This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Wake on WAF/WAN: Magic with the Web Application Firewall

For anyone interested, I'd like to share my small bash script I created yesterday to wake up (via ASG) my internal Windows Homeserver that uses the 'Lightsout' plugin to stay in S3 powersafe mode whenever the server is not needed. It wakes up the Server as soon as anyone tries to surf to the HTTP Remote Access Webpage.

/etc/init.d/rc3.d/S99wol:
#!/bin/bash

# At the ASG, create a DNAT for UDP Traffic Port 9 to $DNATDST

# Configuration
MAC=00:26:2d:00:02:6b

NIC=eth0
DNATDST=10.12.28.2

WAFHOST=homeserver.mediavillage.de


# Map Traffic going Fake-IP being flooded broadcasted
ip neigh change $DNATDST lladdr ff:ff:ff:ff:ff:ff nud permanent dev $NIC > /dev/null 2>&1
ip neigh add    $DNATDST lladdr ff:ff:ff:ff:ff:ff nud permanent dev $NIC > /dev/null 2>&1

# Monitor Reverse-Proxy and wake up Server if necessary
(
OLD=""
while sleep 1; do
  NEW=`awk '/server=\"'"$WAFHOST"'\"/ && /statuscode=\"503\"/ {print }' /var/log/reverseproxy.log | tail -1`
  echo $NEW
  if [ "$NEW" != "" -a "$NEW" != "$OLD" ]; then
    CURDATE=`date +"%Y:%m:%d-%T"`
    CURHOSTNAME=`hostname -f`
    CURPID=$$
    echo "$CURDATE $CURHOSTNAME [daemon:info] wol[$CURPID]:  Wake on WAF: $WAFHOST [$MAC]" >> /var/log/fallback.log
    ether-wake $MAC
    sleep 180
    OLD=$NEW
  fi
done
) > /dev/null 2>&1 &


The Script does 2 things at once:

[LIST=1]
  • Map an unused internal IP to be the flooded broadcast layer2 address (this is to circumvent ASGs missing possibility to directly DNAT to Broadcast)
  • Monitor the WAF Logfile for Connection Timeouts to the Server that should be woken up on demand
[/LIST]

The first point is optional and can be commented out if you don't want to be able to wake on WAN any internal host. For this to work you also need to create a DNAT rule via WebAdmin: SRC: Any, SVC: UDP Port 9, DST: External (Address) >> DST: *unused* IP defined in Script. If you don't like that functionality, comment out the two 'ip neigh' lines in the script.

Happy wakeups! [:D]


This thread was automatically locked due to age.
Parents
  • Hi all,
    Just curious, as this post/thread is quite dated.
    Has this functionality been added to the UTM?
    Or can someone guide me on how to get this working? I have a server i would lige to wake when ever a request for it shows in the network/From wan.

    //Heine
Reply
  • Hi all,
    Just curious, as this post/thread is quite dated.
    Has this functionality been added to the UTM?
    Or can someone guide me on how to get this working? I have a server i would lige to wake when ever a request for it shows in the network/From wan.

    //Heine
Children
  • Hi, Heine, and welcome to the UTM Community!

    This functionality has not been added.  Inside the LAN, the client trying to access the server should send its own WOL packet, I think.  For external clients, doesn't trollvottel's prescription above work for you?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi BAlfson,

    I sad to hear it not implemented.

    But, i did manage to the this script working.
    I the start i was on shaky ground figuring out how to get it working, but in the end i managed :)

    Thanks for your reply.

    //Heine
  • Can this be ported to work on the newer xg firewall?

  • Hi Heine,

    Unfortunately not, as far as I'm aware.

    The UTMs Shell is a full fat kernel level root access of Linux so you can run anything you want inside it (within reason obviously). The XG's "Shell" is actually a safe mode BusyBox and the commands you run are hooks into APIs for the binarys underneath so deploying a script like this would be run inside that safe mode area and a lot of the command functionality is non-existant (very frustrating). Additionally a lot of areas, like the WAF configuration, you are not allowed to edit or write to those directories so getting the script to be part of the WAF is the first issue.

    However, there may be a distinct possibility that although this script may not run as it is right here, if it was re-written to work alongside or with busybox then it "may" work.

    But the shell system in the XG is locked down tighter than the UTM by a long yard but I'm not as much of a script kid these days and I've only played with Bash so I'd be interested in seeing if someone more versed in it than I can get this to work in the XG.

    Emile