Netgate Discussion Forum

Copy Firewall Rules from an Interface to another.

General pfSense Questions
12 Posts 4 Posters 1.8k Views
    ramses.sevilla, Jan 21, 2020, 4:16 PM

    Hi everyone.

    I have a Firewall with 50 Firewall Rules on the LAN Interface.

    I have needed to create two VLAN Interfaces and I would like to know if there is any way to copy all Firewall Rules from the LAN Interface to the new interfaces.

    I know that I can do it one by one, but that would be very heavy.

    Do you know if there is any other way?

    Best regards

      stephenw10 (Netgate Administrator), Jan 21, 2020, 5:28 PM

      There's no way to do that via the GUI since you can't edit more than one rule at a time.

      You could do it by editing the config directly and judicious use of find+replace. It's easy to make a mistake doing that, of course, so make sure you can recover if the uploaded config causes a problem.

      Steve

        ramses.sevilla @stephenw10, Feb 4, 2020, 4:50 PM

        @stephenw10, thanks so much for your answer.

        Well, but I have some doubts.

        For example:

        I have this Firewall Rule on the LAN Interface:

        <rule>
        	<id/>
        	<tracker>1579262139</tracker>
        	<type>pass</type>
        	<interface>lan</interface>
        	<ipprotocol>inet</ipprotocol>
        	<tag/>
        	<tagged/>
        	<max/>
        	<max-src-nodes/>
        	<max-src-conn/>
        	<max-src-states/>
        	<statetimeout/>
        	<statetype>keep state</statetype>
        	<os/>
        	<protocol>tcp/udp</protocol>
        	<source>
        		<any/>
        	</source>
        	<destination>
        		<address>Private_Networks_RFC1918</address>
        		<port>Internal_Ports_Allowed</port>
        	</destination>
        	<descr><![CDATA[Bypassing Policy]]></descr>
        	<created>
        		<time>1579262139</time>
        		<username>user@10.55.0.250</username>
        	</created>
        	<updated>
        		<time>1580385787</time>
        		<username>user@10.55.0.250</username>
        	</updated>
        </rule>
        

        And I want to copy it to Interface VLAN50 (opt5).

        Do I just need to copy/paste the previous rule in the config file and only change "<interface>lan</interface>" to "<interface>opt5</interface>", or do I need to modify the "<tracker>", "<created>" and "<updated>" fields?

        Best regards,

        Ramsés

          stephenw10 (Netgate Administrator), Feb 4, 2020, 9:20 PM

          You don't need created or updated tags, but you do need tracker tags with a unique static ID to match rules to logs, which is why the created timestamp is used. It could be anything though, as long as it doesn't clash with the base rule tracker IDs:
          https://github.com/pfsense/pfsense/blob/master/src/etc/inc/filter.inc#L104

          Steve

            NogBadTheBad, Feb 4, 2020, 9:57 PM
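The two posts above from stephenw10 (edit the config directly, and give every copied rule its own unique tracker while created/updated can go) amount to a small procedure. Here is that procedure as a script. This is an added example, not code from the thread or from pfSense: it assumes the config.xml layout shown in the posted rule (`<pfsense><filter><rule>...</rule></filter></pfsense>`), assumes "LAN net" / "LAN address" are stored as `<network>lan</network>` / `<network>lanip</network>`, and uses a constructed sample config; the file names and the `clone_rules` helper are mine. Verify both assumptions against your own backup before uploading anything, as Steve warns.

```python
"""Clone pfSense <filter> rules from one interface onto others in config.xml.

Added example, not pfSense code.  Assumes the config.xml layout shown in the
thread (<pfsense><filter><rule>...</rule></filter></pfsense>) and that "LAN net"
is stored as <network>lan</network> (assumptions; check against your backup).
"""
import copy
import sys
import time
import xml.etree.ElementTree as ET

# Constructed sample: two LAN rules and one rule already present on opt5.
SAMPLE_CONFIG = """<pfsense><filter>
  <rule><id/><tracker>1579262139</tracker><type>pass</type>
    <interface>lan</interface><ipprotocol>inet</ipprotocol><protocol>tcp/udp</protocol>
    <source><any/></source>
    <destination><address>Private_Networks_RFC1918</address><port>Internal_Ports_Allowed</port></destination>
    <descr><![CDATA[Bypassing Policy]]></descr>
    <created><time>1579262139</time><username>user@10.55.0.250</username></created>
    <updated><time>1580385787</time><username>user@10.55.0.250</username></updated>
  </rule>
  <rule><id/><tracker>1579262200</tracker><type>block</type>
    <interface>lan</interface><ipprotocol>inet</ipprotocol><protocol>any</protocol>
    <source><network>lan</network></source><destination><any/></destination>
    <descr>Default deny</descr>
  </rule>
  <rule><id/><tracker>1579262300</tracker><type>pass</type>
    <interface>opt5</interface><ipprotocol>inet</ipprotocol><protocol>any</protocol>
    <source><any/></source><destination><any/></destination>
    <descr>Existing opt5 rule</descr>
  </rule>
</filter></pfsense>"""


def existing_trackers(root):
    """Every tracker ID already in the config, so new IDs never collide."""
    return {int(t.text) for t in root.iter("tracker") if t.text and t.text.strip().isdigit()}


def rules_on(root, iface):
    """Tracker IDs of the rules on iface, in ruleset order."""
    return [r.findtext("tracker") for r in root.find("filter").findall("rule")
            if r.findtext("interface") == iface]


def clone_rules(root, src_iface, dst_ifaces, start_tracker):
    """Append a copy of every rule on src_iface for each interface in dst_ifaces.

    Each copy gets a fresh, unique tracker (it ties the rule to its log lines);
    <created>/<updated> are dropped because the GUI treats them as bookkeeping.
    A source/destination of <network>lan</network> or <network>lanip</network>
    is rewritten for the new interface, since on the copy it would still mean
    the LAN (assumed encoding, see module docstring).
    Returns the (interface, tracker) pairs that were created.
    """
    filt = root.find("filter")
    if filt is None:
        raise ValueError("config has no <filter> section")
    used = existing_trackers(root)
    next_id = max(start_tracker, max(used, default=0) + 1)
    originals = [r for r in filt.findall("rule") if r.findtext("interface") == src_iface]
    created = []
    for dst in dst_ifaces:
        for rule in originals:
            new = copy.deepcopy(rule)
            new.find("interface").text = dst
            while next_id in used:          # never reuse an existing tracker
                next_id += 1
            trk = new.find("tracker")
            if trk is None:                 # very old rules may lack one; add it
                trk = ET.SubElement(new, "tracker")
            trk.text = str(next_id)
            used.add(next_id)
            created.append((dst, next_id))
            next_id += 1
            for tag in ("created", "updated"):
                el = new.find(tag)
                if el is not None:
                    new.remove(el)
            for side in ("source", "destination"):
                net = new.find(side + "/network")
                if net is not None and net.text in (src_iface, src_iface + "ip"):
                    net.text = dst + net.text[len(src_iface):]
            filt.append(new)
    return created


def clone_config_text(xml_text, src_iface, dst_ifaces, start_tracker):
    """Parse an in-memory config, clone, and return (root, created)."""
    root = ET.fromstring(xml_text)
    return root, clone_rules(root, src_iface, dst_ifaces, start_tracker)


if __name__ == "__main__":
    if len(sys.argv) >= 5:
        # python clone_rules.py config.xml config-new.xml lan opt5 opt6 ...
        src_file, out_file, src_iface, *dsts = sys.argv[1:]
        tree = ET.parse(src_file)
        created = clone_rules(tree.getroot(), src_iface, dsts, int(time.time()))
        tree.write(out_file, encoding="utf-8", xml_declaration=True)
    else:
        _, created = clone_config_text(SAMPLE_CONFIG, "lan", ["opt5", "opt6"], 1580000000)
    for iface, trk in created:
        print(f"added rule tracker {trk} on {iface}")
```

Two practical notes. The script starts new trackers at the current epoch time, mirroring what the GUI does with the created timestamp, and then skips forward past anything already in use, so copies never share an ID with each other or with existing rules. ElementTree turns the `<![CDATA[...]]>` description into ordinary escaped text on output, which pfSense reads the same way; and since this appends copies rather than touching the original LAN rules, a failed upload is recoverable by restoring the untouched backup you started from.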

            Couldn't you create an interface group and then move the rules from the LAN interface to the interface group that contains the LAN & OPT1 interfaces?

            https://docs.netgate.com/pfsense/en/latest/interfaces/interface-groups.html

            Andy

            1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

              stephenw10 (Netgate Administrator), Feb 5, 2020, 1:16 AM

              Hmm, not sure I've ever tried that. But now I have; yes, you could do that.

              The rules are all the same for every interface though, so you can't use LANnet etc.

              Steve

                chpalmer, Feb 5, 2020, 1:21 AM (last edited 1:23 AM)

                You can just go to the rule, create a copy and then edit the interface line and source address if needed. When you save the rule it will show up in the correct place. 50 is a few to do, but it's pretty foolproof.

                Triggering snowflakes one by one..
                Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

                  ramses.sevilla @chpalmer, Feb 5, 2020, 4:30 PM

                  @chpalmer, thanks so much for your answer.

                  I need to copy about 50 Firewall Rules to 10 new Interfaces (VLAN) and modify them later.

                  If I copy the rules one by one...

                  I need a method to copy multiple rules at one time.

                  Best regards,

                  Ramsés

                    ramses.sevilla @NogBadTheBad, Feb 5, 2020, 4:44 PM

                    @NogBadTheBad, thanks so much for your answer.

                    But I need to personalize some rules later. If I create an Interface Group I can't do this because the rules are applied to all Interfaces in the group.

                    Another thing: can I create an Interface Group and apply Rules to the Group and to the individual Interfaces that are included in the group?

                    If yes, which rules predominate, the group rules or the individual rules of each interface in the group?

                    Anyway, thanks for the idea.

                    Best regards,

                    Ramsés

                      stephenw10 (Netgate Administrator), Feb 5, 2020, 5:31 PM

                      Rules on an interface group are parsed first, so anything matched by a rule there would never see rules on individual interfaces.
                      Floating rules are parsed before the group rules, so it would be possible to add individual rules there, but reading the ruleset would become...... difficult! 😉

                      https://docs.netgate.com/pfsense/en/latest/firewall/firewall-rule-processing-order.html

                      Steve

                        ramses.sevilla, Feb 15, 2020, 10:12 AM
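The ordering Steve describes (floating, then interface group, then the interface's own rules, with evaluation stopping at the first match) is what decides whether a per-interface exception can ever fire. The following model is an added example, not pfSense or pf code: it assumes the processing order from the linked doc, that interface and group rules are "quick" (first match wins) while a floating rule is quick only when that option is set and otherwise is overridden by any later match, and it uses constructed rules and addresses. `Rule`, `evaluate` and the `LANS` group name are mine.

```python
"""Model of pfSense rule processing order: floating, then interface group,
then per-interface rules.  Added example, not pfSense code.

Assumed semantics (from the linked processing-order doc): rules are tried in
that order; a matching rule marked quick ends evaluation; a non-quick match
is only provisional and a later match replaces it; no match means block.
"""
from dataclasses import dataclass
import ipaddress


@dataclass
class Rule:
    scope: str            # "floating", "group:<name>" or "iface:<name>"
    action: str           # "pass" or "block"
    src: str              # CIDR or "any"
    dst: str              # CIDR or "any"
    quick: bool = True    # interface/group rules are always quick in pfSense
    descr: str = ""

    def matches(self, src_ip, dst_ip):
        return _in(self.src, src_ip) and _in(self.dst, dst_ip)


def _in(cidr, ip):
    return cidr == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


def ordered_rules(rules, iface, groups):
    """Rules that apply to traffic entering iface, in evaluation order.

    groups maps an interface name to the interface groups it belongs to.
    """
    order = [r for r in rules if r.scope == "floating"]
    for g in groups.get(iface, []):
        order += [r for r in rules if r.scope == "group:" + g]
    order += [r for r in rules if r.scope == "iface:" + iface]
    return order


def evaluate(rules, iface, groups, src_ip, dst_ip):
    """Return (action, descr) of the rule that decides a packet on iface."""
    winner = None
    for r in ordered_rules(rules, iface, groups):
        if r.matches(src_ip, dst_ip):
            winner = r
            if r.quick:           # quick: stop here
                break
    return (winner.action, winner.descr) if winner else ("block", "default deny")


# Constructed ruleset: LAN and opt5 share the group LANS, which carries the
# "pass to RFC1918" rule; opt5 also has an interface-level exception that is
# shadowed by the group rule, while a floating quick rule is not.
RULES = [
    Rule("floating", "pass", "10.50.0.0/24", "any", quick=False, descr="floating non-quick pass"),
    Rule("floating", "block", "10.50.0.7/32", "any", quick=True, descr="floating quick block host"),
    Rule("group:LANS", "pass", "any", "10.0.0.0/8", descr="group pass to RFC1918"),
    Rule("iface:opt5", "block", "10.50.0.0/24", "10.55.0.0/24", descr="opt5 block to mgmt"),
    Rule("iface:opt5", "pass", "any", "any", descr="opt5 pass all"),
]
GROUPS = {"lan": ["LANS"], "opt5": ["LANS"]}

if __name__ == "__main__":
    for iface, s, d in [("opt5", "10.50.0.9", "10.55.0.250"),
                        ("opt5", "10.50.0.7", "10.55.0.250"),
                        ("opt5", "10.50.0.9", "8.8.8.8"),
                        ("lan", "10.50.0.9", "8.8.8.8")]:
        print(iface, s, "->", d, evaluate(RULES, iface, GROUPS, s, d))
```

The first case is the one ramses.sevilla asked about: the opt5 "block to mgmt" exception never fires because the group's pass rule matches first. The only places an exception can go are the floating tab (the quick block on 10.50.0.7 wins over everything) or a rule written before the pass on the group itself, which is the readability problem Steve points at.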

                        @stephenw10 / @NogBadTheBad, thanks so much for your answers.

                        I have a pfSense in production and I have a new doubt:

                        If I create an Interface Group, is the traffic disrupted at any moment?

                        Best regards,

                        Ramses

                          stephenw10 (Netgate Administrator), Feb 15, 2020, 2:08 PM

                          Simply creating the group will not do anything beyond giving you a new tab in Firewall > Rules.

                          Steve

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.