Back up Firewall Rules?

As far as I can tell, DSM provides no way to back up firewall rules. Configuration backup doesn't seem to do it, nor does Hyper Backup.
Other than taking a screencap of my ruleset, and then retyping it all back in if I need to restore my system, does anyone know of a way to do this?
Am I missing something obvious?
 
A quick look in a config backup and the sqlite DB it contains doesn't appear to include FW rules, as you said. I'm guessing there is probably a place to find the rules file: will take a look later.

If you consider that the FW rules can be a cause of access problems and are LAN-specific, then restoring them could prolong existing recovery or cause issues when cloning at a new location. But restoring to a disabled profile would be useful.

Screenshots as a backup isn't a bad fallback plan. Every time my DVB-T TV recorder box needs to re-scan for channels it will ditch the recording schedule ... my iPhone camera roll has historical references to the schedule going back years :)
 
Thanks, fredbert! Interestingly, the Synology *routers* DO include the firewall settings in their configuration backups. So it's clearly, as you suggest, a deliberate choice not to do so in DSM. But DSM allows the user to selectively restore from the configuration backup, so I don't know why they can't allow us to back up the firewall settings and then, if including those settings in our restoration would do more harm than good, allow us to uncheck a "firewall settings" box in the configuration restore process (just as we can uncheck things like "permissions," etc.).
 
Interestingly, the Synology *routers* DO include the firewall settings in their configuration backups
I thought I remembered FW rules being backed up but checked DSM to confirm where I remembered that from (SRM). I've unpacked SRM backups to find things like the IP block lists and such like.
 
Hmph, so I looked in /etc/firewall and it's completely empty of files, even though I have an elaborate firewall set up on this particular machine. /etc.defaults/firewall is also empty. Baffled now.
 
I have eth0.conf and global.conf in there and looked to be the same as my FW rules ... only global rules. Closer inspection and not so accurate.

A trawl with ls -ltr / > temp.txt indicates a better location /usr/syno/etc/firewall.d. I cloned my current FW profile to get a current timestamp on files and see that these have the cloned profile in there. But how to get them to load after restore??
 
fredbert, assuming those are the right firewall rules, then wouldn't we just copy those files to somewhere for safekeeping, and then, after restore, SSH into the Diskstation, and copy them back?
 
It appears that the default firewall rules are in 1.json, and any additional sets you create get put into serially numbered files 2.json, 3.json, etc.

meta.json keeps track of the other files. I'm not sure where the NAMES that we give our custom firewall rulesets are kept, but perhaps it doesn't matter. Anyway, I'm going to make a backup copy of the files in that folder for each of my diskstations and keep it safe. It's not like doing that costs anything...
 
OK. I have 1.json but the other is 1590505357.json, go figure :) Hence why I couldn't say how they got loaded.

Also meta.json names my default plus a custom profile that I've recently deleted. It doesn't include my new cloned profile. But firewall_settings.json does state the active profile is the new one. Was going to say meta.json might be updated on reboot but it's dated 3rd May and the uptime is 11 days.

Name of the profile is in the n.json file, near the top.
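
The copy-for-safekeeping step discussed in this thread, as an added example that is not part of any poster's message or of Synology's tooling: it archives /usr/syno/etc/firewall.d (the path reported above) with a checksum and can later report whether the live rule files have drifted from that backup. The function names, the archive naming and the FW_DIR override are assumptions; reloading rules after a restore, which the thread leaves open, is not covered.

```sh
#!/bin/sh
# Added example (not from the thread): archive DSM firewall profile files.
# FW_DIR defaults to the path reported in the thread; override it for testing.
FW_DIR="${FW_DIR:-/usr/syno/etc/firewall.d}"

# fw_backup DEST_DIR: writes a timestamped tar.gz plus .sha256, prints its path.
fw_backup() {
    dest="$1"
    [ -d "$FW_DIR" ] || { echo "no such directory: $FW_DIR" >&2; return 1; }
    # Refuse to write an empty backup: the thread shows some candidate
    # directories (/etc/firewall) can exist and hold no rule files at all.
    ls "$FW_DIR"/*.json >/dev/null 2>&1 || { echo "no .json in $FW_DIR" >&2; return 1; }
    mkdir -p "$dest" && chmod 700 "$dest" || return 1   # rules describe exposure
    archive="$dest/firewall.d-$(date +%Y%m%d-%H%M%S).tar.gz"
    # -C stores relative paths, so the archive unpacks anywhere for inspection.
    tar -czf "$archive" -C "$FW_DIR" . || return 1
    name=$(basename "$archive")
    ( cd "$dest" && sha256sum "$name" > "$name.sha256" ) || return 1
    echo "$archive"
}

# fw_verify ARCHIVE: 0 = archive intact and live files identical to it,
# 2 = archive fails its checksum, 3 = live rule files differ from the backup.
fw_verify() {
    archive="$1"
    name=$(basename "$archive")
    ( cd "$(dirname "$archive")" && sha256sum -c "$name.sha256" >/dev/null 2>&1 ) \
        || { echo "checksum mismatch: $archive" >&2; return 2; }
    tmp=$(mktemp -d) || return 1
    tar -xzf "$archive" -C "$tmp" || { rm -rf "$tmp"; return 1; }
    # diff -r catches changed, added and removed profile files alike.
    if diff -r "$tmp" "$FW_DIR" >/dev/null; then rc=0; else rc=3; fi
    rm -rf "$tmp"
    return "$rc"
}
```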
 
