Netgate Discussion Forum

    HOWTO: remote backup the pfSense firewall

      rocky

      Hello,

      I have read some posts in the forum. Finally I have my own way to remote backup the firewall. I write my steps here. Feel free to give feedback and help me improve this guide.

      Purpose: remote backup the firewall
      Solution: rsync+ssh backup
      Requirements:
          rsync, ssh, shell (for both firewall + client)
      Settings:
          firewall (192.168.1.1)
          backup client (192.168.1.9)
          pfsense: FreeBSD xyz.localdomain 6.2-RELEASE-p11 FreeBSD 6.2-RELEASE-p11
      FIXME:
          security hole due to NON-password private RSA key

      Step 0: prepare non-password RSA key ==> for automatic process
         a. from client, use ssh-keygen to generate private/public key without password
         b. put the private key to client => ~/.ssh/firewall
         c. put the public key to firewall => /root/.ssh/authorized_keys (you can use web gui to update the key)
         Please try this step by yourself. Google it :)

      Step 1: install rsync to firewall
          a. download FreeBSD-6.2.iso DISC2 and mount to somewhere. We will have rsync-2.6.8_2.tbz for freebsd-6.2
          b. Put rsync-2.6.8_2.tbz to the firewall (by web server from client or use webGUI to upload file)

          Or you may fetch this rsync from my server:

              fetch http://kyanh.zapto.org:9999/freebsd/rsync-2.6.8_2.tbz

          c. ssh login to firewall
          d. then install package:

              pkg_add rsync-2.6.8_2.tbz
      

      Step 2: modify the SHELL login message
         a. ssh login to the firewall
         b. empty the file .profile

          cd /root/
          echo '' > .profile

      This step is required, so that we can use rsync backup script from client. If you do not do this, the shell is INTERACTIVE and rsync from client cannot do the backup routines

      Step 3: from client, create the backup script. Below is my script. Please note:
          a. We must login by ROOT account of firewall. Do not use the ADMIN account (ADMIN uses SHELL=/etc/rc.initial)
          b. The destination of my backup file is /home/users/kyanh/tmp/firewall

          #!/bin/bash
          root=/home/users/kyanh
          dest="$root/tmp/firewall"

          # create the destination if needed and keep it private
          [ -d "$dest" ] || mkdir -p "$dest"
          chmod 700 "$dest"
          # stop if cd fails: rsync --delete must never run in the wrong directory
          cd "$dest" || exit 1

          echo "start: $(date +%y%m%d-%H)"

          # pull the whole firewall filesystem over ssh using the dedicated key
          rsync --delete -avze "ssh -i /home/users/kyanh/.ssh/firewall" root@192.168.1.1:/ .

          cd -

      Step 4: Add cron job from CLIENT (192.168.1.9). I use "hourly" backup with the above script (named monobackup)

      01 * * * *  /home/users/kyanh/bin/monobackup 
      

      That's all. Enjoy!
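
      The FIXME at the top of the post flags the passwordless key as a security hole. One way to limit what that key can do on the firewall is an SSH forced command that only permits a read-only rsync pull, shown here as an added example that is not part of the original post. The wrapper path /root/bin/backup-only.sh and the function name are assumptions; the authorized_keys options are standard OpenSSH ones.

```shell
#!/bin/sh
# Added example, not part of the original post.
# Hypothetical install path on the firewall: /root/bin/backup-only.sh
#
# authorized_keys line for the backup key (a single line; the key body is a
# placeholder):
#   from="192.168.1.9",command="/root/bin/backup-only.sh",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa <PUBLIC-KEY> backup

NL='
'

# Return 0 only if the client requested a read-only rsync transfer.
is_allowed_backup_cmd() {
    case $1 in
        # Anything a shell could interpret is refused outright.
        *";"*|*"&"*|*"|"*|*"<"*|*">"*|*'`'*|*'$'*|*"("*|*")"*|*'\'*|*"$NL"*)
            return 1 ;;
        # Sender-side options that delete source files after transfer.
        *--remove-*)
            return 1 ;;
        # "--server --sender" means the firewall only sends data.
        "rsync --server --sender "*)
            return 0 ;;
    esac
    return 1
}

# sshd puts what the client asked for in SSH_ORIGINAL_COMMAND. It is empty for
# an interactive login, in which case the script ends and the session closes.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if is_allowed_backup_cmd "$SSH_ORIGINAL_COMMAND"; then
        set -f                          # no glob expansion when splitting
        exec $SSH_ORIGINAL_COMMAND      # split on whitespace, no shell eval
    fi
    echo "backup-only: refused: $SSH_ORIGINAL_COMMAND" >&2
    exit 1
fi
```

      With this entry in place, a stolen copy of ~/.ssh/firewall can still read the firewall's files from 192.168.1.9, but it cannot open a shell, forward ports, or push files to the firewall.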
