Converting fbsd pf.conf to pfsense config.xml
Anyone have any tools for doing so, or general tips? I've yet to locate in the webUI a spot to change state-policy or state timeouts, create tables, handle 802.1q filtering, or rate limit overloading (dumping overflow into a pf table).
Some of those may only be possible on 2.0. State timeouts can be adjusted in a rule's advanced options. We don't have a GUI field to adjust state-policy. Tables in our GUI are called aliases. For VLANs just make a VLAN interface for each VLAN you want to access, instead of filtering in pf rules directly (unless I am not understanding how you're using that.) And as for rate limit overloading, I'm not sure on that one. The end result could probably be accomplished between various traffic shaper functions.
Meant the default timeouts. Such as:
set timeout tcp.first 2
set timeout tcp.established 3600
set timeout tcp.closing 2
set timeout tcp.closed 600
set timeout udp.first 2
set timeout udp.multiple 3600
set timeout icmp.first 2
set timeout other.first 2
set timeout other.multiple 3600
set timeout adaptive.start 20000
set timeout adaptive.end 220000
I am playing with 2.0, looks pretty good. Took a patch from FreeBSD mainline to support my 8 port serial card. Had to recompile the kernel with puc enabled for it to work, but it works like a charm. Overloading dumps excess entries into a table, which can be used for later processing. For example, I have different uplinks wrapped in different 802.1Q tags. When something passes reverse path verification (something else I can't yet locate), and exceeds 90 syns/min, it dumps the IP into the synflood table. 5 minutes later, it's removed.
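A pf.conf rendering of the overload behaviour described in the post above, added here as an illustration and not taken from the poster's ruleset; the interface name vlan10, the table name synflood and the cron-based expiry are assumptions:

```pf
# Constructed example (not the poster's config): limit new TCP connections
# per source and park offenders in a table that is aged out after 5 minutes.
table <synflood> persist

# Assumed uplink interface carrying one of the 802.1Q-tagged links.
ext_if = "vlan10"

# pf's reverse-path verification: drop packets whose source would not be
# routed back out the interface they arrived on.
block in quick on $ext_if from urpf-failed to any

# Block anything already parked in the overload table, ahead of the pass rule.
block in quick on $ext_if from <synflood> to any

# Allow new TCP connections; a source that opens more than 90 new
# connections in 60 seconds is added to <synflood> and all of its
# existing states are flushed (global = on every rule, not just this one).
pass in on $ext_if proto tcp from any to any flags S/SA keep state \
    (max-src-conn-rate 90/60, overload <synflood> flush global)
```

pf does not age table entries by itself, so the "removed 5 minutes later" part is a cron job such as a once-a-minute "pfctl -t synflood -T expire 300", which drops entries older than 300 seconds.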
I live in the CLI. However, the guy that pays my bills does not, and most of the people on my team are specialized in a specific talent. This means a GUI is needed. pfSense has impressed me, and once I become familiar with its source, I do plan on submitting many a patch.