HOWTO: remote backup the pfSense firewall



  • Hello,

    I have read some posts in the forum . Finally I have my own way to remote backup the firewall. I write my steps here.  Feel free to feedback and help me improve this guide.

    Purpose: remote backup the firewall
    Solution: rsync+ssh backup
    Requirements:
        rsync, ssh, shell (for both firewall + client)
    Settings:
        firewall (192.168.1.1)
        backup client (192.168.1.9)
        pfsense: FreeBSD xyz.localdomain 6.2-RELEASE-p11 FreeBSD 6.2-RELEASE-p11
    FIXME:
        security hole due to NON-password private RSA key

    Step 0: prepare non-password RSA key ==> for automatic proccess
       a. from client, use ssh-keygen to generate private/public key without password
       b. put the private key to client => ~/.ssh/firewall
       c. put the public key to firewall => /root/.ssh/authorized_keys (you can use web gui to update the key)
       Please try this step by yourself. Google it :)

    Step 1: install rsync to firewall
        a. download FreeBSD-6.2.iso DISC2 and mount to somewhere. We will have rsync-2.6.8_2.tbz for freebsd-6.2
        b. Put rsync-2.6.8_2.tbz to the firewall (by web server from client or use webGUI to upload file)

    Or you may fetch this rsync from my server:

    
    fetch http://kyanh.zapto.org:9999/freebsd/rsync-2.6.8_2.tbz
    
    

    c. ssh login to firewall
        d. then install package:

    pkg_add rsync-2.6.8_2.tbz
    

    Step 2: modify the SHELL login message
       a. ssh login to the firewall
       b. empty the file .profile

    cd /root/
    echo '' > .profile
    

    This step is required, so that we can use rsync backup script from client. If you donot do this, the shell is INTERATIVE and rsync from client cannot do the backup routines

    Step 3: from client, create the backup script. Below my script. Please note:
        a. We must login by ROOT account of firewall. Don't not use ADMIN account (AMIND uses SHELL=/etc/rc.initial )
        b. The destination of my backup file is /home/users/kyanh/tmp/firewall

    
    #!/bin/bash
    root=/home/users/kyanh/
    dest=$root/tmp/firewall
    
    [ -d $dest ] || mkdir -p $dest
    chmod 700 $dest
    cd $dest
    
    echo "start: `date +%y%m%d-%H`"
    
    rsync --delete -avze "ssh -i /home/users/kyanh/.ssh/firewall" root@192.168.1.1:/ .
    
    cd -
    

    Step 4: Add cron job from CLIENT (192.168.1.9). I use "hourly" backup with the above script (named monobackup)

    01 * * * *  /home/users/kyanh/bin/monobackup 
    

    That's all. Enjoy!


Locked