4. Importing config from the "other" freebsd firewall?

Importing config from the "other" freebsd firewall?

  • S

    Hi,

    Is this still an option? I know when I moved from pfsense to opn, with some light editing of the xml file I was able to pull in some of the things that would be time-consuming, like aliases. I'd like to come back to pfsense for awhile to see how things compare, but would like to import as much of the config as I can. What's the current status of this?

    Also what's the countdown on the AES-NI thing? Looks to be at least a year before this is forced, correct? I'm on a perfectly fine Core2Duo SFF Dell that remains healthy and has more than enough CPU for my needs.

    0
    P
     1 Reply
  • P

    @sporkme If they were once that similar, I think I'd build a base pfSense and export the config and do a side-by-side. Re. AES-NI that has been skipped for the present in both the current release and development versions.

    1
  • S

    Thanks - I'm installing pfsense in a VM with a matching number of ethernet interfaces and then I'll do some diffing of stuff after creating a basic config.

    Great news on the AES-NI thing. Might actually buy new hardware by the time that rolls around.

    0
    S
     1 Reply
  • S

    Hmmm, they are diverging, but migrating chunks is possible.

    Here's the opn format for aliases. Of note, it's nested within the firewall section. There is also a UUID attached, but that's simply ignored on input. Also "description" is "descr" and wrapped in CDATA tags, "content" needs to be combined to a single line and changed to "address", and the fields for "update frequency", "counter" and "enabled" can be removed:

    <Firewall>
  <Alias version="1.0.0">
    <aliases>
      <alias uuid="e64c76f3-49bb-4b8c-8f77-440bbe964e61">
                  <enabled>1</enabled>
                  <name>voip</name>
                  <type>host</type>
                  <proto/>
                  <counters>0</counters>
                  <updatefreq/>
                  <content>10.3.2.19
      10.3.2.20
      10.3.2.21
      10.3.2.51</content>
                  <description>voip devices</description>
                </alias>
   </aliases>
  </Alias>
</Firewall>

    And the same after some massaging:

    <aliases>  
<alias uuid="e64c76f3-49bb-4b8c-8f77-440bbe964e61">
	<enabled>1</enabled>
	<name>voip</name>
	<type>host</type>
	<address>10.3.2.19 10.3.2.20 10.3.2.21 10.3.2.51</address>
	<descr><![CDATA[voip devices]]></descr>
  </alias>
</aliases>
    0
  • S

    Well, with a small amount of work I was able to grab the most time-consuming stuff for import: IP aliases and DHCP config (including all the reservations). Works great so far.

    Now to continue testing and see if the panics I was seeing on the other firewall are hardware-related or (my suspicion) HardenedBSD-related.

    If I had more time I'd be a true nerd and make a configuration transmogrifier that lets you flip-flop between these two vendors.. :)

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2019 Rubicon Communications, LLC | Privacy Policy