Converting fbsd pf.conf to pfsense config.xml

  • Anyone have any tools for doing so, or general tips? I've yet to locate in the webUI a spot to change state-policy or state timeouts, create tables, handle 802.1q filtering, or rate limit overloading (dumping overflow into a pf table).

  • Rebel Alliance Developer Netgate

    Some of those may only be possible on 2.0. State timeouts can be adjusted in a rule's advanced options. We don't have a GUI field to adjust state-policy. Tables in our GUI are called aliases. For VLANs just make a VLAN interface for each VLAN you want to access, instead of filtering in pf rules directly (unless I am not understanding how you're using that.) And as for rate limit overloading, I'm not sure on that one. The end result could probably be accomplished between various traffic shaper functions.

  • Meant the default timeouts. Such as:

    set timeout tcp.first 2
    set timeout tcp.established 3600
    set timeout tcp.closing 2
    set timeout tcp.closed 600

    set timeout udp.first 2
    set timeout udp.multiple 3600

    set timeout icmp.first 2

    set timeout other.first 2
    set timeout other.multiple 3600

    set timeout adaptive.start 20000
    set timeout adaptive.end 220000

    I am playing with 2.0, looks pretty good. Took a patch from FreeBSD mainline to support my 8 port serial card. Had to recompile the kernel with puc enabled for it to work, but it works like a charm. Overloading dumps excess entries into a table, which can be used for later processing. For example, I have different uplinks wrapped in different 802.1Q tags. When something passes reverse path verification (something else I can't yet locate), and exceeds 90 syns/min, it dumps the IP into the synflood table. 5 minutes later, it's removed.

    I live in the CLI. However, the guy that pays my bills does not, and most of the people on my team are specialized in a specific talent. This means a GUI is needed. pfSense has impressed me, and once I become familiar with its source, I do plan on submitting many a patch.
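    As an added example, not taken from the thread or from pfSense's generated ruleset, here is a pf.conf fragment that does what the post describes: the default timeouts, reverse-path verification, and a rule that overloads sources exceeding 90 SYNs per minute into a table which is expired after five minutes. Interface names (vlan100, vlan200), the service port and the table name are assumptions; the timeout values are the post's own.

```pf
# Added example (not from the thread). vlan100/vlan200, port 80 and the
# <synflood> table name are assumptions; timeouts are those in the post.

# Default state timeouts. Note tcp.first 2 gives a client only two seconds
# to finish the handshake, which can drop slow or lossy clients.
set timeout { tcp.first 2, tcp.established 3600, tcp.closing 2, tcp.closed 600 }
set timeout { udp.first 2, udp.multiple 3600 }
set timeout { icmp.first 2 }
set timeout { other.first 2, other.multiple 3600 }
set timeout { adaptive.start 20000, adaptive.end 220000 }

# State policy has no GUI field in pfSense, so set it here if you need it.
set state-policy if-bound

# Table that receives overloaded sources. 'persist' keeps it across a
# ruleset reload even when it is empty.
table <synflood> persist

# Reverse-path verification: drop packets whose source address would not be
# routed back out the interface they arrived on.
block in quick from urpf-failed label "rpf-fail"

# Anything already in the table is dropped before any pass rule is consulted.
block in quick from <synflood> label "synflood"

# One rule per 802.1Q uplink. A source that opens more than 90 new
# connections in 60 seconds is added to <synflood>, and 'flush global'
# kills all of its existing states on every interface, not just this one.
pass in quick on vlan100 proto tcp to port 80 flags S/SA keep state \
    (max-src-conn-rate 90/60, overload <synflood> flush global)
pass in quick on vlan200 proto tcp to port 80 flags S/SA keep state \
    (max-src-conn-rate 90/60, overload <synflood> flush global)

# pf never ages table entries by itself. The "removed after 5 minutes" part
# is a cron job that expires entries older than 300 seconds, e.g.:
#   * * * * * /sbin/pfctl -t synflood -T expire 300
```

    Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f`, and watch the table fill with `pfctl -t synflood -T show`. In pfSense the same overload clause is what the "Max. src. conn. Rate" fields in a rule's advanced options generate, using the built-in virusprot table and a bundled cron entry that expires it; what the GUI does not expose is the table name, the per-interface versus global flush, or the state-policy line.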
