From: peter@bgnett.no (Peter N. M. Hansteen)
To: freebsd-pf@freebsd.org
Date: Thu, 16 Feb 2006 14:17:47 +0100
Subject: Re: PF --> IPTABLES Conversion?
Message-ID: <86accr7890.fsf@amidala.datadok.no>
In-Reply-To: <43F35750.7020701@veldy.net> (Thomas T. Veldhouse's message of "Wed, 15 Feb 2006 10:31:12 -0600")
List-Id: "Technical discussion and general questions about packet filter (pf)"

"Thomas T. Veldhouse" writes:

> Does anybody know if there is a conversion tool to convert PF scripts
> over to IPTables scripts?

I had originally decided it was best to keep my mouth shut about IPTables
in public, but, well, frankly the cover of the March 2006 Linux Journal
really sums it all up for me. Cover bottom left tempts prospective readers
with what appears to be a very useful article: "Perl script your way to
firewall security"

> I have a firewall that is working nicely using PF and FreeBSD, but I
> have a machine that I need to set up for a friend that has a similar
> configuration, but will be running Linux. Rather than learn IPTables
> outright, I was hoping that there might be a scripting utility to help
> get me 90% of the way.

In my limited experience, if you've gotten used to PF, the only thing you
will gain by going to IPTables is a catalogue of profound reasons to hate
IPTables and the people who force you to use the thing.

If you are used to IPTables, going to PF you will initially refuse to
believe that firewall adminning can be that pleasant. Recovering IPTables
sufferers tend to quintuple-check their working PF rulesets in disbelief
and still end up with rule sets which are way too complicated for their
needs.

But if there is no way around it, Max' suggestion that fwbuilder is likely
to be useful is about as good advice as you can get. Mind you, with
IPTables the need for a point'n'click front end to your rule set is a lot
bigger than if you stay with PF.

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
"First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"
20:11:56 delilah spamd[26905]: 146.151.48.74: disconnected after 36099 seconds.