Migration from Linux iptables to pfsense. How'd you do that?
-
Hi list,
I have an old linux fw (kernel 2.4.x) with iptables and want to set up pfsense with CARP based on those rules. There are more than 600. I set up two boxes with CARP already a while ago. So I'm kind of familiar with it.
The questions are 1. How to migrate and 2. How to manage 600 rules in the GUI.
I found two promising approaches.
https://doc.pfsense.org/index.php/Adding_Rules_With_easyrule
Maybe someone has a script or an idea?
http://www.fwbuilder.org/index.shtml
That looks even better. Has someone tried that out? Kernel 2.4.x is supported though.
Now managing the rules. A typical task for example is to find a particular host and grant access to ftp or ssh. As far as I saw it that could be quite tiresome given that you have hundreds of hosts. Am I just missing something here?
Greetings,
senseless
-
Sounds like a good time to re-evaluate the ruleset and make use of Aliases to reduce that to a manageable set. It's unlikely that 600 unique rules would truly be required.
easyrule might help but it's probably not flexible enough to do the whole job.
-
Well, the current rules on the Linux box are like this. host1 is allowed ftp and http, host2 ssh from 2 different addresses and https, host3 mysql to another host and so on. All that adds up to 600 rules. Maybe just 500 after cleansing.
OK, then I try fwbuilder first.
senseless
-
I think it might be better to create groups?
As in an http-group with all hosts that are allowed to use http | and ftp-group with all hosts that are allowed to use ftp | ….
That way you could seriously limit your FW-rules.
BTW, replace "groups" with 'aliases' for use in pfSense.
-
Thanks. I just played with aliases and rules a bit. I got the concept. That way I might have a few standard rules and a bunch of special ones and that's it.
-
I just had a look at fwbuilder. Alas it is too complicated and prone to flaws if you try to transform iptables to pf. Next problem is having a pf file which needs to be merged into the pfsense file. I read you shouldn't edit rules within the according file.
Back to aliases. Often there is a host which is allowed http and https and ssh and ftp. In that case I have to put the same IP into four aliases? Is there a better approach?
Sorry, but I really have a lot of hosts and hence rules which apparently need to be typed in by hand. Thus I want it to be as painless as possible.
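As an added illustration of the two alias layouts discussed in this thread (one alias per service, as suggested above, versus one alias per host "profile" for the case raised in the last post where one host is allowed http, https, ssh and ftp), here is a small grouping script. It is example code written for this page, not the poster's script and not a pfSense tool: it reads `iptables -S` / iptables-save style lines, keeps the per-host ACCEPT rules, and counts how many alias-based rules each layout needs. The sample ruleset, the alias names and the `pass ...` output lines are this example's own constructed convention; pfSense aliases and rules are still entered in the GUI.

```python
"""Collapse per-host iptables ACCEPT rules into alias-style groups.

Added example for this thread (not the poster's script and not a pfSense
tool): it reads `iptables -S` / iptables-save style lines and groups the
permitted source hosts two ways so the ruleset shrinks to a handful of
alias-based rules. The sample ruleset below is constructed for the example.
"""
from collections import defaultdict

# Constructed sample: a flat, per-host ruleset of the kind described above.
SAMPLE_RULES = """\
-P FORWARD DROP
-A FORWARD -s 10.0.0.11/32 -p tcp -m tcp --dport 21 -j ACCEPT
-A FORWARD -s 10.0.0.11/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -s 10.0.0.12/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -s 10.0.0.12/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -s 10.0.0.13/32 -d 10.0.0.50/32 -p tcp -m tcp --dport 3306 -j ACCEPT
-A FORWARD -s 10.0.0.14/32 -p tcp -m tcp --dport 21 -j ACCEPT
-A FORWARD -s 10.0.0.14/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -s 10.0.0.14/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -s 10.0.0.14/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -s 10.0.0.15/32 -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -s 10.0.0.16/32 -p tcp -m tcp --dport 21 -j ACCEPT
-A FORWARD -s 10.0.0.16/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -j DROP
"""

ANY = "0.0.0.0/0"


def parse_rule(line):
    """Parse one `-A` line into a dict; return None for anything else
    (policy lines, comments, blanks). Only the options that matter for
    grouping are read: -s, -d, -p, --dport, -j; other options are skipped."""
    tokens = line.split()
    if len(tokens) < 2 or tokens[0] != "-A":
        return None
    rule = {"chain": tokens[1], "src": ANY, "dst": ANY,
            "proto": "any", "dport": None, "target": None}
    flags = {"-s": "src", "-d": "dst", "-p": "proto", "--dport": "dport",
             "-j": "target"}
    i = 2
    while i < len(tokens):
        key = flags.get(tokens[i])
        if key is not None and i + 1 < len(tokens):
            rule[key] = tokens[i + 1]
            i += 2
        else:
            i += 1
    return rule


def accept_rules(text):
    """All ACCEPT rules that name a destination port, i.e. the per-host grants."""
    rules = (parse_rule(line) for line in text.splitlines())
    return [r for r in rules if r and r["target"] == "ACCEPT" and r["dport"]]


def group_by_service(rules):
    """One alias per service: key (proto, dport, dst) -> set of source hosts.
    This is the http-group / ftp-group layout suggested in the thread."""
    groups = defaultdict(set)
    for r in rules:
        groups[(r["proto"], r["dport"], r["dst"])].add(r["src"])
    return dict(groups)


def group_by_profile(rules):
    """One alias per service profile: hosts granted exactly the same set of
    (proto, dport) towards the same destination share one host alias and one
    port alias, so a host allowed ftp+http+https+ssh is entered once instead
    of in four service aliases."""
    per_host = defaultdict(set)
    for r in rules:
        per_host[(r["src"], r["dst"])].add((r["proto"], r["dport"]))
    profiles = defaultdict(set)
    for (src, dst), services in per_host.items():
        profiles[(dst, frozenset(services))].add(src)
    return dict(profiles)


def render_profiles(profiles):
    """Human-readable alias and rule lines (the naming is this example's own
    convention; pfSense aliases are created in the GUI, not imported)."""
    lines = []
    ordered = sorted(profiles.items(), key=lambda kv: sorted(kv[1]))
    for n, ((dst, services), hosts) in enumerate(ordered, start=1):
        ports = ",".join(f"{p}/{d}" for p, d in sorted(services))
        lines.append(f"alias hosts_{n} = {', '.join(sorted(hosts))}")
        lines.append(f"alias ports_{n} = {ports}")
        lines.append(f"pass from hosts_{n} to {dst} ports ports_{n}")
    return lines


def summary(text):
    """Return (per-host rules, service-alias rules, profile-alias rules)."""
    rules = accept_rules(text)
    return len(rules), len(group_by_service(rules)), len(group_by_profile(rules))


if __name__ == "__main__":
    print("rules before / by service / by profile:", summary(SAMPLE_RULES))
    print("\n".join(render_profiles(group_by_profile(accept_rules(SAMPLE_RULES)))))
```

On the constructed sample the 12 per-host grants become 6 service-alias rules or 5 profile-alias rules; which layout reads better depends on whether hosts tend to share whole service sets (profile aliases) or are mixed and matched per service (service aliases). Either way, each host is typed once per alias it belongs to, and a later "grant host X ssh" becomes an edit to one alias rather than a search through hundreds of rules.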