AutoConfig Backup Location

tyler.montney 0

I am aware of the regular backup location, /cf/conf/backup, but these files are plaintext (so they can't be the AutoConfig ones).

I'm looking to run a cron job from PFSense to push config backups to a remote location. I've seen a GitHub recommendation a few times, but it's an EXE (requires a Windows machine) and is pull (not push). Far easier to secure when PFSense is the one pushing the config to a share (tied to a user with limited permissions).

tyler.montney 0

https://docs.netgate.com/pfsense/en/latest/backup/remote-backup.html

Originally, I had been using the CURL method. Somehow I never realized it, but I don't believe it's working. (It's saving HTML content.)

Gertjan

@tyler-montney-0 said in AutoConfig Backup Location:

Originally, I had been using the CURL method. Somehow I never realized it, but I don't believe it's working. (It's saving HTML content.)

It's a pull method.
And its working, as it 'logs in' and then requests the xml file.
At least, it did work when I tested it a couple of month ago.

Btw : it's easy to "push" as you can see : use the scp method.

Steve_B

Perhaps I misunderstand your question, but the backups made by the pfSense Auto Config Backup system are encrypted and pushed to a server in one of Netgate's data centers, either on each change or on a user defined schedule. You won't find them on the firewall.

tyler.montney 0

@steve_b Oh, no I definitely don't want this. The description for Hint/Identifier should've tipped me off, but this needs to be more clearly stated.

@Gertjan Right, now that I realize the backup goes to Netgate, that means the plaintext is my only option.

Steve_B

https://docs.netgate.com/pfsense/en/latest/backup/autoconfigbackup.html

Seems pretty clear :)

tyler.montney 0

@steve_b I mean from the GUI. I only review documentation when something seems unclear. Nothing there stuck out enough to make me think otherwise. Opened #12296 on redmine.

I've opted to go the scp route, using the cron package (to set a cron job from the web interface).

Gertjan

@tyler-montney-0 said in AutoConfig Backup Location:

I mean from the GUI.

The file you download is a backup, meant to be stored on a device that you trust ^^
( as any backup ...)

@tyler-montney-0 said in AutoConfig Backup Location:

Opened #12296 on redmine.

You have a point.
"We all know" what ABC is, where it's stored, and under what conditions you can retrieve it.
ABC uses a server @Netgate where our copies are saved. They are encrypted, and can only be read back if you have kept that key (and ID etc) on a safe (local !) place.
ABC was, in the past, on option that was not free. It was a package that you had to add, and set up.

The doc doesn't really state clearly that is actually a 'cloud' thing.
That it isn't a perfect solution.
That it needs a working connection to the Internet.
That you should backup the access credentials.
Etc etc.

@tyler-montney-0 said in AutoConfig Backup Location:

I've opted to go the scp route, using the cron package (to set a cron job from the web interface).

If you created a small shell script, you could add your own encryption.
Take a copy of the config file, encrypt it before sending it away to some local device.