Migration from Linux iptables to pfsense. How'd you do that?
I have an old Linux fw (kernel 2.4.x) with iptables and want to set up pfSense with CARP based on those rules. There are more than 600. I set up two boxes with CARP already a while ago, so I'm kind of familiar with it.
The questions are 1. How to migrate and 2. How to manage 600 rules in the GUI.
I found two promising approaches.
Maybe someone has a script or an idea?
That looks even better. Has someone tried that out? Kernel 2.4.x is supported though.
Now managing the rules. A typical task for example is to find a particular host and grant access to ftp or ssh. As far as I saw it that could be quite tiresome given that you have hundreds of hosts. Am I just missing something here?
Sounds like a good time to re-evaluate the ruleset and make use of Aliases to reduce that to a manageable set. It's unlikely that 600 unique rules would truly be required.
easyrule might help but it's probably not flexible enough to do the whole job.
Well, the current rules on the Linux box are like this. host1 is allowed ftp and http, host2 ssh from 2 different addresses and https, host3 mysql to another host and so on. All that adds up to 600 rules. Maybe just 500 after cleansing.
OK, then I try fwbuilder first.
I think it might be better to create groups?
As in an http-group with all hosts that are allowed to use http | and ftp-group with all hosts that are allowed to use ftp | ….
That way you could seriously limit your FW rules.
BTW, replace "groups" with "aliases" for use in pfSense.
Thanks. I just played with aliases and rules a bit. I got the concept. That way I might have a few standard rules and a bunch of special ones and that's it.
I just had a look at fwbuilder. Alas, it is too complicated and prone to flaws if you try to transform iptables to pf. The next problem is having a pf file which needs to be merged into the pfSense file. I read you shouldn't edit rules within the according file.
Back to aliases. Often there is a host which is allowed http and https and ssh and ftp. In that case I have to put the same IP into four aliases? Is there a better approach?
Sorry, but I really have a lot of hosts and hence rules which apparently need to be typed in by hand. Thus I want it to be as painless as possible.
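The per-service alias idea raised above, and the follow-up question about a host that ends up in four aliases, can both be worked through mechanically before anything is typed into the GUI. The script below is an added example, not something posted in this thread or shipped with pfSense: it parses `iptables-save`-style `-A` lines, keeps only ACCEPT rules with a destination port, and groups the source hosts two ways: one alias per service (the "http-group / ftp-group" approach) and one alias per *profile*, i.e. the exact set of services a host is allowed, so a host allowed http+https+ssh+ftp lands in a single alias with a single rule. The sample rules, the `SERVICE_NAMES` port-to-name table and the alias naming scheme are constructed assumptions; the output is a plan to read, not a pfSense import file.

```python
"""Group iptables ACCEPT rules into pfSense-style aliases (added example)."""
from collections import defaultdict

# Well-known ports, used only to give aliases readable names (assumption).
SERVICE_NAMES = {21: "ftp", 22: "ssh", 80: "http", 443: "https", 3306: "mysql"}

# Constructed sample in `iptables-save` syntax; not taken from the thread.
SAMPLE_RULES = """
-A FORWARD -s 10.0.0.11/32 -p tcp -m tcp --dport 21 -j ACCEPT
-A FORWARD -s 10.0.0.11/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -s 10.0.0.12/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -s 10.0.0.13/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -s 10.0.0.12/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -s 10.0.0.14/32 -d 10.0.1.5/32 -p tcp -m tcp --dport 3306 -j ACCEPT
-A FORWARD -s 10.0.0.15/32 -p tcp -m tcp --dport 21 -j ACCEPT
-A FORWARD -s 10.0.0.15/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -s 10.0.0.99/32 -p tcp -m tcp --dport 23 -j DROP
"""


def parse_rule(line):
    """Parse one `-A` line into a dict; returns None for non-rule lines."""
    toks = line.split()
    if len(toks) < 2 or toks[0] != "-A":
        return None
    rule = {"chain": toks[1], "src": "any", "dst": "any",
            "proto": "tcp", "dport": None, "target": None}
    flags = {"-s": "src", "-d": "dst", "-p": "proto", "-j": "target"}
    i = 2
    while i < len(toks):
        tok = toks[i]
        arg = toks[i + 1] if i + 1 < len(toks) else None
        if tok in flags:
            rule[flags[tok]] = arg
            i += 2
        elif tok == "--dport":
            rule["dport"] = int(arg)
            i += 2
        else:
            i += 1  # interface names, -m extensions etc. are not needed here
    return rule


def normalize_host(addr):
    """Single-host /32 entries become plain IPs; real networks keep their mask."""
    return addr[:-3] if addr.endswith("/32") else addr


def service_key(rule):
    """Readable service name; a fixed destination becomes part of the name."""
    name = SERVICE_NAMES.get(rule["dport"], f"{rule['proto']}{rule['dport']}")
    if rule["dst"] != "any":
        name += "_to_" + normalize_host(rule["dst"]).replace(".", "_")
    return name


def accept_rules(text):
    rules = (parse_rule(l) for l in text.strip().splitlines())
    return [r for r in rules if r and r["target"] == "ACCEPT" and r["dport"]]


def group_rules(text):
    """Return (hosts per service alias, hosts per profile alias)."""
    by_service = defaultdict(set)
    by_host = defaultdict(set)
    for r in accept_rules(text):
        host = normalize_host(r["src"])
        svc = service_key(r)
        by_service[svc].add(host)
        by_host[host].add(svc)
    # Profile alias: every host with exactly this set of allowed services.
    by_profile = defaultdict(set)
    for host, svcs in by_host.items():
        by_profile["hosts_" + "_".join(sorted(svcs))].add(host)
    sort = lambda d: {k: sorted(v) for k, v in sorted(d.items())}
    return sort(by_service), sort(by_profile)


def rule_counts(text):
    """(original ACCEPT rules, rules with service aliases, rules with profile aliases)."""
    by_service, by_profile = group_rules(text)
    return len(accept_rules(text)), len(by_service), len(by_profile)


def render_plan(text):
    by_service, by_profile = group_rules(text)
    lines = ["# one alias + one rule per service"]
    lines += [f"alias {svc}_hosts: {', '.join(h)}" for svc, h in by_service.items()]
    lines.append("# one alias + one rule per profile (host appears only once)")
    lines += [f"alias {name}: {', '.join(h)}" for name, h in by_profile.items()]
    return lines


if __name__ == "__main__":
    print("\n".join(render_plan(SAMPLE_RULES)))
    print("rules: original/service/profile =", rule_counts(SAMPLE_RULES))
```

Run it against a real `iptables-save` dump instead of `SAMPLE_RULES` to see which of the two groupings gives the shorter rule list; per-service aliases are easiest to reason about when most hosts get one service, per-profile aliases win when many hosts share the same bundle of services. A DROP line like the last sample rule is ignored on purpose, so anything the old box blocked explicitly has to be reviewed by hand.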