Netgate Discussion Forum
    Migration from Linux iptables to pfsense. How'd you do that?

    General pfSense Questions
    6 Posts, 3 Posters, 3.7k Views
    • senseless

      Hi list,

      I have an old Linux firewall (kernel 2.4.x) with iptables and want to set up pfSense with CARP based on those rules. There are more than 600. I set up two boxes with CARP already a while ago, so I'm kind of familiar with it.

      The questions are 1. How to migrate and 2. How to manage 600 rules in the GUI.

      I found two promising approaches.

      https://doc.pfsense.org/index.php/Adding_Rules_With_easyrule
      Maybe someone has a script or an idea?

      http://www.fwbuilder.org/index.shtml
      That looks even better. Has someone tried that out? Kernel 2.4.x is supported, though.

      Now, managing the rules. A typical task, for example, is to find a particular host and grant it access to FTP or SSH. As far as I saw, that could be quite tiresome given that you have hundreds of hosts. Am I just missing something here?

      Greetings,

      senseless

      • jimp (Rebel Alliance Developer, Netgate)

        Sounds like a good time to re-evaluate the ruleset and make use of Aliases to reduce that to a manageable set. It's unlikely that 600 unique rules would truly be required.

        easyrule might help but it's probably not flexible enough to do the whole job.

        • senseless

          Well, the current rules on the Linux box are like this: host1 is allowed FTP and HTTP, host2 SSH from two different addresses and HTTPS, host3 MySQL to another host, and so on. All that adds up to 600 rules. Maybe just 500 after cleansing.

          OK, then I'll try fwbuilder first.

          senseless

          • heper

            I think it might be better to create groups?
            As in an http-group with all hosts that are allowed to use HTTP, an ftp-group with all hosts that are allowed to use FTP, and so on.
            That way you could seriously limit your FW rules.

            BTW, replace "groups" with "aliases" for use in pfSense.

            • senseless

              Thanks. I just played with aliases and rules a bit and I got the concept. That way I might have a few standard rules and a bunch of special ones, and that's it.

              • senseless

                I just had a look at fwbuilder. Alas, it is too complicated and prone to flaws if you try to transform iptables to pf. The next problem is having a pf file which needs to be merged into the pfSense file. I read you shouldn't edit rules within that file.

                Back to aliases. Often there is a host which is allowed HTTP, HTTPS, SSH and FTP. In that case I have to put the same IP into four aliases? Is there a better approach?

                Sorry, but I really have a lot of hosts and hence rules which apparently need to be typed in by hand. Thus I want it to be as painless as possible.

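As an added illustration of the per-service alias approach heper describes, and of the "same IP in four aliases" question above (example code, not from the thread or from pfSense): the script below reads constructed iptables-save style ACCEPT rules, builds one alias per allowed destination port, and reports which hosts end up in more than one alias. Alias names, the sample addresses and the port-to-service table are assumptions; destination addresses (such as the MySQL rule's -d) are ignored here and would still need their own rule.

```python
import re
from collections import defaultdict

# Constructed sample in iptables-save syntax (not taken from the forum thread).
SAMPLE_RULES = """
-A FORWARD -s 10.0.0.11 -p tcp -m tcp --dport 21 -j ACCEPT
-A FORWARD -s 10.0.0.11 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -s 10.0.0.12 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -s 10.0.0.12 -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -s 10.0.0.13 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -s 10.0.0.13 -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -s 10.0.0.13 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -s 10.0.0.13 -p tcp -m tcp --dport 21 -j ACCEPT
-A FORWARD -s 10.0.0.14 -p tcp -m tcp --dport 3306 -d 10.0.1.5 -j ACCEPT
-A FORWARD -s 10.0.0.99 -j DROP
"""

# Assumed port-to-service names used to build alias names.
SERVICE_NAMES = {21: "ftp", 22: "ssh", 80: "http", 443: "https", 3306: "mysql"}

# Source address, destination port and an ACCEPT target on one rule line.
RULE_RE = re.compile(r"-s\s+(\S+).*?--dport\s+(\d+).*?-j\s+ACCEPT")

def parse_accepts(text):
    """Yield (source, port) for every TCP ACCEPT rule that names a --dport."""
    for line in text.splitlines():
        m = RULE_RE.search(line)
        if m and "-p tcp" in line:
            yield m.group(1), int(m.group(2))

def service_aliases(text):
    """One alias per service: the set of sources allowed to reach that port.
    Note: -d (destination) is ignored, so host-specific rules like the MySQL
    one still need their own pass rule; the alias only collects sources."""
    aliases = defaultdict(set)
    for src, port in parse_accepts(text):
        name = SERVICE_NAMES.get(port, f"tcp{port}")
        aliases[f"allow_{name}"].add(src)
    return {k: sorted(v) for k, v in sorted(aliases.items())}

def hosts_in_multiple_aliases(aliases):
    """Hosts that would have to be entered into more than one alias."""
    membership = defaultdict(list)
    for name, hosts in aliases.items():
        for host in hosts:
            membership[host].append(name)
    return {h: names for h, names in membership.items() if len(names) > 1}

if __name__ == "__main__":
    aliases = service_aliases(SAMPLE_RULES)
    for name, hosts in aliases.items():
        print(f"{name}:\n  " + "\n  ".join(hosts))  # one address per line
    for host, names in hosts_in_multiple_aliases(aliases).items():
        print(f"{host} appears in {len(names)} aliases: {', '.join(names)}")
```

The per-alias host lists come out one address per line, which is the shape pfSense's alias import form accepts, and the second report shows exactly the hosts that need to be entered repeatedly.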
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.