bulk Import of ALIASES & fw RULES from external .xml as addition to existed already in pfSense
-
Hi pfSense Gurus!
On a separate test pfSense we are testing the FW rules, and of course have a set of RULES and a set of ALIASES.
How can I bulk import ALIASES and RULES from an external .xml (from this test server) as an addition to those already existing in the running production pfSense?
I read the official Restoring from Backups, but it is only about a complete REPLACE of a section...
I'm definitely not falling in love with copy/paste from one .xml to another...
-
@sergei_shablovsky said in bulk Import of ALIASES & fw RULES from external .xml as addition to existed already in pfSense:
complete REPLACE section...
Last time I checked, I could export "Aliases" and "Firewall rules" only.
These xml files can be imported.
-
@gertjan said in bulk Import of ALIASES & fw RULES from external .xml as addition to existed already in pfSense:
@sergei_shablovsky said in bulk Import of ALIASES & fw RULES from external .xml as addition to existed already in pfSense:
complete REPLACE section...
Last time I checked, I could export "Aliases" and "Firewall rules" only.
These xml files can be imported.
Yes, but I need to APPEND INSTEAD OF REPLACE
-
@sergei_shablovsky said in bulk Import of ALIASES & fw RULES from external .xml as addition to existed already in pfSense:
APPEND INSTEAD OF REPLACE
Not directly possible I guess.
But :
Export Aliases on first firewall.
Export Aliases on second firewall.
Merge the 2 using your favourite text editor.
So, you still need to Ctrl-C Ctrl-V ones.
-
Mmm, there's no easy way to do that. You can add aliases manually easily enough but firewall rules reference the defined interfaces so they would have to match exactly. The rule ordering might also end up not what you want.
Steve
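The interface mismatch described above can be checked before any rule is copied over. This is an added example, not part of the original post or of pfSense; it assumes rules sit under `<filter><rule>` with an `<interface>` element and that production interfaces are the children of `<interfaces>` in config.xml, and the function name and sample XML are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed samples. Assumed layout: rules under <filter><rule>, each with an
# <interface> element; production interfaces as children of <interfaces>.
DEV_RULES = """<filter>
  <rule><type>pass</type><interface>lan</interface><descr>LAN to web</descr></rule>
  <rule><type>block</type><interface>opt2</interface><descr>Lab isolation</descr></rule>
  <rule><type>pass</type><interface>wan,opt3</interface><floating>yes</floating>
        <descr>Floating</descr></rule>
</filter>"""
PROD_CONFIG = """<pfsense>
  <interfaces><wan/><lan/><opt1/></interfaces>
</pfsense>"""


def unmatched_rule_interfaces(dev_rules_xml, prod_config_xml):
    """Return [(rule_index, descr, missing_interfaces)] for dev rules that
    reference an interface name production does not define."""
    ifaces = ET.fromstring(prod_config_xml).find("interfaces")
    known = {i.tag for i in ifaces} if ifaces is not None else set()
    problems = []
    for idx, rule in enumerate(ET.fromstring(dev_rules_xml).iter("rule")):
        # Floating rules may list several interfaces separated by commas.
        raw = rule.findtext("interface") or ""
        wanted = [n.strip() for n in raw.split(",") if n.strip()]
        missing = [n for n in wanted if n not in known]
        if missing:
            problems.append((idx, rule.findtext("descr") or "", missing))
    return problems


if __name__ == "__main__":
    # Rule order matters, so the index is reported along with the description.
    for idx, descr, missing in unmatched_rule_interfaces(DEV_RULES, PROD_CONFIG):
        print(f"rule #{idx} ({descr}): production has no interface {missing}")
```

A matching name only shows that the interface exists on production, not that it is the same network there, so unflagged rules still need a review.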
-
@gertjan said in bulk Import of ALIASES & fw RULES from external .xml as addition to existed already in pfSense:
@sergei_shablovsky said in bulk Import of ALIASES & fw RULES from external .xml as addition to existed already in pfSense:
APPEND INSTEAD OF REPLACE
Not directly possible I guess.
But :
Export Aliases on first firewall.
Export Aliases on second firewall.
Merge the 2 using your favourite text editor.
So, you still need to Ctrl-C Ctrl-V ones.
Thank You for the really great idea!
I also come to this "handmade" solution :)
-
@stephenw10 said in bulk Import of ALIASES & fw RULES from external .xml as addition to existed already in pfSense:
Mmm, there's no easy way to do that. You can add aliases manually easily enough but firewall rules reference the defined interfaces so they would have to match exactly. The rule ordering might also end up not what you want.
Steve
Thank You also, Steve!
Is it safe to edit the file on-the-fly on a production system?
I mean, is pfSense locking modification of the settings .xml or checking its MD5 or something like that?
Sorry for dumb question...
-
There is a command line (console tool) called vi-config that permits you to edit the config.xml on the fly.
While I'm not advising you to use the 'tool', it shows what needs to be done when you edit the config 'manually' :
```
#!/bin/sh
vi /cf/conf/config.xml
rm /tmp/config.cache
```
The secret is : when you edited the config.xml, you have to delete this file : /tmp/config.cache
-
aliases could possibly be done "easily" by the <new> aliasmod php shell script
https://redmine.pfsense.org/issues/11380
-
@gertjan said in bulk Import of ALIASES & fw RULES from external .xml as addition to existed already in pfSense:
There is a command line (console tool) called vi-config that permits you to edit the config.xml on the fly.
Thank You for the suggestions! Let's note I prefer zsh + nano as handy CLI tools.
While I'm not advising you to use the 'tool', it shows what needs to be done when you edit the config 'manually' :
```
#!/bin/sh
vi /cf/conf/config.xml
rm /tmp/config.cache
```
The secret is : when you edited the config.xml, you have to delete this file : /tmp/config.cache
Please explain, is this some kind of pfSense behavior? Or FreeBSD behavior?
-
@heper said in bulk Import of ALIASES & fw RULES from external .xml as addition to existed already in pfSense:
https://redmine.pfsense.org/issues/11380
Thank You a lot, heper!
But I need not 1 or 5, but “XX” numbers of aliases to be added from dev pfSense. ;)
So, I'll try to find a useful tool for bulk adding (not replacing!) rules and aliases from one DEVELOPER-pfSense -> PRODUCTION-pfSense.
I'm starting to think the ability to add rules/aliases needs to be added to the “Import pfSense configuration” section.
Who votes for this, guys? :)
P.S. Of course, in doing this the Admin takes all responsibility for misconfiguration on his own. But on the other side, the ability of certain FW rules to conflict with each other is not one that may break pfSense in a newbie's hands. ;)
-
Adding aliases should simply be a matter of copying and pasting the <alias></alias> entries from the config.
The firewall rules are more difficult though since they may reference the wrong interfaces and the ordering is important.
Steve
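The copy-and-paste merge of `<alias>` entries can be scripted so that nothing already on production is overwritten. This is an added example, not part of the original post or of pfSense; it assumes both exports have an `<aliases>` root holding `<alias>` entries keyed by `<name>`, and the function names and sample XML are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample exports (assumed layout: <aliases> root, <alias> entries).
PROD = """<aliases>
  <alias><name>WEB</name><type>host</type><address>10.0.0.10</address></alias>
  <alias><name>DNS</name><type>host</type><address>10.0.0.53</address></alias>
</aliases>"""
DEV = """<aliases>
  <alias><name>WEB</name><type>host</type><address>10.0.0.10 10.0.0.11</address></alias>
  <alias><name>DNS</name><type>host</type><address>10.0.0.53</address></alias>
  <alias><name>MAIL</name><type>host</type><address>10.0.0.25</address></alias>
</aliases>"""


def _fields(alias):
    """Comparable view of one <alias>: {tag: stripped text}."""
    return {child.tag: (child.text or "").strip() for child in alias}


def merge_aliases(prod_xml, dev_xml):
    """Append dev aliases missing from prod; never overwrite an existing name.

    Returns (merged_xml, added_names, conflicting_names).
    """
    prod = ET.fromstring(prod_xml)
    dev = ET.fromstring(dev_xml)
    existing = {a.findtext("name"): _fields(a) for a in prod.findall("alias")}
    added, conflicts = [], []
    for alias in dev.findall("alias"):
        name = alias.findtext("name")
        if not name:
            continue  # malformed entry, nothing to key on
        if name not in existing:
            prod.append(alias)
            existing[name] = _fields(alias)
            added.append(name)
        elif existing[name] != _fields(alias):
            conflicts.append(name)  # same name, different content: keep prod's
    return ET.tostring(prod, encoding="unicode"), added, conflicts


if __name__ == "__main__":
    merged, added, conflicts = merge_aliases(PROD, DEV)
    print("added:", added)
    print("conflicts (production kept):", conflicts)
    print(merged)
```

ElementTree writes CDATA sections back as escaped text, so diff the merged file against the production export before importing it.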
-
@heper said in bulk Import of ALIASES & fw RULES from external .xml as addition to existed already in pfSense:
aliases could possibly be done "easily" by the <new> aliasmod php shell script
https://redmine.pfsense.org/issues/11380
That was a neat tool
I just grabbed it for my 2.4.5-p1
fetch https://redmine.pfsense.org/projects/pfsense/repository/1/revisions/861d6eef97bc14679db7818a33cd9193ffe2eaf6/raw/src/usr/local/bin/aliasmod
Seems to work fine (The alias must exist)
```
./aliasmod add IA_TEST_ALIAS 4.5.6.7
./aliasmod del IA_TEST_ALIAS 1.2.3.4
```
Whipped up a "multi add" ...
No parm checking or ...
multiadd <Alias-name> <file-containing-multi-ips>
```
./multiadd.sh IA_TEST_ALIAS ips.txt
```
```
#!/bin/sh
ALIAS=$1
FILENAME=$2
exec 4<${FILENAME} # open file for read, assign descriptor
# FD is never set in this script, so the descriptor prints as empty
echo "Opened ${FILENAME} for read using descriptor ${FD}"
while read <&4 LINE
do
  # do something with ${LINE}
  #echo ${LINE}
  echo aliasmod add $1 $LINE
  aliasmod add $1 $LINE
done
exec 4<&- # close file
# ./aliasmod add ALIAS 4.5.6.7
exit
```
```
./multiadd.sh IA_TEST_ALIAS ips.txt
Opened ips.txt for read using descriptor
aliasmod add IA_TEST_ALIAS 1.2.3.4
aliasmod add IA_TEST_ALIAS 1.2.3.5
aliasmod add IA_TEST_ALIAS 1.2.3.6
aliasmod add IA_TEST_ALIAS 1.2.3.7
aliasmod add IA_TEST_ALIAS 1.2.3.8
aliasmod add IA_TEST_ALIAS 1.2.3.9
```
/Bingo
-
Cool thing!
Adding aliases is not that big a deal even if there are >100
Adding and merging FW rules is a whole other ball game at least for me.... Burned my fingers a couple of times...