Migration from Linux iptables to pfsense. How'd you do that?

  • Hi list,

    I have an old Linux fw (kernel 2.4.x) with iptables and want to set up pfsense with CARP based on those rules. There are more than 600. I set up two boxes with CARP already a while ago. So I'm kind of familiar with it.

    The questions are 1. How to migrate and 2. How to manage 600 rules in the GUI.

    I found two promising approaches.

    Maybe someone has a script or an idea?

    That looks even better. Has someone tried that out? Kernel 2.4.x is supported though.

    Now managing the rules. A typical task for example is to find a particular host and grant access to ftp or ssh. As far as I saw it that could be quite tiresome given that you have hundreds of hosts. Am I just missing something here?



  • Rebel Alliance Developer Netgate

    Sounds like a good time to re-evaluate the ruleset and make use of Aliases to reduce that to a manageable set. It's unlikely that 600 unique rules would truly be required.

    easyrule might help but it's probably not flexible enough to do the whole job.

  • Well, the current rules on the Linux box are like this. host1 is allowed ftp and http, host2 ssh from 2 different addresses and https, host3 mysql to another host and so on. All that adds up to 600 rules. Maybe just 500 after cleansing.

    OK, then I'll try fwbuilder first.


  • I think it might be better to create groups?
    as in an http-group with all hosts that are allowed to use http | and ftp-group with all hosts that are allowed to use ftp | ….
    that way you could seriously limit your FW-rules.

    btw replace "groups" with 'aliases' for use in pfSense

  • Thanks. I just played with aliases and rules a bit. I got the concept. That way I might have a few standard rules and a bunch of special ones and that's it.

  • I just had a look at fwbuilder. Alas, it is too complicated and prone to flaws if you try to transform iptables to pf. The next problem is having a pf file which needs to be merged into the pfsense file. I read you shouldn't edit rules within the corresponding file.

    Back to aliases. Often there is a host which is allowed http and https and ssh and ftp. In that case I have to put the same IP into four aliases? Is there a better approach?

    Sorry, but I really have a lot of hosts and hence rules which apparently need to be typed in by hand. Thus I want it to be as painless as possible.
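The grouping idea from the thread (one alias per service, or one host alias plus one port alias for hosts that share the same set of services) can be prepared mechanically from the old box's `iptables-save` output instead of by hand. The script below is an added example, not code from the thread or from pfSense: it parses constructed iptables-save style lines (the sample rules and addresses are made up), builds the per-service "http-group / ftp-group" view, and then collapses hosts with identical service sets into profiles, so a host allowed ftp, http, https and ssh is typed once into one host alias rather than into four. The rendered host lists are one address per line, ready to paste into an alias; the destination shown next to each port is informational only, since a pfSense port alias holds ports and the destination belongs on the rule. Negated matches (`!`) and rules without an explicit port are skipped and must be reviewed by hand.

```python
import shlex
from collections import defaultdict

# Constructed sample in iptables-save syntax (not taken from the thread).
SAMPLE_RULES = """
-A FORWARD -s 192.0.2.10 -p tcp -m tcp --dport 21 -j ACCEPT
-A FORWARD -s 192.0.2.10 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -s 192.0.2.11 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -s 192.0.2.11 -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -s 192.0.2.12 -p tcp -m multiport --dports 21,80 -j ACCEPT
-A FORWARD -s 192.0.2.13 -d 192.0.2.50 -p tcp -m tcp --dport 3306 -j ACCEPT
-A FORWARD -s 192.0.2.14 -j DROP
"""

OPTS_WITH_VALUE = ("-A", "-s", "-d", "-p", "-j", "-m", "--dport", "--dports")


def parse_rule(line):
    """Return (source, services) for an ACCEPT rule with an explicit port, else None.

    services is a set of (proto, port, dst) tuples; dst is 'any' when no -d is given.
    Negated matches and rules without a source or port are left for manual review.
    """
    tokens = shlex.split(line)
    if not tokens or "!" in tokens:
        return None
    opts, ports = {}, []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in OPTS_WITH_VALUE:
            if i + 1 >= len(tokens):
                return None  # option without its value: malformed line
            val = tokens[i + 1]
            if tok in ("--dport", "--dports"):
                ports.extend(val.split(","))  # multiport lists become separate entries
            else:
                opts[tok] = val
            i += 2
        else:
            i += 1
    if opts.get("-j") != "ACCEPT" or "-s" not in opts or "-p" not in opts or not ports:
        return None
    dst = opts.get("-d", "any")
    return opts["-s"], {(opts["-p"], port, dst) for port in ports}


def services_by_host(rules_text):
    """Map each source host to the full set of services it is allowed."""
    out = defaultdict(set)
    for line in rules_text.splitlines():
        parsed = parse_rule(line)
        if parsed:
            host, services = parsed
            out[host] |= services
    return dict(out)


def hosts_by_service(rules_text):
    """The 'http-group / ftp-group' view: one host alias per service."""
    out = defaultdict(set)
    for host, services in services_by_host(rules_text).items():
        for svc in services:
            out[svc].add(host)
    return {svc: sorted(hosts) for svc, hosts in out.items()}


def profiles(rules_text):
    """Hosts with an identical service set share one host alias and one port alias,
    so one pfSense rule per profile replaces all of their individual iptables rules."""
    groups = defaultdict(set)
    for host, services in services_by_host(rules_text).items():
        groups[frozenset(services)].add(host)
    return [(sorted(hosts), sorted(svcs)) for svcs, hosts in groups.items()]


def render_aliases(rules_text):
    """Alias contents as text, one entry per line, grouped by profile."""
    lines = []
    for n, (hosts, services) in enumerate(sorted(profiles(rules_text)), 1):
        lines.append(f"# profile {n}: host alias")
        lines.extend(hosts)
        lines.append(f"# profile {n}: port alias (destination shown for the rule)")
        lines.extend(f"{proto}/{port} -> {dst}" for proto, port, dst in services)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_aliases(SAMPLE_RULES))
```

In the sample, six ACCEPT lines collapse into three profiles (and therefore three rules): the two ftp+http hosts share one pair of aliases, the ssh+https host gets its own, and the mysql host keeps its specific destination. On a real 600-line ruleset the number of distinct profiles is what tells you how many rules the pfSense GUI will actually need.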
