How to Import 3000+ line Cisco Ingress ACL into pfsense



  • I have an existing IP and port block list about 3000+ lines as an ingress ACL on a router. On another system I am unable to apply this ACL on the L2 switch that pfsense is connected to. I am at a loss as to a way to import this Cisco extended ACL into the running pfsense. It will be too big a pain to enter line for line. Any suggestions?


  • Rebel Alliance Developer Netgate

    If you can convert it to a simple list of CIDR nets or IPs (some command line tools might help there, some sed or scripting mojo) you can use the "upload" feature on the alias list to bring it in. It looks like an "^" button on the aliases screen. It gives you a large text area in which you can paste the list.

    If that doesn't work, you can always import it as a URL or URL table alias using a web server with the list of CIDR nets/IPs in a text file there.
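One way to do the conversion described above, as an added example that is not part of the thread and not Netgate or pfSense code: a small Python script (standard library only) that reads the Cisco extended ACL forms shown in the constructed sample, keeps the source side of each deny entry, and emits one CIDR per line for the alias upload box. It assumes the entries use the usual `any`, `host A.B.C.D`, or `A.B.C.D WILDCARD` address forms; protocol and port matches are discarded because an alias holds only addresses, so any port-specific rules need separate handling.

```python
import ipaddress

# Constructed sample (not a real ACL): the line shapes a Cisco extended ACL export usually contains.
SAMPLE_ACL = """\
ip access-list extended INGRESS-BLOCK
 10 deny ip 10.0.0.0 0.255.255.255 any
 20 deny tcp host 192.0.2.10 any eq 22
 30 deny udp 198.51.100.0 0.0.0.255 gt 1023 any
 40 permit ip any any
access-list 101 deny ip 203.0.113.0 0.0.0.127 any log
"""
PORT_OPS = {"eq": 1, "gt": 1, "lt": 1, "neq": 1, "range": 2}  # port operator -> argument count


def wildcard_to_prefix(wildcard: str) -> int:
    """Cisco wildcard (inverse mask) -> prefix length; a discontiguous mask has no CIDR form."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if (wc + 1) & wc:  # valid only when the set bits form one contiguous low-order run
        raise ValueError(f"wildcard {wildcard} is discontiguous and cannot become one CIDR")
    return 32 - wc.bit_length()


def parse_address(tokens: list) -> tuple:
    """Consume one address spec ('any', 'host A', or 'A WILDCARD'); return (network or None, rest)."""
    if not tokens or tokens[0] == "any":
        return None, tokens[1:]  # 'any' contributes nothing to a block list
    if tokens[0] == "host":
        return ipaddress.ip_network(f"{tokens[1]}/32"), tokens[2:]
    prefix = wildcard_to_prefix(tokens[1])
    # strict=False clears stray host bits, which is also how the router applies the wildcard
    return ipaddress.ip_network(f"{tokens[0]}/{prefix}", strict=False), tokens[2:]


def acl_to_cidrs(acl_text: str, action: str = "deny", side: str = "src") -> list:
    """Sorted, de-duplicated CIDRs taken from one side of every entry with the given action."""
    nets = set()
    for line in acl_text.splitlines():
        t = line.split()
        if t[:1] == ["access-list"]:
            t = t[2:]  # numbered form: 'access-list 101 deny ...'
        elif t and t[0].isdigit():
            t = t[1:]  # named form: sequence number comes first
        if len(t) < 3 or t[0] != action:
            continue  # header, remark, blank line, or the other action
        src, rest = parse_address(t[2:])  # t[1] is the protocol; ports are dropped, an alias has none
        if rest and rest[0] in PORT_OPS:  # skip a source port match such as 'gt 1023' or 'range 1 1023'
            rest = rest[1 + PORT_OPS[rest[0]]:]
        dst, _ = parse_address(rest)
        nets.add(src if side == "src" else dst)
    nets.discard(None)  # entries whose chosen side was 'any'
    return [str(n) for n in sorted(nets)]  # one CIDR per line is what the alias upload box expects
```

Run it against the exported ACL text and paste the output into the alias upload area; a ValueError on a discontiguous wildcard flags an entry that has to be split by hand.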



  • Make a few sample firewall rules on your pfsense, then take a look at /conf/config.xml
    Your firewall rules are there as XML.

    Then parse your 3000+ lines of ACLs in your favorite shell/language and generate the required XML.
    Insert the XML to /conf/config.xml
    Then execute /etc/rc.reload_all

    If all is OK, you will be able to see all your new rules in the GUI. Click Save and Apply there, then just in case check syslog for any possible errors.



  • What Jim said. If you're on a Windows box, try Ted Notepad (http://jsimlo.sk/notepad/).

