Back up Firewall Rules?

As far as I can tell, DSM provides no way to back up firewall rules. Configuration backup doesn't seem to do it, nor does Hyper Backup.
Other than taking a screencap of my ruleset, and then retyping it all back in if I need to restore my system, does anyone know of a way to do this?
Am I missing something obvious?
 
A quick look in a config backup and the sqlite DB it contains doesn't appear to include FW rules, as you said. I'm guessing there is probably a place to find the rules file: will take a look later.

If you consider that the FW can be a cause of access problems and are LAN specific then restoring them could prolong existing recovery or cause issues when cloning at a new location. But restoring to a disabled profile would be useful.

Screenshots as a backup isn't a bad fallback plan. Every time my DVB-T TV recorder box needs to re-scan for channels it will ditch the recording schedule ... my iPhone camera roll has historical references to the schedule going back years :)
 
Thanks, fredbert! Interestingly, the Synology *routers* DO include the firewall settings in their configuration backups. So it's clearly, as you suggest, a deliberate choice not to do so in DSM. But DSM allows the user to selectively restore from the configuration backup, so I don't know why they can't allow us to back up the firewall settings and then, if including those settings in our restoration would do more harm than good, allow us to uncheck a "firewall settings" box in the configuration restore process (just as we can uncheck things like "permissions," etc.).
 
> Interestingly, the Synology *routers* DO include the firewall settings in their configuration backups
I thought I remembered FW rules being backed up but checked DSM to confirm where I remembered that from (SRM). I've unpacked SRM backups to find things like the IP block lists and such like.
 
Hmph, so I looked in /etc/firewall and it's completely empty of files, even though I have an elaborate firewall set up on this particular machine. /etc.defaults/firewall is also empty. Baffled now.
 
I have eth0.conf and global.conf in there and looked to be the same as my FW rules ... only global rules. Closer inspection and not so accurate.

A trawl with ls -ltr / > temp.txt indicates a better location /usr/syno/etc/firewall.d. I cloned my current FW profile to get a current timestamp on files and see that these have the cloned profile in there. But how to get them to load after restore??
 
fredbert, assuming those are the right firewall rules, then wouldn't we just copy those files to somewhere for safekeeping, and then, after restore, SSH into the Diskstation, and copy them back?
 
It appears that the default firewall rules are in 1.json, and any additional sets you create get put into serially numbered files 2.json, 3.json, etc.

meta.json keeps track of the other files. I'm not sure where the NAMES that we give our custom firewall rulesets are kept, but perhaps it doesn't matter. Anyway, I'm going to make a backup copy of the files in that folder for each of my diskstations and keep it safe. It's not like doing that costs anything...
 
OK. I have 1.json but the other is 1590505357.json, go figure :) Hence why I couldn't say how they got loaded.

Also meta.json names my default plus a custom profile that I've recently deleted. It doesn't include my new cloned profile. But firewall_settings.json does state the active profile is the new one. Was going to say meta.json might be updated on reboot but it's dated 3rd May and the uptime is 11 days.

Name of the profile is in the n.json file, near the top.
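
The copy-for-safekeeping approach discussed in this thread can be scripted as below. This is an added example, not part of any poster's reply and not Synology tooling: the function names and archive naming are assumptions, and it assumes `tar` and `sha256sum` are available in the NAS shell. It only snapshots and compares the files under /usr/syno/etc/firewall.d; how DSM reloads them after a restore is left open in the thread and is not addressed here.

```shell
#!/bin/sh
# Added example, not from the thread: snapshot the DSM firewall profile files
# and later check whether the live files still match the snapshot.
# The directory below is the one reported in the thread; the archive naming
# and the function names are assumptions made for this example.
FW_DIR="${FW_DIR:-/usr/syno/etc/firewall.d}"

# Print "sha256  ./name.json" for every JSON file in directory $1.
fw_manifest() {
    ( cd "$1" 2>/dev/null && sha256sum ./*.json 2>/dev/null )
}

# fw_backup SRC DEST: archive SRC into DEST, write a hash manifest beside it,
# and print the archive path. Refuses a directory with no JSON files (the
# thread shows /etc/firewall can be empty while rules are active elsewhere).
fw_backup() {
    src=$1; dest=$2
    manifest=$(fw_manifest "$src") || true
    [ -n "$manifest" ] || { echo "no .json files in $src" >&2; return 1; }
    mkdir -p "$dest" || return 1
    archive="$dest/firewall.d-$(date +%Y%m%d-%H%M%S).tar.gz"
    tar -czf "$archive" -C "$src" . || return 1
    printf '%s\n' "$manifest" > "$archive.sha256"
    echo "$archive"
}

# fw_verify ARCHIVE DIR: succeed only if DIR holds exactly the files recorded
# in the manifest with identical content (catches edited, added and deleted
# profiles, e.g. a new 1590505357.json appearing next to 1.json).
fw_verify() {
    live=$(fw_manifest "$2") || true
    [ -n "$live" ] && [ "$live" = "$(cat "$1.sha256")" ]
}

# fw_stage ARCHIVE DIR: unpack into a staging directory for inspection rather
# than over the live files, then confirm the unpacked copy matches the manifest.
fw_stage() {
    mkdir -p "$2" && tar -xzf "$1" -C "$2" && fw_verify "$1" "$2"
}

# Usage on the NAS over SSH (reading FW_DIR is assumed to need root; the
# destination is a placeholder):
#   fw_backup "$FW_DIR" /path/to/backup/dir
```

Running `fw_verify` against the live directory on a schedule also flags rule files that changed since the last snapshot.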
 
