[pfSense Support] Large Aliases

2010-08-23 Thread Joseph L. Casale
Are there any undocumented tricks to creating large aliases other than
by hand? I have some I need to create with maybe 100 or more small
networks. Can I import the list at the cli somehow and have the gui
acknowledge them?

Thanks!
jlc

-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com

Commercial support available - https://portal.pfsense.org



Re: [pfSense Support] Large Aliases

2010-08-23 Thread Moshe Katz
You can export a configuration file to see the file structure, build a
configuration backup that has the aliases in it based on the sample, and
then restore your backup.  That's what we did.

--
Moshe Katz
KatzNet Computers
-- mo...@ymkatz.net
-- +1(301)867-3732



On Mon, Aug 23, 2010 at 11:04 AM, Joseph L. Casale jcas...@activenetwerx.com wrote:

> Are there any undocumented tricks to creating large aliases other than
> by hand? I have some I need to create with maybe 100 or more small
> networks. Can I import the list at the cli somehow and have the gui
> acknowledge them?
>
> Thanks!
> jlc





RE: [pfSense Support] Large Aliases

2010-08-23 Thread Joseph L. Casale
> You can export a configuration file to see the file structure, build
> a configuration backup that has the aliases in it based on the sample,
> and then restore your backup.  That's what we did.

That’s a good idea, but the lists need updating and something scriptable
would be easier so I could do this at the cli less obtrusively...

Thanks,
jlc


Re: [pfSense Support] Large Aliases

2010-08-23 Thread Jim Cheetham
Quoting Joseph L. Casale (from 24/08/10 04:23):
>> You can export a configuration file to see the file structure, build
>> a configuration backup that has the aliases in it based on the sample,
>> and then restore your backup.  That's what we did.
>
> That’s a good idea, but the lists need updating and something scriptable
> would be easier so I could do this at the cli less obtrusively...

You can make some nice scripts with xmlstarlet
(http://xmlstar.sourceforge.net/), and automate additions to the
configuration from there; but there will always be some interruption
when you reload in order to get the new config.

Perhaps there's another way; what are you doing this for? Instead of
basing rules on a large set of aliases that you have to update
regularly, is there some other characteristic you can group your rules
by? (AKA 'describe the original problem, not just the one step you're
stuck on')

-jim




Re: [pfSense Support] Large Aliases

2010-08-23 Thread Seth Mos
Hi,

On 23 Aug 2010, at 21:08, Jim Cheetham wrote:

> Perhaps there's another way; what are you doing this for? Instead of
> basing rules on a large set of aliases that you have to update
> regularly, is there some other characteristic you can group your rules
> by? (AKA 'describe the original problem, not just the one step you're
> stuck on')

Also, in 2.0 we have support for nested aliases. What you can do with this is
pretty straightforward of course. You can then update 1 specific alias which is
part of the parent alias.

This should make management a lot easier, the chances of error smaller and 
possibly the number of firewall rules smaller.

Regards,

Seth



Re: [pfSense Support] Large Aliases

2010-08-23 Thread Jim Pingle
On 8/23/2010 3:12 PM, Seth Mos wrote:
> Hi,
>
> On 23 Aug 2010, at 21:08, Jim Cheetham wrote:
>
>> Perhaps there's another way; what are you doing this for? Instead of
>> basing rules on a large set of aliases that you have to update
>> regularly, is there some other characteristic you can group your rules
>> by? (AKA 'describe the original problem, not just the one step you're
>> stuck on')
>
> Also, in 2.0 we have support for nested aliases. What you can do with this is
> pretty straightforward of course. You can then update 1 specific alias which
> is part of the parent alias.
>
> This should make management a lot easier, the chances of error smaller and
> possibly the number of firewall rules smaller.

In 2.0 we also have a URL table alias type that can periodically update
its contents from a URL that has IP and IP/CIDR format entries (one per
line).

We've tried it with 40k+ entries and it works fine. You can't edit the
lists on the box though, they only refresh via the contents of the URL.
There was no practical way to handle editing that large of a list in the
GUI and storing the data in the actual XML file.

There is a package for 1.2.3 that imports that functionality as well.

Jim
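
An added example, not part of the original thread: one way to generate the one-entry-per-line file that a URL table alias fetches, starting from a hand-maintained source list. The function name, the IPv4-only scope and the minimum-prefix policy are assumptions for illustration; the sample networks are constructed from documentation ranges.

```python
import ipaddress

# Constructed sample input (RFC 5737 documentation ranges).
RAW = """\
# office networks
198.51.100.0/25
198.51.100.128/25
203.0.113.7
203.0.113.7/32
192.0.2.10/24
0.0.0.0/0
not-an-ip
"""

MIN_PREFIX = 8  # assumed policy: refuse entries broader than a /8


def build_urltable(raw, min_prefix=MIN_PREFIX):
    """Return (lines, rejected) for a one-entry-per-line URL table file."""
    nets, rejected = [], []
    for lineno, line in enumerate(raw.splitlines(), 1):
        entry = line.split("#", 1)[0].strip()  # drop comments and blanks
        if not entry:
            continue
        try:
            # strict=True rejects entries with host bits set (likely typos)
            net = ipaddress.IPv4Network(entry, strict=True)
        except ValueError as exc:
            rejected.append((lineno, entry, str(exc)))
            continue
        if net.prefixlen < min_prefix:
            # a single overly broad entry would match almost everything
            rejected.append((lineno, entry, "prefix too broad"))
            continue
        nets.append(net)
    lines = []
    # collapse_addresses removes duplicates and merges adjacent networks
    for net in ipaddress.collapse_addresses(nets):
        is_host = net.prefixlen == net.max_prefixlen
        lines.append(str(net.network_address) if is_host else str(net))
    return lines, rejected


if __name__ == "__main__":
    entries, bad = build_urltable(RAW)
    print("\n".join(entries))
    for lineno, entry, reason in bad:
        print(f"# rejected line {lineno}: {entry} ({reason})")
```

Publish only the accepted lines at the URL the alias points to, and review the rejected ones by hand before each update.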




RE: [pfSense Support] Large Aliases

2010-08-23 Thread Joseph L. Casale
>> Also, in 2.0 we have support for nested aliases. What you can do with
>> this is pretty straightforward of course. You can then update 1 specific
>> alias which is part of the parent alias.
>>
>> This should make management a lot easier, the chances of error smaller
>> and possibly the number of firewall rules smaller.
>
> In 2.0 we also have a URL table alias type that can periodically update
> its contents from a URL that has IP and IP/CIDR format entries (one per
> line).
>
> We've tried it with 40k+ entries and it works fine. You can't edit the
> lists on the box though, they only refresh via the contents of the URL.
> There was no practical way to handle editing that large of a list in the
> GUI and storing the data in the actual XML file.
>
> There is a package for 1.2.3 that imports that functionality as well.

This is exactly what I need, the Country Block package was what I wanted
but I need finer grained control, so an Alias to work with would do this.

A quick pfctl show of the Table enumerated as expected. How does one keep
an eye on this? I am confused with the update frequency versus no cron job
added msg?

Thanks guys!
jlc


Re: [pfSense Support] Large Aliases

2010-08-23 Thread Jim Pingle
On 8/23/2010 6:20 PM, Joseph L. Casale wrote:
>>> Also, in 2.0 we have support for nested aliases. What you can do with
>>> this is pretty straightforward of course. You can then update 1 specific
>>> alias which is part of the parent alias.
>>>
>>> This should make management a lot easier, the chances of error smaller
>>> and possibly the number of firewall rules smaller.
>>
>> In 2.0 we also have a URL table alias type that can periodically update
>> its contents from a URL that has IP and IP/CIDR format entries (one per
>> line).
>>
>> We've tried it with 40k+ entries and it works fine. You can't edit the
>> lists on the box though, they only refresh via the contents of the URL.
>> There was no practical way to handle editing that large of a list in the
>> GUI and storing the data in the actual XML file.
>>
>> There is a package for 1.2.3 that imports that functionality as well.
>
> This is exactly what I need, the Country Block package was what I wanted
> but I need finer grained control, so an Alias to work with would do this.
>
> A quick pfctl show of the Table enumerated as expected. How does one keep
> an eye on this? I am confused with the update frequency versus no cron job
> added msg?

The cron job isn't automatically added in 1.2.3 (or 2.0 yet, haven't
added it to the config, but that should happen soon) but you can add
your own cron job to run daily that calls /etc/rc.update_urltables. It's
easy to do with the cron package that's out there too.

If you want to check the contents of the table, use pfctl -T show -t
name where name is the name of your alias.
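
An added example, not part of the original thread: a check that the table loaded on the firewall still matches the published list, fed with the text printed by pfctl -T show -t name. The function names are hypothetical and the sample output is constructed; it assumes pfctl prints one indented entry per line, with single hosts shown without a /32 suffix.

```python
import ipaddress
import sys

# Constructed samples: the published list, and text in the shape
# `pfctl -T show -t name` prints for a table.
PUBLISHED = "198.51.100.0/24\n203.0.113.7\n192.0.2.0/28\n"
PFCTL_OUTPUT = "   198.51.100.0/24\n   203.0.113.7\n   203.0.113.99\n"


def parse_entries(text):
    """Parse one-entry-per-line text into a set of IPv4 networks."""
    entries = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            # a bare address becomes a /32, so "203.0.113.7" and
            # "203.0.113.7/32" compare equal
            entries.add(ipaddress.IPv4Network(line, strict=False))
    return entries


def table_drift(published, loaded):
    """Compare the published list with the loaded table contents."""
    want, have = parse_entries(published), parse_entries(loaded)
    return {
        "missing": sorted(str(n) for n in want - have),     # not loaded yet
        "unexpected": sorted(str(n) for n in have - want),  # stale or foreign
        "in_sync": want == have,
    }


if __name__ == "__main__":
    # usage: pfctl -T show -t name | python3 check.py published.txt
    with open(sys.argv[1]) as fh:
        report = table_drift(fh.read(), sys.stdin.read())
    print(report)
    sys.exit(0 if report["in_sync"] else 1)
```

A non-zero exit after the daily /etc/rc.update_urltables run means the refresh did not pick up the current list, or the table holds entries the list does not.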
