Importing config from the "other" freebsd firewall?
-
Hi,
Is this still an option? I know when I moved from pfsense to opn, with some light editing of the xml file I was able to pull in some of the things that would be time-consuming, like aliases. I'd like to come back to pfsense for a while to see how things compare, but would like to import as much of the config as I can. What's the current status of this?
Also what's the countdown on the AES-NI thing? Looks to be at least a year before this is forced, correct? I'm on a perfectly fine Core2Duo SFF Dell that remains healthy and has more than enough CPU for my needs.
-
@sporkme If they were once that similar, I think I'd build a base pfSense and export the config and do a side-by-side. Re. AES-NI that has been skipped for the present in both the current release and development versions.
-
Thanks - I'm installing pfsense in a VM with a matching number of ethernet interfaces and then I'll do some diffing of stuff after creating a basic config.
Great news on the AES-NI thing. Might actually buy new hardware by the time that rolls around.
-
Hmmm, they are diverging, but migrating chunks is possible.
Here's the opn format for aliases. Of note, it's nested within the firewall section. There is also a UUID attached, but that's simply ignored on input. Also "description" is "descr" and wrapped in CDATA tags, "content" needs to be combined to a single line and changed to "address", and the fields for "update frequency", "counter" and "enabled" can be removed:
<Firewall>
  <Alias version="1.0.0">
    <aliases>
      <alias uuid="e64c76f3-49bb-4b8c-8f77-440bbe964e61">
        <enabled>1</enabled>
        <name>voip</name>
        <type>host</type>
        <proto/>
        <counters>0</counters>
        <updatefreq/>
        <content>10.3.2.19 10.3.2.20 10.3.2.21 10.3.2.51</content>
        <description>voip devices</description>
      </alias>
    </aliases>
  </Alias>
</Firewall>
And the same after some massaging:
<aliases>
  <alias uuid="e64c76f3-49bb-4b8c-8f77-440bbe964e61">
    <enabled>1</enabled>
    <name>voip</name>
    <type>host</type>
    <address>10.3.2.19 10.3.2.20 10.3.2.21 10.3.2.51</address>
    <descr><![CDATA[voip devices]]></descr>
  </alias>
</aliases>
-
Well, with a small amount of work I was able to grab the most time-consuming stuff for import: IP aliases and DHCP config (including all the reservations). Works great so far.
Now to continue testing and see if the panics I was seeing on the other firewall are hardware-related or (my suspicion) HardenedBSD-related.
If I had more time I'd be a true nerd and make a configuration transmogrifier that lets you flip-flop between these two vendors.. :)