From: Erik Norgaard
Date: Sat, 12 Feb 2005 11:45:19 +0100
To: Luciano Musacchio
Cc: freebsd-questions@freebsd.org
Subject: Re: ipfilter2ipchains script?

Luciano Musacchio wrote:
> is there an ipfilter to ipchains conversion script or program?
> if not, what's the better solution for a newbie bsd admin to do
> firewalls on linux? (long term plan is bsd-migration of course :)

If you are migrating to bsd, I guess you want conversion ipchains -> ipfilter? In any case I wouldn't recommend scripting it; you now have an excellent opportunity to review your firewall rules. And you really need to learn how to manage these rules on the new system.

Secondly, it may not be possible at all:

ipchains allows multiple entry points into a chain; in ipfilter the corresponding thing is groups, but groups allow only one entry point (head).

ipchains is first match, ipfilter is last match, unless you specify quick. In ipchains, if no rules match in a chain, you always go back to the original; in ipfilter, you can specify "quick" in the head rule and only rules below that head will be matched against.

ipchains uses somewhat obscure "masquerading" and a special forward chain. In ipfilter it's a separate nat ruleset.

ipchains is stateless packet filtering; packets are always run through the input and the output chain. In ipfilter, you can use keep state in the input filtering, then packets going through will only be filtered on the way in.

In ipfilter, accounting is a separate ruleset; in ipchains IIRC you add a count keyword in the matching rule.

etc...

So, with all these differences and more, better start with the ipfilter howto - I needed to read it a few times before it really settled, don't just skim it.

cheers, Erik

-- 
Ph: +34.666334818 web: http://www.locolomo.org
S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt
Subject ID: A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9
Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73:25:67:C2
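The first-match versus last-match difference Erik describes is the one most likely to bite a mechanical conversion. The following is an added illustration, not part of the mail or of either firewall's code: a toy model that evaluates the same ordered ruleset under ipchains semantics (first match wins) and under ipfilter semantics (last match wins unless a matching rule is marked quick). The rule fields and the sample addresses are constructed for the demonstration.

```python
# Added example: a small model of the two evaluation orders described in the mail.
# ipchains: the first matching rule decides.  ipfilter: the LAST matching rule
# decides, unless a matching rule carries "quick", which stops evaluation.
# The rule representation below is a constructed simplification, not ipf.conf syntax.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class Rule:
    action: str            # "pass" or "block"
    src: str               # CIDR source network; "any" means 0.0.0.0/0
    dport: Optional[int]   # destination port, None matches any port
    quick: bool = False    # only meaningful under ipfilter semantics

    def matches(self, src: str, dport: int) -> bool:
        net = ip_network("0.0.0.0/0" if self.src == "any" else self.src)
        return ip_address(src) in net and (self.dport is None or self.dport == dport)


def ipchains_decide(rules: List[Rule], src: str, dport: int, default: str = "block") -> str:
    """First matching rule wins, as in an ipchains chain (default = chain policy)."""
    for r in rules:
        if r.matches(src, dport):
            return r.action
    return default


def ipfilter_decide(rules: List[Rule], src: str, dport: int, default: str = "block") -> str:
    """Last matching rule wins, unless a matching rule is marked quick."""
    decision = default
    for r in rules:
        if r.matches(src, dport):
            decision = r.action
            if r.quick:
                break
    return decision


# Constructed ruleset in the usual ipchains layout: specific rule first, catch-all last.
CHAIN_STYLE_RULES = [
    Rule("pass", "10.0.0.0/8", 22),
    Rule("block", "any", None),
]

# Same intent expressed for ipfilter: the specific rule must be "quick" to beat the catch-all.
IPF_STYLE_RULES = [
    Rule("pass", "10.0.0.0/8", 22, quick=True),
    Rule("block", "any", None),
]
```

Running `ipchains_decide(CHAIN_STYLE_RULES, "10.1.2.3", 22)` yields "pass", while `ipfilter_decide` on the identical list yields "block" because the catch-all matches last; only `IPF_STYLE_RULES` restores the intended "pass".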