a 6.84 international.
My latest firmwares were still built with the SVN-trunk.
I have started from scratch with git and only recently have I got it all working again with my own customizations.
Because each new Fritzbox takes too much time to configure, I have now started to automate the setup, and I also want to have it working without the "forward interface".

I have not moved (yet) to 7.x, but that's the next step.

Where does the remote AVM-access come in /var/flash/ar7.cfg ???

The only reason why I aborted the "voip_forwardrules" is because I don't want to enter a fake VoIP-account in the Fritzbox.
It does indeed work with a (fake) VoIP-account, but that is far from elegant.

If you aren't really happy with this solution, use other router devices ... or write your own PCP client to enable forwardings to the local device. This isn't supported any longer by "stock firmware". Period.
I have too much invested in these Freetz boxes. I'm managing about 70 of them and that's still growing. I can't really stay on 6.84 much longer....

If it was iptables I would never have bothered with ar7.cfg and would have bypassed AVM's code completely.
If you can lead me to some info how to execute commands for this firewall that would be much helpful.

I'm already using other routers (pfsense), but for most of our clients the Fritzbox is better suited.
 
I upgraded the 6.84 router to 7.11 and I see that the Fritz!box has migrated my port_forwards to a file called /var/.srb_pcp

I have now changed my script so it will use internet_forwardrules if CONFIG_VERSION is either 4, 5 or 6:
Code:
echo ${CONFIG_VERSION} | grep -q '[456]\.'

For the time being I will resort to voip_forwardrules when I'm on version 7
The downside of that is that it needs a VoIP-account, otherwise these rules are ignored.
I will postpone the use of 7.x I think.

I will revisit this subject next year and see what I can do then.
For now I need to properly test these 6.84 versions and see if the partly automatic provisioning is indeed doing what I want it to.
 
Sorry, the handling of these settings has changed over time ... starting with the first versions with PCP support.

Maybe some older versions still use internet_forwardrules and, under rare circumstances, this setting is functioning with the latest versions, too.

But it's normal that any discussion here relates to the latest available version, if not mentioned otherwise. Your first reference to 06.84 was found in #7.

There are findings that internet_forwardrules doesn't work any longer, and therefore most users moved to voip_forwardrules or ike_forward_rules (in vpn.cfg), which needs a running avmike daemon to activate these port-forwardings.

As reported, the latter one isn't available anymore either. With the latest versions (07.1x+) the ike_forward_rules entry is even removed from the file, while it gets written to the settings storage.

And BTW ... the file /var/.srb_pcp you've found is only the backing file of a ringbuffer logging PCP actions. You may show its content in readable form with showshringbuf pcp. That's not a new storage place for your forwarding settings.
 
I will investigate pcp and see if I can write some watchdog that makes sure my custom rules are applied.
This is not for now as I need to establish first if the 6.84 firmwares I'm producing with my new cleaned up trunk are stable.

The 7.11 I created from the .config I was using went into some bootloop, so I removed the .config and recompiled to create a test version for 7.11. I was indeed using several "remove packages". I need to investigate that as well.
Or is it already well known which "remove packages" are the culprit?
Having an International version also means that fewer people have tested it.

Freetz also has an OpenVPN-package.
How do they open their ports?
 
How do they open their ports?
Using voip_forwardrules ...

Here I had written down some facts regarding differences in newer FRITZ!OS versions ... one part is mentioning the "PCP problem", too.

 
I just ran this
Code:
root@fritz:/# pcplisten tcp 192.168.178.1 443 120 AVM
OK: 10.0.0.25 443

and now I can open the AVM-interface.
I tested if I could go higher than 120 and noticed the command accepts this, but it results in a lifetime of 120 seconds anyhow.

It will not be difficult to create a daemon that will keep those forwardrules fresh.
Beside the daemon I can create a watchdog that makes sure this daemon keeps running.

cat /proc/kdsld/dsliface/internet/ipmasq/pcp44 | grep -A6 :443
Code:
MAP  TCP [192.168.178.1]:443 [10.0.0.25]:443 use 1, lifetime 100 secs, expire in 37 secs
     wanted [0.0.0.0]:0
     uniqid 0, cfgflags ignore_proxy_errors
     nonce 926a4dcd6f07fd1f615647a8
     desc "AVM"
     wanted_lifetime 100 lifetime 100
     pid 6086 caddr [192.168.178.1]

If I want to have a port translation I need to give a "wanted" parameter, but the program "pcplisten" doesn't seem to support that.
I would prefer this for my SSH server, but on the other hand it is not that difficult to change the listen port of dropbear itself.

I actually prefer this over having to manipulate config files.

Do you have some hints regarding the port mapping?
Is it indeed enough to run these commands at an interval of 118 seconds?

Code:
echo "tcp @ 443 * AVM" >/var/flash/iforwards.cfg

echo '*/5 * * * * /bin/ps | grep -q "[i]forwards" || (/sbin/iforwards &)' >>/var/tmp/flash/mod/crontab
modsave flash

cat /sbin/iforwards
Code:
#!/bin/sh
HEADLESS= ; tty >/dev/null || HEADLESS=true

LANIP=`ifconfig lan | egrep -o 'inet addr:[0-9.]+' | head -n1 | awk -F: '{print $2}'`

if [ -n "${LANIP}" ] && [ -s /var/flash/iforwards.cfg ] ; then
   while true ; do
     while read PCP ; do
       CMDLINE="pcplisten `echo "${PCP}" | sed "s/ @ / ${LANIP} /g;s/ \* / 120 /g"`"   # ${PCP} must be quoted: an unquoted "*" is expanded to file names
       [ ${HEADLESS} ] || echo ${CMDLINE}
       ${CMDLINE}
     done </var/flash/iforwards.cfg
     sleep 117
   done
else
  exit 1
fi


I am writing this on a mobile phone in the train.
There are errors in this example.
I will correct these later.
 
Hello


Try: pcplisten tcp 192.168.178.1 443 24d AVM
:cool: ( Or 24h )

Edit: No, sorry, doesn't work
 
That will expire in 24 seconds:

Code:
root@fritz:/var/flash# pcplisten tcp 192.168.178.1 443 24d AVM
OK: 10.0.0.25 443
root@fritz:/var/flash# cat /proc/kdsld/dsliface/internet/ipmasq/pcp44 | grep -A6 :443
MAP  TCP [192.168.178.1]:443 [10.0.0.25]:443 use 1, lifetime 24 secs, expire in 22 secs
     wanted [0.0.0.0]:0
     uniqid 0, cfgflags ignore_proxy_errors
     nonce 8d32b6635c6f6a961d9bcd90
     desc "AVM"
     wanted_lifetime 24 lifetime 24
     pid 6131 caddr [192.168.178.1]
root@fritz:/var/flash# cat /proc/kdsld/dsliface/internet/ipmasq/pcp44 | grep -A6 :443
MAP  TCP [192.168.178.1]:443 [10.0.0.25]:443 use 1, lifetime 24 secs, expire in 17 secs
     wanted [0.0.0.0]:0
     uniqid 0, cfgflags ignore_proxy_errors
     nonce 8d32b6635c6f6a961d9bcd90
     desc "AVM"
     wanted_lifetime 24 lifetime 24
     pid 6131 caddr [192.168.178.1]

--

If we have a Freetz service that keeps such a daemon alive and a webif for the entries, we could have the internet forwards back again.
Is there no interest?
 
Is there no interest?
There's nobody who has implemented it yet.

Some more thoughts ... meanwhile "from the past", too: https://www.ip-phone-forum.de/threads/port-forwarding-using-cli.289859/

IMHO there are mainly two different approaches to how this could be implemented ... starting with a library that has to be included in such services/daemons and starts a parallel thread, which runs as long as the daemon is listening for incoming connections, too. An advantage is the high security (the port is only reachable while the daemon is running), and the need to modify each daemon is a clear disadvantage.

Another idea is an "overall" daemon with an appropriate interface (usually a "procfs" implementation, but this is only available for kernel modules), where such daemons may simply "register" and "unregister" their ports while they are running. This has the disadvantage that even a terminated/failed service has to unregister ... otherwise it may lead to confusion (is it a new service, does it need a different port, is the requested port still in use by the previous instance, etc.) if it gets restarted and this "overall daemon" doesn't monitor the presence of the "registered daemons" itself (which makes it more complex again).

If anybody starts to implement such a service, he/she should try to discuss this idea first with others - best with "software architects" - to find the solution which fits best for most cases. It's not in each case as simple as it looks at first glance. If someone wants only a solution that suits his/her own needs, he/she may start to implement it without such thoughts before the start.
 
Wouldn't a nice start be the introduction of a pcplisten alternative that supports a "lifetime" parameter (longer than 120s) and both internal and external ports?

For my future boxes I now have a script in /etc/init.d/ that will configure a box that is missing settings that are required to get remote access on it.
I understand that there is a limited need for this, but as I need to configure new boxes quite often, this will be a great time saver for me and also eliminates the occasional forgetting to set a required config.
But that is beyond the scope of this subject.

I think I now have a good replacement for the Freetz firewall interface that's reasonably future-proof.
I can add/change ports to /var/flash/iforwards.cfg.
No dependency on VoIP or remote setting. No messing with configs that are also accessed by the AVM-firmware.
It is of course possible that ports in the AVM-firewall are in conflict with your own. With power comes responsibility and good care.

The only thing that will change for me is that I need to change the port of the SSH-server.
Up until now I always kept it running at port 22 and did a port translation in the firewall.
Maybe it's a good thing that this is now also changed.
 
I have a feeling that no-one is actually using pcplisten for the firewall.
Because I'm also busy writing a system to configure the box automatically after it has flashed I only just now discovered that pcplisten does NOT work as I, and I presume others, expected.

With pcplisten we are limited to a lifetime of 120 seconds. I tried to use 0, which I hoped would trigger an infinite lifetime, but that didn't work.
The script I proposed earlier doesn't work either. It assumed that a "pcplisten" command that would be issued before the lifetime expired would result in a refresh. That's not the case. pcplisten commands are just ignored when the current rules are not yet expired.

I think that's a bit strange.
That's why I modified my script which is still WiP and may change in the near future.
Maybe someone would like to comment on it.

BTW.... I'm testing this on 6.84 which may have these restrictions where 7.11 does not. I still need to test this on that.
I would also like to know how critical it is. If I'm already connected will the port close down? I need to test that as well.

I needed to set "FREETZ_BUSYBOX_FEATURE_FLOAT_SLEEP=y" so sleep would support 0.4 seconds

I just did a test using the command
Code:
pcplisten tcp 192.168.178.1 80 10 avm
This opens the port for 10 seconds.
This luckily doesn't mean that you'll be kicked after 10 seconds. Established connections have an additional lifetime, somewhere in the range of 20 seconds. This means that the thing I was afraid of... "a break of contact every 2 minutes" doesn't pose a problem.


Code:
#!/bin/sh
HEADLESS=
tty >/dev/null || HEADLESS=true

CONFIG=/var/tmp/flash/iforwards.cfg
LANIP=`ifconfig lan | egrep -o 'inet addr:[0-9.]+' | head -n1 | awk -F: '{print $2}'`

if [ -n "${LANIP}" ] && [ -s ${CONFIG} ] ; then
   while true ; do
     # Get a valid firewall line sample from the config
     grep -i '^[tu][cd]p *@ *[0-9]' ${CONFIG} | awk '{print $1".*"$3}' >/tmp/portfilter
     FWLINES=`grep -c . /tmp/portfilter`
     [ -s /tmp/portfilter ] || break

     # this tight loop will go on until the lowest expiration is more then 110 seconds
     while true ; do
       while read PCP ; do
         CMDLINE="/bin/pcplisten `echo "${PCP}" | sed "s/ @ / ${LANIP} /g;s/ \* / 120 /g"`"
         [ ${HEADLESS} ] || echo ${CMDLINE}
         ${CMDLINE}
       done <${CONFIG}
       # fetch the lowest expiration time in seconds
       grep -if /tmp/portfilter /proc/kdsld/dsliface/internet/ipmasq/pcp44 >/tmp/pcports
       PCPLINES=`grep -c . /tmp/pcports`
       [ ${PCPLINES} -lt ${FWLINES} ] && { sleep 0.4 ; continue ; }   # at least 1 port has expired, retry quickly (but never spin without a pause)

       FIRSTEXPIRE=`grep -o ' expire in .*' /tmp/pcports | awk '{print $3}' | sort -n | head -n1`
       [ ${HEADLESS} ] || echo "Expires in ${FIRSTEXPIRE} secs"
       if [ -n "${FIRSTEXPIRE}" ] ; then
         [ ${FIRSTEXPIRE} -gt 110 ] && break    # break out of loop and sleep for a while, because all ports have just been refreshed
         WAITNOW=$((  ${FIRSTEXPIRE} - 3 ))
         if [ ${WAITNOW} -gt 0 ] ; then
           [ ${HEADLESS} ] || echo "I will wait for ${WAITNOW} as it takes some time before it all expires"
           sleep ${WAITNOW}
         fi
       fi
       sleep 0.4   # do not execute loop too quickly too often
     done
     [ ${HEADLESS} ] || echo "I will patiently wait for 109 seconds"
     sleep 109
   done
else
  exit 1
fi
 
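The refresh logic of this post and the pcp44 layout quoted earlier in the thread, as an added example that is neither the poster's script nor Freetz code: it parses a constructed pcp44 snapshot and a constructed iforwards.cfg, reports which mappings are missing or about to expire (pcplisten is ignored while a mapping is still alive, so that is the only moment a refresh does anything), and prints the pcplisten commands to run. The sample snapshot, the rule list, the 10-second margin and the LAN IP 192.168.178.1 are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from Freetz: decide when pcplisten
# mappings need refreshing by parsing a /proc/.../ipmasq/pcp44 snapshot.
# Assumed inputs: the "MAP  TCP [ext]:port [int]:port ... expire in N secs" layout
# quoted in the thread, and rules in the "proto @ port * description" format of
# iforwards.cfg. Both samples below are constructed.

PCP44_SAMPLE='MAP  TCP [192.168.178.1]:443 [10.0.0.25]:443 use 1, lifetime 120 secs, expire in 95 secs
     wanted [0.0.0.0]:0
     uniqid 0, cfgflags ignore_proxy_errors
     nonce 926a4dcd6f07fd1f615647a8
     desc "AVM"
     wanted_lifetime 120 lifetime 120
     pid 6086 caddr [192.168.178.1]
MAP  TCP [192.168.178.1]:52222 [10.0.0.25]:52222 use 1, lifetime 120 secs, expire in 2 secs
     wanted [0.0.0.0]:0
     uniqid 0, cfgflags ignore_proxy_errors
     nonce 8d32b6635c6f6a961d9bcd90
     desc "SSH"
     wanted_lifetime 120 lifetime 120
     pid 6131 caddr [192.168.178.1]'

# Three rules: 443 is healthy, 52222 is about to expire, 10050 has no mapping.
IFORWARDS_SAMPLE='tcp @ 443 * AVM
tcp @ 52222 * SSH
tcp @ 10050 * Zabbix'

# Remaining lifetime in seconds of one mapping; empty when no MAP line matches.
# usage: pcp_expire_secs "$snapshot" tcp 443
pcp_expire_secs() {
    printf '%s\n' "$1" | awk -v proto="$(printf '%s' "$2" | tr 'a-z' 'A-Z')" -v port="$3" '
        $1 == "MAP" && $2 == proto && $3 ~ ("[]]:" port "$") {
            for (i = 1; i <= NF; i++) if ($i == "expire") { print $(i + 2); exit }
        }'
}

# One line per valid rule: "<proto> <port> <state> <secs>". MISSING means no
# mapping exists, DUE means it expires within the margin, OK otherwise.
# usage: pcp_classify "$snapshot" "$rules" margin_secs
pcp_classify() {
    snapshot=$1 margin=$3
    printf '%s\n' "$2" | while read -r proto at port star desc; do
        # Only accept "proto @ port * description" lines with a numeric port.
        [ "$at" = "@" ] && [ "$star" = "*" ] || continue
        case "$port" in ''|*[!0-9]*) continue ;; esac
        secs=$(pcp_expire_secs "$snapshot" "$proto" "$port")
        if [ -z "$secs" ]; then state=MISSING secs=0
        elif [ "$secs" -le "$margin" ]; then state=DUE
        else state=OK
        fi
        printf '%s %s %s %s\n' "$proto" "$port" "$state" "$secs"
    done
}

# Seconds a refresher may sleep before acting: 0 if any rule is MISSING or DUE,
# otherwise the shortest remaining lifetime minus the margin. Calling pcplisten
# earlier is pointless, as it is ignored while the mapping is still alive.
# usage: pcp_next_wait "$snapshot" "$rules" margin_secs
pcp_next_wait() {
    pcp_classify "$1" "$2" "$3" | awk -v margin="$3" '
        $3 != "OK" { act = 1 }
        $3 == "OK" && (min == "" || $4 + 0 < min + 0) { min = $4 }
        END { if (act || min == "") print 0; else print min - margin }'
}

# pcplisten command lines for every MISSING or DUE rule, using the 120 s maximum
# lifetime observed in the thread. Printed rather than executed so they can be
# reviewed; pipe the output into sh on the box to apply them.
# usage: pcp_refresh_cmds "$snapshot" "$rules" margin_secs lan_ip
pcp_refresh_cmds() {
    pcp_classify "$1" "$2" "$3" | while read -r proto port state secs; do
        [ "$state" = "OK" ] && continue
        desc=$(printf '%s\n' "$2" | awk -v p="$port" '$2 == "@" && $3 == p { print $5; exit }')
        printf 'pcplisten %s %s %s 120 %s\n' "$proto" "$4" "$port" "$desc"
    done
}

# Demo run on the constructed samples with a 10 s margin and LAN IP 192.168.178.1.
pcp_classify "$PCP44_SAMPLE" "$IFORWARDS_SAMPLE" 10
echo "next wait: $(pcp_next_wait "$PCP44_SAMPLE" "$IFORWARDS_SAMPLE" 10) s"
pcp_refresh_cmds "$PCP44_SAMPLE" "$IFORWARDS_SAMPLE" 10 192.168.178.1
```

On a real box, replace the sample snapshot with `cat /proc/kdsld/dsliface/internet/ipmasq/pcp44` and the sample rules with the contents of iforwards.cfg.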
@PeterPawn

Maybe I wasn't clear before or maybe you already know this, but any "internet_forwardrules" of a 6.84 box is moved to some other location by AVM after an upgrade and continues to work on a 7.11 box.

This means that this has to reside on the part that is writable. Do you know where? Has anyone investigated how we can manipulate that file?
 
I have problems with the open port for OpenVPN 1194 on a 7490 with fw 7.59. This always worked: cat /var/flash/ar7.cfg > /var/tmp/ar7.cfg   vi /var/tmp/ar7.cfg
.
voip_forwardrules = "udp 0.0.0.0:5060 0.0.0.0:5060".
"udp 0.0.0.0:5060 0.0.0.0:5060" "udp 0.0.0.0:1194 0.0.0.0:1994   cat /var/tmp/ar7.cfg > /var/flash/ar7.cfg   ar7cfgchanged

After I got the port and the firmware upload via the Freetz GUI and it works,
I didn't have to change anything. I tried the
port forwarding rules of the AVM firewall. No effect. Maybe I defined the problem wrongly. In FW 7.5x. But after going back to 7.29 the port is open again. Do I have to change additional files for FW 7.5x?
 