Importing config from the "other" freebsd firewall?



  • Hi,

    Is this still an option? I know when I moved from pfsense to opn, with some light editing of the xml file I was able to pull in some of the things that would be time-consuming, like aliases. I'd like to come back to pfsense for a while to see how things compare, but would like to import as much of the config as I can. What's the current status of this?

    Also what's the countdown on the AES-NI thing? Looks to be at least a year before this is forced, correct? I'm on a perfectly fine Core2Duo SFF Dell that remains healthy and has more than enough CPU for my needs.



  • @sporkme If they were once that similar, I think I'd build a base pfSense and export the config and do a side-by-side. Re. AES-NI, that has been skipped for the present in both the current release and development versions.



  • Thanks - I'm installing pfsense in a VM with a matching number of ethernet interfaces and then I'll do some diffing of stuff after creating a basic config.

    Great news on the AES-NI thing. Might actually buy new hardware by the time that rolls around.



  • Hmmm, they are diverging, but migrating chunks is possible.

    Here's the opn format for aliases. Of note, it's nested within the firewall section. There is also a UUID attached, but that's simply ignored on input. Also "description" is "descr" and wrapped in CDATA tags, "content" needs to be combined to a single line and changed to "address", and the fields for "update frequency", "counter" and "enabled" can be removed:

    <Firewall>
      <Alias version="1.0.0">
        <aliases>
          <alias uuid="e64c76f3-49bb-4b8c-8f77-440bbe964e61">
            <enabled>1</enabled>
            <name>voip</name>
            <type>host</type>
            <proto/>
            <counters>0</counters>
            <updatefreq/>
            <content>10.3.2.19
    10.3.2.20
    10.3.2.21
    10.3.2.51</content>
            <description>voip devices</description>
          </alias>
        </aliases>
      </Alias>
    </Firewall>
    

    And the same after some massaging:

    <aliases>
      <alias uuid="e64c76f3-49bb-4b8c-8f77-440bbe964e61">
        <enabled>1</enabled>
        <name>voip</name>
        <type>host</type>
        <address>10.3.2.19 10.3.2.20 10.3.2.21 10.3.2.51</address>
        <descr><![CDATA[voip devices]]></descr>
      </alias>
    </aliases>
    


  • Well, with a small amount of work I was able to grab the most time-consuming stuff for import: IP aliases and DHCP config (including all the reservations). Works great so far.

    Now to continue testing and see if the panics I was seeing on the other firewall are hardware-related or (my suspicion) HardenedBSD-related.

    If I had more time I'd be a true nerd and make a configuration transmogrifier that lets you flip-flop between these two vendors.. :)

