Converting fbsd pf.conf to pfsense config.xml
-
Anyone have any tools for doing so, or general tips? I've yet to locate in the webUI a spot to change state-policy or state timeouts, create tables, handle 802.1q filtering, or rate limit overloading (dumping overflow into a pf table).
-
Some of those may only be possible on 2.0. State timeouts can be adjusted in a rule's advanced options. We don't have a GUI field to adjust state-policy. Tables in our GUI are called aliases. For VLANs just make a VLAN interface for each VLAN you want to access, instead of filtering in pf rules directly (unless I am not understanding how you're using that.) And as for rate limit overloading, I'm not sure on that one. The end result could probably be accomplished between various traffic shaper functions.
-
Meant the default timeouts. Such as:

set timeout tcp.first 2
set timeout tcp.established 3600
set timeout tcp.closing 2
set timeout tcp.closed 600
set timeout udp.first 2
set timeout udp.multiple 3600
set timeout icmp.first 2
set timeout other.first 2
set timeout other.multiple 3600
set timeout adaptive.start 20000
set timeout adaptive.end 220000

I am playing with 2.0, looks pretty good. Took a patch from FreeBSD mainline to support my 8 port serial card. Had to recompile the kernel with puc enabled for it to work, but it works like a charm. Overloading dumps excess entries into a table, which can be used for later processing. For example, I have different uplinks wrapped in different 802.1Q tags. When something passes reverse path verification (something else I can't yet locate), and exceeds 90 syns/min, it dumps the IP into the synflood table. Five minutes later, it's removed.
I live in the CLI. However, the guy that pays my bills does not, and most of the people on my team are specialized in a specific talent. This means a GUI is needed. pfSense has impressed me, and once I become familiar with its source, I do plan on submitting many a patch.
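For readers who have not used pf's overload feature, here is the pf.conf shape of what the third post describes: a reverse-path check, a rate limit on new TCP connections per source, and an overload target table. This is an added example, not a configuration posted by anyone in the thread. The interface names, the VLAN interface list and the web server address are assumptions; the table name synflood and the 90 SYNs per minute threshold are the poster's own figures.

```pf
# Added example, not from the thread. Names below are assumptions.
ext_if   = "em0"
vlan_ifs = "{ vlan10 vlan20 }"   # assumed: uplinks on two 802.1Q tags
web_srv  = "192.0.2.10"          # assumed: documentation-range address

# Table that collects offending sources. "persist" keeps the table
# alive even when no rule currently references it.
table <synflood> persist

# Reverse path verification: drop packets whose source address is not
# routed back out the interface they arrived on.
block in quick from urpf-failed

# Anything already in the table is dropped before the pass rule is seen.
block in quick on $vlan_ifs from <synflood>

# Rate limit per source: more than 90 new connections in 60 seconds
# (the poster's "90 syns/min") adds the source to <synflood> and, with
# "flush global", tears down every state that source already holds.
pass in on $vlan_ifs proto tcp to $web_srv port 80 \
    flags S/SA keep state \
    (max-src-conn-rate 90/60, overload <synflood> flush global)
```

pf does not age table entries on its own. The "5 minutes later, it's removed" step is done from outside the ruleset, for example by running `pfctl -t synflood -T expire 300` periodically from cron, which removes entries older than 300 seconds. In the pfSense GUI the table itself corresponds to an alias, as the second post notes, and the per-rule connection rate limit sits in the rule's advanced options.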