On Mon, Nov 24, 2025 at 08:06:59PM +0100, [email protected] wrote:
> I have a simple pf firewall, and to "rebuild" it (in case of disaster) I
> think I can probably just backup some selected files.
>
> List below. Is this a sound approach in principle? And/or have I missed any
> obvious files/locations?
> (thanks!)
>
> /etc/ntpd.conf ntp configuration
> /etc/rc.conf services to start
> /etc/rc.conf.local autostart unbound and dhcpd at boot
> /etc/login.conf.d/unbound unbound file descriptor limit increase
> /etc/dhcpleased.conf stop the dns supplied in dhcp from
> writing to resolv.conf - WAN/ISP NIC
> /etc/doas.conf doas config
> /etc/myname system name
> /etc/sysctl.conf enabled ipv4 packet forwarding
> /etc/hostname.* network interface configs
> /etc/dhcpd.conf dhcp server config
> /etc/pf.conf pf firewall config
> /var/unbound/etc/unbound.conf unbound dns server config
> /etc/resolv.conf point dns at self
>
It will always depend on what services you are using and/or which files
you changed since install. I usually run
mtree -c -n -p / > /root/post_install.mtree
after installing, and later on use
mtree -p / -f /root/post_install.mtree
to see what changed since the install. In most cases that is what I
want to back up (more exactly, what I want to put into the site**.tgz
file I use on the installer).
I never bothered to tune this, so I get a lot of false positives, e.g. on
/var, but that forces me to be on top of things instead of blindly
accepting the results.
--
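As an added illustration of the mtree-based approach above (example code, not the poster's own script): the two mtree invocations from the reply, plus a filter that turns the comparison output into the relative file list a site*.tgz needs, with an opt-out for the /var false positives the reply mentions. It assumes OpenBSD-style mtree(8) comparison output (a "PATH changed" line followed by tab-indented attribute lines, and "extra: PATH" / "missing: PATH" lines), pax(1) reading pathnames from stdin in write mode, and the spec and output paths under /root are hypothetical defaults.

```shell
#!/bin/sh
# Added example, not from the original thread: build a site*.tgz from the
# files mtree reports as changed since the post-install snapshot.
# Assumed format of "mtree -p / -f SPEC" output (OpenBSD/FreeBSD mtree):
#   etc/pf.conf changed            followed by "\tsize (old, new)" etc.
#   extra: root/post_install.mtree present on disk, absent from the spec
#   missing: etc/examples/foo      in the spec, gone from disk

# Reduce mtree comparison output (stdin) to one relative path per line.
# "missing:" entries have nothing on disk to archive, so they are dropped;
# a site tarball cannot express "delete this file" anyway.
mtree_changed_paths() {
    awk '
        /^\t/        { next }                               # attribute detail lines
        /^missing: / { next }                               # gone since install
        /^extra: /   { sub(/^extra: /, ""); print; next }   # new since install
        / changed$/  { sub(/ changed$/, ""); print; next }  # modified since install
    '
}

# Drop paths equal to, or underneath, any prefix given as an argument
# (relative to /, no leading slash), e.g. "var/log var/db".
exclude_prefixes() {
    awk -v pfx="$*" '
        BEGIN { n = split(pfx, p, " ") }
        {
            for (i = 1; i <= n; i++)
                if ($0 == p[i] || index($0, p[i] "/") == 1) next
            print
        }
    '
}

# Keep only regular files under ROOT (default "/"), so that pax does not
# recurse into a directory that merely changed mtime because a file was
# added to it (e.g. "etc" after creating /etc/doas.conf).
regular_files_only() {
    root=${1:-}
    while IFS= read -r path; do
        if [ -f "$root/$path" ]; then
            printf '%s\n' "$path"
        fi
    done
}

# Prefixes treated as noise; override per call, e.g. NOISE="var/log" ... build.
NOISE=${NOISE:-"var/log var/db var/run var/cache tmp"}

# Compare the live system against SPEC and write the changed regular files
# into OUT as relative paths, which is what the installer extracts over /.
build_site_tgz() {
    spec=${1:-/root/post_install.mtree}
    out=${2:-/root/site$(uname -r | tr -d .).tgz}
    [ -f "$spec" ] || { echo "no spec file: $spec" >&2; return 1; }
    mtree -p / -f "$spec" \
        | mtree_changed_paths \
        | exclude_prefixes $NOISE \
        | regular_files_only / \
        | (cd / && pax -wzf "$out")
    chmod 600 "$out"          # doas.conf, hostname.* (keys) etc. end up in here
    echo "wrote $out" >&2
}

# Usage (run as root):
#   sh site_from_mtree.sh snapshot [SPEC]       right after install
#   sh site_from_mtree.sh build [SPEC] [OUT]    whenever the backup is refreshed
case "${1:-}" in
    snapshot) mtree -c -n -p / > "${2:-/root/post_install.mtree}" ;;
    build)    shift; build_site_tgz "$@" ;;
esac
```

Two caveats worth keeping in mind with this approach. The installer extracts siteXX.tgz (XX is the release without the dot) over / after the base sets, which is why the archive must hold relative paths; the tarball therefore also contains /etc/doas.conf, the hostname.* files and whatever else changed, and needs the same handling as a root-readable backup. And the default mtree keywords compare size and mtime but no checksum, so a change that preserves both (or one where the mtime was put back) is invisible; add `-K cksum` (or one of the digest keywords) when creating the spec, and keep a copy of the spec off the box, if the comparison is also meant to catch tampering rather than just find things to back up.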