
Wake on WAF/WAN: Magic with the Web Application Firewall

For anyone interested, I'd like to share a small bash script I created yesterday to wake up (via the ASG) my internal Windows Homeserver, which uses the 'Lightsout' plugin to stay in S3 power-save mode whenever the server is not needed. It wakes up the server as soon as anyone tries to surf to the HTTP Remote Access web page.

/etc/init.d/rc3.d/S99wol:
#!/bin/bash

# At the ASG, create a DNAT for UDP traffic on port 9 to $DNATDST

# Configuration
MAC=00:26:2d:00:02:6b                # MAC of the server to wake
NIC=eth0                             # internal interface the server sits on
DNATDST=10.12.28.2                   # unused internal IP the DNAT rule points at
WAFHOST=homeserver.mediavillage.de   # server name as it appears in the WAF log

# Map the unused DNAT destination IP to the broadcast MAC, so that traffic
# forwarded to it is flooded on layer 2 (the ASG cannot DNAT to a broadcast
# address directly). Optional: comment out both lines if you do not want this.
ip neigh change "$DNATDST" lladdr ff:ff:ff:ff:ff:ff nud permanent dev "$NIC" > /dev/null 2>&1
ip neigh add    "$DNATDST" lladdr ff:ff:ff:ff:ff:ff nud permanent dev "$NIC" > /dev/null 2>&1

# Monitor the reverse proxy log and wake the server if necessary
(
OLD=""
while sleep 1; do
  # Last log line where the WAF answered 503 for $WAFHOST (backend unreachable);
  # the host name is matched literally rather than as a regular expression
  NEW=$(awk -v host="$WAFHOST" 'index($0, "server=\"" host "\"") && /statuscode="503"/' /var/log/reverseproxy.log | tail -1)
  # Only act on a line we have not already reacted to
  if [ -n "$NEW" ] && [ "$NEW" != "$OLD" ]; then
    CURDATE=$(date +"%Y:%m:%d-%T")
    CURHOSTNAME=$(hostname -f)
    CURPID=$$
    echo "$CURDATE $CURHOSTNAME [daemon:info] wol[$CURPID]:  Wake on WAF: $WAFHOST [$MAC]" >> /var/log/fallback.log
    ether-wake -i "$NIC" "$MAC"
    sleep 180   # give the server time to boot before checking the log again
    OLD=$NEW
  fi
done
) > /dev/null 2>&1 &


The script does two things at once:

1. Map an unused internal IP to the flooded broadcast layer-2 address (this is to circumvent the ASG's missing possibility to DNAT directly to a broadcast address).
2. Monitor the WAF log file for connection timeouts to the server that should be woken up on demand.

The first point is optional and can be commented out if you don't want to be able to wake any internal host on WAN. For this to work you also need to create a DNAT rule via WebAdmin: SRC: Any, SVC: UDP Port 9, DST: External (Address) >> DST: *unused* IP defined in the script. If you don't like that functionality, comment out the two 'ip neigh' lines in the script.

Happy wakeups! [:D]
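As an added example (not part of the original post), the same watch-and-wake logic in Python over a constructed log sample: it picks the last 503 line for the WAF host, builds the Wake-on-LAN magic packet that ether-wake would send to UDP port 9, and repeats the script's one-wake-per-new-line back-off. The key="value" log layout, the sample lines and the addresses are assumptions; the real reverseproxy.log format on the UTM may differ.

```python
import re
import socket
import time

WAFHOST = "homeserver.mediavillage.de"  # host to wake, as in the script
MAC = "00:26:2d:00:02:6b"               # its MAC, as in the script
COOLDOWN = 180                          # back-off after a wake-up, as in the script
# Constructed sample in the key="value" style the awk filter expects (real UTM layout may differ)
SAMPLE_LOG = [
    'srcip="203.0.113.7" server="homeserver.mediavillage.de" statuscode="200"',
    'srcip="203.0.113.7" server="other.example" statuscode="503"',
    'srcip="203.0.113.9" server="homeserver.mediavillage.de" statuscode="503"',
    'srcip="203.0.113.9" server="homeserver.mediavillage.de" statuscode="503"',
]
KV = re.compile(r'(\w+)="([^"]*)"')

def last_backend_down(lines, host=WAFHOST):
    """Last line where the WAF answered 503 for host (backend unreachable), or None."""
    hit = None
    for line in lines:
        fields = dict(KV.findall(line))
        if fields.get("server") == host and fields.get("statuscode") == "503":
            hit = line
    return hit

def magic_packet(mac):
    """Wake-on-LAN magic packet: six 0xFF bytes followed by the MAC repeated 16 times."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("MAC must be 6 bytes")
    return b"\xff" * 6 + raw * 16

def send_wol(mac):
    """Broadcast the magic packet on UDP port 9, the port the DNAT rule forwards."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        s.sendto(magic_packet(mac), ("255.255.255.255", 9))

def watch(read_lines, wake=send_wol, sleep=time.sleep, iterations=None):
    """The script's loop: wake once per new 503 line, then back off COOLDOWN seconds."""
    old, n = None, 0
    while iterations is None or n < iterations:
        n += 1
        new = last_backend_down(read_lines())
        if new and new != old:
            wake(MAC)
            old = new
            sleep(COOLDOWN)
        sleep(1)
```

Pass `iterations=None` and a real line reader (e.g. one that re-reads the log file) to run it as a daemon; the defaults broadcast a real packet, so the `wake` and `sleep` hooks are there for dry runs.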


Hi Heine,

Unfortunately not, as far as I'm aware.

The UTM's shell is full-fat, kernel-level root access to Linux, so you can run anything you want inside it (within reason, obviously). The XG's "shell" is actually a safe-mode BusyBox, and the commands you run are hooks into APIs for the binaries underneath, so deploying a script like this would run inside that safe-mode area and a lot of the command functionality is non-existent (very frustrating). Additionally, in a lot of areas, like the WAF configuration, you are not allowed to edit or write to those directories, so getting the script to be part of the WAF is the first issue.

However, there may be a distinct possibility that, although this script may not run as it is right here, if it was re-written to work alongside or with BusyBox then it "may" work.

But the shell system in the XG is locked down tighter than the UTM's by a long yard, and I'm not as much of a script kid these days and have only played with Bash, so I'd be interested in seeing if someone more versed in it than I can get this to work in the XG.

Emile