
I have two Bash scripts. ufwBlock.sh enables ufw and ufwUnblock.sh disables it.

ufwBlock.sh:

#!/bin/bash
if [[ -n `pidof firefox-esr` ]]
    then
        echo "Firefox is open, time to die (gracefully)...."
        kill -15 `pidof firefox-esr`
        logger -i Killed Firefox-esr
fi

ufw enable
logger -i enabled UFW

#Test result
pingResult=`ping -c1 aws.com | grep received | awk '{print $4}'`

if [[ -n $pingResult  ]]
    then
        logger ufw enabled. Pinged aws.com but received $pingResult responses
    else
        pingResult=0
        logger ufw enabled. Pinged aws.com and there was no response
fi

#Output rules <- This doesn't work!
rules=`ufw status`
logger $rules

if [[ $pingResult -gt 0 ]]
    then
        ufw default deny outgoing
        logger  ufw is enabled but ping got through, so added rule: ufw default to  deny outgoing
fi

and ufwUnblock.sh

#!/bin/bash
    ufw disable
    logger disabled the firewall

If I run ufwBlock.sh manually, it successfully (though slowly) detects and closes Firefox and enables the ufw firewall, blocking internet access for my video-obsessed son until the ufwUnblock.sh script is run. I set up crontab (as the root user):

# m     h       dom     mon     dow     command
0       20      *       *       *       /root/bin/ufwBlock.sh
30      7       *       *       *       /root/bin/ufwUnblock.sh

When cron triggers ufwBlock.sh it seems to work (see excerpt from journalctl | grep ufw, below) but I CAN STILL PING and running ufw status reports that ufw is disabled!

root@Pi7:/home/pi/# journalctl | grep ufw
Aug 02 20:00:01 Pi7 CRON[14554]: (root) CMD (/root/bin/ufwBlock.sh)
Aug 02 20:00:02 Pi7 root[14630]: ufw enabled. Pinged aws.com and received 1 responses
Aug 02 20:00:02 Pi7 root[14634]: ufw is enabled but ping got through, so added rule: ufw default to deny outgoing
root@Pi7:/home/pi# ufw status
Status: inactive

If I leave it up to cron, nothing gets blocked! Is this a timing issue (script rushing ahead without the previous action finishing)? Or have I made a mistake somewhere?

If it's relevant, this is all on a Pi4; uname -a -> Linux Pi7 4.19.118-v7l+ #1311 SMP Mon Apr 27 14:26:42 BST 2020 armv7l GNU/Linux

Greg
  • XY problem? Can't you handle all this in your router? –  Aug 02 '20 at 22:08
  • To kill firefox takes time. Maybe do a `while [ -n \`pidof firefox-esr\``... –  Aug 02 '20 at 22:12
  • @Roadowl And even if it does take a while to kill firefox, what does that have to do with `ping`? – Barmar Aug 02 '20 at 22:15
  • Try using the full path to the `ufw` command. A common problem in `cron` is that `$PATH` isn't set as you expect. – Barmar Aug 02 '20 at 22:17
  • The logger text "ufw enabled. Pinged aws.com and received 1 responses" did not come from your script. –  Aug 02 '20 at 22:19
  • Read your script and tell me where it generated that message. –  Aug 02 '20 at 22:20
  • As @Barmar said, I think that problem is with your `$PATH` environment variable too. `ufw` doesn't run in `cron` shell environment. Export `$PATH` at the beginning of your script and try again. https://stackoverflow.com/questions/2388087/how-to-get-cron-to-call-in-the-correct-paths is also another solution to define `$PATH` variable – mjrezaee Aug 02 '20 at 22:23
  • @Roadowl presumably from `logger ufw enabled. Pinged aws.com but received $pingResult responses` – Barmar Aug 02 '20 at 23:56
  • Although the word `but` seems to have changed to `and`. Maybe different versions of the script? – Barmar Aug 02 '20 at 23:57
  • `and` to `but` in `logger ufw enabled. Pinged aws.com _but_ received $pingResult responses` was a version change – Greg Aug 03 '20 at 16:48
  • @Roadowl. I originally tried doing this on my Linksys (openwrt) router but failed. Not sure why and worthy of a revisit. This looked like an expedient (easy & quick) alternative to keep my son from going square eyed and exercise free ;P – Greg Aug 03 '20 at 16:54
  • @barmar seems to have hit the nail on the head. Adding the fully qualified path to ufw (`/usr/sbin/ufw`) has fixed this question. – Greg Aug 04 '20 at 06:04
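Following the diagnosis in the comments above (cron's minimal PATH does not include /usr/sbin, so `ufw` was never run while the script still logged "ufw enabled"), here is an added example of a cron-safe ufwBlock.sh; it is written for this page and is not the asker's script. It assumes a Debian-style layout with ufw in /usr/sbin and iputils ping output, and uses ufw's `--force` flag to skip the interactive prompt that cron cannot answer.

```shell
#!/bin/bash
# Added example, not the asker's script: a cron-safe rewrite of ufwBlock.sh.
# cron runs jobs with a minimal PATH (commonly /usr/bin:/bin), so /usr/sbin/ufw
# is not found and the original logged "enabled" without ever running ufw.
# Fix: pin PATH, resolve tools to absolute paths, check every exit status,
# and verify the resulting state instead of assuming it.
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

# Log via syslog, falling back to stderr if logger itself is unavailable.
log() { logger -i -t ufwBlock "$*" 2>/dev/null || printf 'ufwBlock: %s\n' "$*" >&2; }

# Print the absolute path of a tool on the pinned PATH; non-zero status if missing.
resolve_tool() { command -v "$1"; }

# Succeed only if 'ufw status' output ($1) contains the line "Status: active".
ufw_output_is_active() { printf '%s\n' "$1" | grep -q '^Status: active$'; }

# Extract the received-packet count from iputils ping output ($1); empty if absent.
ping_received_count() {
    printf '%s\n' "$1" | awk -F', ' '/packets transmitted/ { split($2, a, " "); print a[1] }'
}

main() {
    local ufw status_out ping_out received
    ufw=$(resolve_tool ufw) || { log "ufw not found on PATH=$PATH"; return 1; }

    # Close Firefox before blocking; pkill matches and signals in one step.
    if pkill -15 -x firefox-esr 2>/dev/null; then log "sent SIGTERM to firefox-esr"; fi

    # --force skips ufw's interactive "may disrupt ssh" prompt; cron has no tty to answer it.
    "$ufw" --force enable || { log "'ufw enable' failed with status $?"; return 1; }

    # Do not trust the enable message: re-read the state and log what ufw actually reports.
    status_out=$("$ufw" status) || { log "'ufw status' failed"; return 1; }
    ufw_output_is_active "$status_out" || { log "ufw still inactive after enable"; return 1; }

    "$ufw" default deny outgoing || { log "could not set default deny outgoing"; return 1; }

    # Verification probe: with deny-outgoing in place, any reply above 0 means the block leaks.
    ping_out=$(ping -c1 -W2 aws.com 2>/dev/null)
    received=$(ping_received_count "$ping_out")
    log "firewall active, default outgoing=deny, ping aws.com received ${received:-0} replies"
}

main "$@" || log "run failed; firewall state is not guaranteed"
```

A failed run now leaves an explicit failure line in the journal instead of a misleading "ufw enabled", which is what `journalctl | grep ufw` would have needed to show the PATH problem directly.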
