pfSense and iptables



  • Hi all,

    I have configured more than 1000 rule sets in my iptables. Now I want to use pfSense instead of iptables. Are there any good solutions for my migration?

    Thanks,
    Tom



  • Nothing built in to pfSense as far as I know.

    You could try FirewallBuilder.  It converts from various firewall rulesets.



  • This might help also, although it still may take some time to parse through the iptables rules - you could possibly do this using a bash or Perl script:

    https://doc.pfsense.org/index.php/Adding_Rules_With_easyrule



  • It depends on how you have configured iptables; you can do some nice things in it which I'm not aware can be done in FreeBSD PF.

    But if your rules are fairly simple, you could create a simple equivalent rule in pfSense, export the backup, look at the XML backup file to understand how the rules are saved in XML, and maybe parse the iptables rules across into the XML backup before importing the XML backup into pfSense.



  • iptables and PF are not very flexible together, and pfSense rules mainly work per interface (WAN, LAN, OPT…), depending on where the packets first arrive at the firewall, while you do everything manually with iptables.

    But if your rules are fairly simple you could create a simple equivalent rule in pfsense

    In my experience, if your iptables rules are more advanced and contain, for example, states, these are handled automatically by pfSense, so you don't need to put in a "return" rule; the equivalent of "RELATED,ESTABLISHED" is used automatically in pfSense, and so on…

    These two firewalls are quite similar but don't work in the same way; it's hard to explain, and it depends on your configuration, but I'm afraid you'll have to recreate your rules for pfSense.

    The main advantage of pfSense is aliases.



  • I should have explained what you have explained, to be clearer, because as you say you don't need to bother with the back/return rule. I do agree with what you say, although have you created a chain to handle both TCP & UDP as one little trick for iptables?

    This probably best sums it up http://www.thegeekstuff.com/2011/01/iptables-fundamentals/
    Tables -> Chains -> Rules.

    I quite like iptables for the ability to have all the control in one place, as you say with the state handling and the traffic shaping, but I write my iptables differently from all the documentation I have seen online and in books, which makes iptables much, much easier to work with and understand, IMO.

    Both are different beasts in implementation though, and to be clear, what do you mean exactly by the alias in pfSense?