Back up Firewall Rules?

298
113
NAS
DS212J, DS214play, DS216, DS216play, DS414, DS918+, RS816
Router
RT2600ac, MR2200ac
Operating system
Windows
Mobile operating system
iOS
As far as I can tell, DSM provides no way to back up firewall rules. Configuration backup doesn't seem to do it, nor does Hyper Backup.
Other than taking a screencap of my ruleset, and then retyping it all back in if I need to restore my system, does anyone know of a way to do this?
Am I missing something obvious?
 

Rusty

Moderator
NAS Support
1,891
576
www.blackvoid.club
NAS
DS412+, DS718+, DS918+, 2x RS3614RPxs+ with expansions
Router
RT1900ac, RT2600ac, MR2200ac
Haven't looked myself to see if there is an option via CLI, but there is no way to do it via the UI.
 

fredbert

Moderator
NAS Support
Subscriber
1,310
550
Operating system
macOS
Mobile operating system
iOS
A quick look in a config backup and the sqlite DB it contains doesn't appear to include FW rules, as you said. I'm guessing there is probably a place to find the rules file: will take a look later.

If you consider that the FW can be a cause of access problems and are LAN specific then restoring them could prolong existing recovery or cause issues when cloning at a new location. But restoring to a disabled profile would be useful.

Screenshots as a backup isn't a bad fallback plan. Every time my DVB-T TV recorder box needs to re-scan for channels it will ditch the recording schedule ... my iPhone camera roll has historical references to the schedule going back years :)
 
298
113
NAS
DS212J, DS214play, DS216, DS216play, DS414, DS918+, RS816
Router
RT2600ac, MR2200ac
Operating system
Windows
Mobile operating system
iOS
Thanks, fredbert! Interestingly, the Synology *routers* DO include the firewall settings in their configuration backups. So it's clearly, as you suggest, a deliberate choice not to do so in DSM. But DSM allows the user to selectively restore from the configuration backup, so I don't know why they can't allow us to back up the firewall settings and then, if including those settings in our restoration would do more harm than good, allow us to uncheck a "firewall settings" box in the configuration restore process (just as we can uncheck things like "permissions," etc.).
 

fredbert

> Interestingly, the Synology *routers* DO include the firewall settings in their configuration backups
I thought I remembered FW rules being backed up but checked DSM to confirm where I remembered that from (SRM). I've unpacked SRM backups to find things like the IP block lists and such like.
 
298
113
NAS
DS212J, DS214play, DS216, DS216play, DS414, DS918+, RS816
Router
RT2600ac, MR2200ac
Operating system
Windows
Mobile operating system
iOS
Hmph, so I looked in /etc/firewall and it's completely empty of files, even though I have an elaborate firewall set up on this particular machine. /etc.defaults/firewall is also empty. Baffled now.
 

fredbert

I have eth0.conf and global.conf in there and looked to be the same as my FW rules ... only global rules. Closer inspection and not so accurate.

A trawl with ls -ltr / > temp.txt indicates a better location /usr/syno/etc/firewall.d. I cloned my current FW profile to get a current timestamp on files and see that these have the cloned profile in there. But how to get them to load after restore??
 
298
113
NAS
DS212J, DS214play, DS216, DS216play, DS414, DS918+, RS816
Router
RT2600ac, MR2200ac
Operating system
Windows
Mobile operating system
iOS
fredbert, assuming those are the right firewall rules, then wouldn't we just copy those files to somewhere for safekeeping, and then, after restore, SSH into the Diskstation, and copy them back?
 

fredbert

Either that or find the new files and edit in the saved contents. The filenames, for me, aren't fully obvious so must either be pulled in because they are in this folder or because there's a record of the filenames.
 
298
113
NAS
DS212J, DS214play, DS216, DS216play, DS414, DS918+, RS816
Router
RT2600ac, MR2200ac
Operating system
Windows
Mobile operating system
iOS
It appears that the default firewall rules are in 1.json, and any additional sets you create get put into serially numbered files 2.json, 3.json, etc.

meta.json keeps track of the other files. I'm not sure where the NAMES that we give our custom firewall rulesets are kept, but perhaps it doesn't matter. Anyway, I'm going to make a backup copy of the files in that folder for each of my diskstations and keep it safe. It's not like doing that costs anything...
 

fredbert

OK. I have 1.json but the other is 1590505357.json, go figure :) Hence why I couldn't say how they got loaded.

Also meta.json names my default plus a custom profile that I've recently deleted. It doesn't include my new cloned profile. But firewall_settings.json does state the active profile is the new one. Was going to say meta.json might be updated on reboot but it's dated 3rd May and the uptime is 11 days.

Name of the profile is in the n.json file, near the top.
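
Added example (not part of the forum thread and not Synology tooling): shell functions for the copy-for-safekeeping approach discussed above. They archive the *.json files from /usr/syno/etc/firewall.d with a SHA-256 manifest and later report whether the live rules have drifted from that archive. The function names and the destination path are assumptions, and since the thread leaves open how DSM loads files copied back after a restore, this covers backup and comparison only.

```shell
#!/bin/sh
# Added example: archive DSM firewall profile files and detect later drift.
# FW_DIR is the directory reported in the thread; all other names are assumptions.
FW_DIR="${FW_DIR:-/usr/syno/etc/firewall.d}"

# fw_manifest DIR: print "sha256  name" for each *.json in DIR, sorted by name.
fw_manifest() {
    ( cd "$1" 2>/dev/null || exit 1
      for f in *.json; do
          [ -f "$f" ] && sha256sum "$f"
      done | sort -k2 )
}

# fw_backup SRC DEST: write DEST/fw-rules-<timestamp>.tar.gz holding the *.json
# files (1.json, <n>.json, meta.json, ...) plus MANIFEST.sha256; print its path.
fw_backup() {
    src="$1"; dest="$2"
    [ -d "$src" ] || { echo "no such directory: $src" >&2; return 1; }
    manifest=$(fw_manifest "$src")
    [ -n "$manifest" ] || { echo "no .json files in $src" >&2; return 1; }
    mkdir -p "$dest" || return 1
    chmod 700 "$dest" || return 1        # rule sets reveal exposed services
    stage=$(mktemp -d) || return 1
    cp -p "$src"/*.json "$stage"/ || { rm -rf "$stage"; return 1; }
    printf '%s\n' "$manifest" > "$stage/MANIFEST.sha256"
    out="$dest/fw-rules-$(date +%Y%m%d-%H%M%S).tar.gz"
    rc=0
    ( umask 077; tar -czf "$out" -C "$stage" . ) || rc=$?
    rm -rf "$stage"
    [ "$rc" -eq 0 ] && echo "$out"
    return "$rc"
}

# fw_drift ARCHIVE DIR: 0 if the live files still match the archived manifest,
# 1 if any file was added, removed or changed, 2 if the archive is unreadable.
fw_drift() {
    saved=$(tar -xzOf "$1" ./MANIFEST.sha256 2>/dev/null) || return 2
    [ "$saved" = "$(fw_manifest "$2")" ]
}

# Usage on the NAS over SSH (destination path is a placeholder):
#   archive=$(fw_backup "$FW_DIR" /volume1/backup/firewall)
#   fw_drift "$archive" "$FW_DIR" || echo "rules changed since $archive"
```

Running the drift check from a scheduled task gives a prompt to take a fresh archive whenever a profile is edited, cloned or deleted.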
 
