Date: Sat, 12 Feb 2005 11:45:19 +0100
From: Erik Norgaard <norgaard@locolomo.org>
To: Luciano Musacchio <l0kit0@exactas.org>
Cc: freebsd-questions@freebsd.org
Subject: Re: ipfilter2ipchains script?
Message-ID: <420DDE3F.1060807@locolomo.org>
In-Reply-To: <200502120158.59833.l0kit0@exactas.org>
References: <200502120158.59833.l0kit0@exactas.org>
Luciano Musacchio wrote:

> is there an ipfilter to ipchains conversion script or program?,
> if not, what's the better solution for a newbie bsd admin to do
> firewalls on linux? (long term plan is bsd-migration of course :)

If you are migrating to bsd, I guess you want conversion ipchains -> ipfilter?

In any case I wouldn't recommend scripting it, you now have an excellent opportunity to review your firewall rules. And, you really need to learn how to manage these rules on the new system.

Secondly, it may not be possible at all:

ipchains allows multiple entry points into a chain, in ipfilter the corresponding is groups, but groups allow only one entry point (head).

ipchains is first match, ipfilter is last match, unless you specify quick.

In ipchains, if no rules match in a chain, you always go back to the original; in ipfilter, you can specify "quick" in the head rule and only rules below that head will be matched against.

ipchains uses somewhat obscure "masquerading" and a special forward chain. In ipfilter it's a separate nat ruleset.

ipchains is stateless packet filtering, packets are always run through the input and the output chain. In ipfilter, you can use keep state in the input filtering, then packets going through will only be filtered on the way in.

In ipfilter, accounting is a separate ruleset, in ipchains IIRC you add a count keyword in the matching rule.

etc...

So, with all these differences and more, better start with the ipfilter howto - I needed to read it a few times before it really settled, don't just skim it.

cheers, Erik

--
Ph: +34.666334818
web: http://www.locolomo.org
S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt
Subject ID: A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9
Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73:25:67:C2
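The first-match versus last-match-unless-quick difference Erik points out is the main reason a naive rule-for-rule conversion goes wrong. As an added illustration that is not part of the original thread, the following constructed Python model evaluates one flat rule list under both disciplines; the Rule class, the verdict functions and the sample ruleset are assumptions for illustration, not code from ipchains or ipfilter (chains, groups, state and NAT are left out).

```python
# Constructed model of the two rule-order disciplines Erik describes: it is not
# the parser or engine of ipchains or ipfilter, only their match semantics on a
# flat rule list (chains and groups are left out).
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    action: str                   # "pass" or "block"
    proto: Optional[str] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any destination port
    quick: bool = False           # ipfilter only: stop evaluating on a match

def matches(rule: Rule, pkt: dict) -> bool:
    return ((rule.proto is None or rule.proto == pkt["proto"])
            and (rule.dport is None or rule.dport == pkt["dport"]))

def ipchains_verdict(rules: list, pkt: dict, policy: str = "block") -> str:
    """ipchains: the first matching rule decides; chain policy if none match."""
    for r in rules:
        if matches(r, pkt):
            return r.action
    return policy

def ipfilter_verdict(rules: list, pkt: dict, policy: str = "block") -> str:
    """ipfilter: the last matching rule decides, unless a matching rule is quick."""
    verdict = policy
    for r in rules:
        if matches(r, pkt):
            verdict = r.action
            if r.quick:
                break
    return verdict

# Typical ipfilter ordering: block everything first, open services further down.
IPF_STYLE = [
    Rule("block"),                        # block in all
    Rule("pass", "tcp", 22),              # pass in proto tcp ... port = 22
    Rule("pass", "tcp", 80, quick=True),  # pass in quick proto tcp ... port = 80
    Rule("block", "tcp", 80),             # shadowed by the quick rule above
    Rule("pass", "tcp", 25),
    Rule("block", "tcp", 25),             # last match wins: port 25 stays blocked
]

def compare(rules: list, port: int, proto: str = "tcp") -> tuple:
    """(ipchains verdict, ipfilter verdict) for one packet under the same list."""
    pkt = {"proto": proto, "dport": port}
    return ipchains_verdict(rules, pkt), ipfilter_verdict(rules, pkt)
```

Fed the ipfilter-style list unchanged, the ipchains reading blocks even ports 22 and 80 because the catch-all at the top is the first match, which is exactly why the ordering has to be rethought rather than copied.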