***WARNING***
THIS DOES NOT MEAN YOU GET TO SHUT YOUR BRAIN OFF. UPGRADING FREENAS COULD STILL RENDER YOUR CHANGES NULL AND VOID. AFTER ANY FREENAS UPGRADE, VERIFY THAT YOUR CHANGES ARE STILL IN EFFECT EVEN WITH THIS STICKY HACK IN PLACE.
Part 1 of trying to get hacks to FreeNAS to survive an upgrade was a failure. But never fear, I went back to the drawing board and had great success tonight. Basically I changed my approach slightly: instead of trying to make changes to /conf/base/etc/rc.conf, what ended up working was just making the changes to /etc/rc.conf on every boot.
This will have the added benefit of working even if the FreeNAS developers change their naming scheme again for things in /conf/base/etc.
Write our hacks.sh script
1. I have OpenVPN and the pf firewall enabled, neither of which is stock in FreeNAS. You'll need to adjust this script to meet your needs. Open up your favorite text editor and save your hacks.sh file somewhere on a data drive on the FreeNAS box.
First, let's search /etc/rc.conf to see if our hacks are in place. If they are, there is nothing to do.
#!/bin/sh
if grep "pf_enable" /etc/rc.conf
then
    echo "Hacks in Place"
else
Now, the else section is where we add our hacks back into /etc/rc.conf when they are not there. I'm just using a simple echo for each line I want to add and appending it to the end of /etc/rc.conf. I'm adding a blank line before my hacks, some notes about the hacks I'm adding, and the config changes themselves. You will need to change the paths for pf_rules, openvpn_configfile and openvpn_dir to match your setup.
    echo "" >> /etc/rc.conf
    echo "#Turn on PF Firewall" >> /etc/rc.conf
    echo "pf_enable='YES'" >> /etc/rc.conf
    echo "pf_rules='/mnt/Files/joe/hacks/pf.conf'" >> /etc/rc.conf
    echo "gateway_enable='YES'" >> /etc/rc.conf
    echo "" >> /etc/rc.conf
    echo "#Turn on OpenVPN" >> /etc/rc.conf
    echo "openvpn_enable='YES'" >> /etc/rc.conf
    echo "openvpn_if='tun'" >> /etc/rc.conf
    echo "openvpn_configfile='/mnt/Files/openvpn/openvpn.conf'" >> /etc/rc.conf
    echo "openvpn_dir='/mnt/Files/openvpn'" >> /etc/rc.conf
Next we want to start the services we have added as hacks to FreeNAS; for me that is pf and OpenVPN. The last thing is to close out the if statement with fi.
    service pf start
    service openvpn start
fi
Here’s the full script.
#!/bin/sh
# The pf_enable line is our marker: if it is still in /etc/rc.conf the hacks survived.
if grep "pf_enable" /etc/rc.conf
then
    echo "Hacks in Place"
else
    # Marker is gone (fresh boot after an upgrade): append the hacks again.
    echo "" >> /etc/rc.conf
    echo "#Turn on PF Firewall" >> /etc/rc.conf
    echo "pf_enable='YES'" >> /etc/rc.conf
    echo "pf_rules='/mnt/Files/joe/hacks/pf.conf'" >> /etc/rc.conf
    echo "gateway_enable='YES'" >> /etc/rc.conf
    echo "" >> /etc/rc.conf
    echo "#Turn on OpenVPN" >> /etc/rc.conf
    echo "openvpn_enable='YES'" >> /etc/rc.conf
    echo "openvpn_if='tun'" >> /etc/rc.conf
    echo "openvpn_configfile='/mnt/Files/openvpn/openvpn.conf'" >> /etc/rc.conf
    echo "openvpn_dir='/mnt/Files/openvpn'" >> /etc/rc.conf
    # rc has already run by Post Init, so start the services ourselves.
    service pf start
    service openvpn start
fi
Save it and exit.
2. Now we need to make our hacks.sh script executable and, for good measure, owned by root. Make sure to change the path below to match your setup.
chmod 700 /mnt/Files/joe/hacks/hacks.sh
chown root /mnt/Files/joe/hacks/hacks.sh
Set up the FreeNAS GUI to run hacks.sh as an init script.
3. Log into the FreeNAS GUI and go to System > Init/Shutdown Scripts, then click Add Init/Shutdown Script.
Select Script in the first field, browse to your hacks.sh script and select it in the second field, and select Post Init in the third field.
Hit OK.
4. Reboot and watch the magic.
Verification
5. After you’ve rebooted, check the status of your hacks.
service openvpn status
You should get this if you are running OpenVPN:
openvpn is running as pid 17535.
service pf status
You should get this if you are running pf. Notice that it says Enabled:
No ALTQ support in kernel
ALTQ related functions disabled
Status: Enabled for 5 days 00:16:00           Debug: Urgent

State Table                          Total             Rate
  current entries                       21
  searches                      1236116133         2855.0/s
  inserts                            75627            0.2/s
  removals                           75649            0.2/s
Counters
  match                            2299524            5.3/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                          28950            0.1/s
  proto-cksum                            0            0.0/s
  state-mismatch                     94319            0.2/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                             15            0.0/s
  synproxy                               0            0.0/s
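As an added example (not the post's own script), here is a stricter variant of hacks.sh for the procedure above: it appends only the rc.conf lines that are actually missing, matches each one at the start of a line so a commented-out or stale value is not mistaken for a live one, and has a verify mode for the check the warning at the top asks for after every upgrade. The paths are the post's; the apply/verify arguments are an assumption that means the GUI entry has to pass one (for example as type Command running sh /mnt/Files/joe/hacks/hacks.sh apply), and RC_CONF can be pointed at a copy to try it first.

```shell
#!/bin/sh
# Added example, not the post's own script: an idempotent hacks.sh that re-adds
# only the rc.conf lines that are missing and can verify them after an upgrade.
# RC_CONF is overridable so it can be tried on a copy; paths are the post's.
RC_CONF="${RC_CONF:-/etc/rc.conf}"
HACKS='pf_enable=YES
pf_rules=/mnt/Files/joe/hacks/pf.conf
gateway_enable=YES
openvpn_enable=YES
openvpn_if=tun
openvpn_configfile=/mnt/Files/openvpn/openvpn.conf
openvpn_dir=/mnt/Files/openvpn'

# has_setting KEY VALUE FILE: true only for an uncommented KEY='VALUE' or
# KEY="VALUE" line, so a commented-out or stale value does not count as present.
has_setting() {
    grep -Eq "^$1=['\"]?$2['\"]?[[:space:]]*"'$' "$3" 2>/dev/null
}

# missing_hacks FILE: print each HACKS entry that FILE lacks, one per line.
missing_hacks() {
    printf '%s\n' "$HACKS" | while IFS='=' read -r key val; do
        has_setting "$key" "$val" "$1" || printf '%s=%s\n' "$key" "$val"
    done
}

# apply_hacks FILE: append the missing entries; prints how many were added.
apply_hacks() {
    added=0
    while IFS='=' read -r key val; do
        [ -n "$key" ] || continue   # here-doc yields one empty line if nothing is missing
        [ "$added" -eq 0 ] && printf '\n# Re-added by hacks.sh\n' >> "$1"
        printf "%s='%s'\n" "$key" "$val" >> "$1"
        added=$((added + 1))
    done <<EOF
$(missing_hacks "$1")
EOF
    echo "$added"
}

# verify_hacks FILE: list what is missing; exit 1 if anything is.
verify_hacks() {
    m=$(missing_hacks "$1")
    [ -z "$m" ] || { printf 'MISSING in %s:\n%s\n' "$1" "$m"; return 1; }
}

case "$1" in   # "apply" from the init script entry, "verify" after each upgrade
    apply) n=$(apply_hacks "$RC_CONF"); echo "$n setting(s) added to $RC_CONF"
           [ "$n" -gt 0 ] && { service pf start; service openvpn start; } ;;
    verify) verify_hacks "$RC_CONF" && echo "all hacks present in $RC_CONF" ;;
esac
```

Running it a second time adds nothing, so it is safe as a Post Init entry on every boot, and "verify" exits non-zero with the missing lines listed when an upgrade has wiped them.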
Final Thoughts
I set this up and tested it in a VM that started out as FreeNAS 9.2.0. After setting this all up, I did a system upgrade using the GUI and upgraded to 9.2.1.2. After rebooting, I checked /etc/rc.conf and my changes were in fact still there. I then checked to see if pf and OpenVPN were running and they were. SUCCESS!!!
I hope you all enjoy this. Let me know of all the great ways you find to use this.
This is great Joe. Thanks again for another great guide. I for sure need to set this up before I upgrade.
Do you know, would it just be easier to do all of this in a jail so it isn’t affecting the main installation? I would think it would be possible, and you’d just forward your OpenVPN ports to the jail ip rather than the freenas ip, no? Have you tried it this way?
Yes, that should be possible now with the way interfaces are being shown to the jails. In earlier versions of FreeNAS, that didn't work as well. With it running in the jail though, it will be difficult to get access to the FreeNAS GUI over the VPN, should you ever need to do that.
Hello! I am after something similar, but I need shutdown_timeout="300" to alter the shutdown watchdog timeout.
I understand the insertion, my question is – how to “force” system to read the new setting?
Sorry, I really don’t know.