Migration from Linux iptables to pfsense. How'd you do that?



  • Hi list,

    I have an old linux fw (kernel 2.4.x) with iptables and want to set up pfsense with CARP bases on those rules. There are more that 600. I set up two boxes with CARP already a while ago. So I'm kind of familiar with it.

    The questions are 1. How to migrate and 2. How to manage 600 rules in the GUI.

    I found two promising approaches.

    https://doc.pfsense.org/index.php/Adding_Rules_With_easyrule
    Maybe someone has a script or an idea?

    http://www.fwbuilder.org/index.shtml
    That looks even better. Has someone tried that out? Kernel 2.4.x is supported though.

    Now managing the rules. A typical task for example is to find a particular host and grant access to ftp or ssh. As far as I saw it that could be quite tiresome given that you have hundreds of hosts. Am I just missing something here?

    Greetings,

    senseless


  • Rebel Alliance Developer Netgate

    Sounds like a good time to re-evaluate the ruleset and make use of Aliases to reduce that to a manageable set. It's unlikely that 600 unique rules would truly be required.

    easyrule might help but it's probably not flexible enough to do the whole job.



  • Well, the current rules on the Linux box are like this. host1 is allowed ftp and http, host2 ssh from 2 different addresses and https, host3 mysql to another host and so on. All that adds up to 600 rules. Maybe just 500 after cleansing.

    OK, then I try fwbuilder first.

    senseless



  • i think it might be better to create groups ?
    as in an http-group with all hosts that are allowed to use http | and ftp-group with all hosts that are allowed to use ftp | ….
    that way you could seriously limit your FW-rules.

    btw replace "groups" with 'aliases' for use in pfSense



  • Thanks. I just played with aliases and rules a bit. I got the concept. That way I might have a few standard rules and a bunch of special ones and that's it.



  • I just had a look at fwbuilder. Alas it is too complicated and prone to flaws if you try to transform iptables to pf. Next problem is having a pf file which needs to be merged into the pfsense file. I read you shouldn't edit rules within the according file.

    Back to aliases. Often there is a host which is allowed http and https and ssh and ftp. In that case I have to put the same IP into four aliases? Is there a better approach?

    Sorry, but I really have a lot of hosts and hence rules which apparently need to be typed in by hand. Thus I want it to be as painless as possible.