ipfilter2ipchains script?

[Erik Norgaard]

Luciano Musacchio wrote:
> is there an ipfilter to ipchains conversion script or program?,
> if not, whats the better solution for a newbie bsd admin to do
> firewalls on linux? (long term plan is bsd-migration of course :)

If you are migrating to bsd, I guess you want conversion ipchains -> 
ipfilter? In any case I wouldn't recommend scripting it, you have now an 
excelent oportunity to review your firewall rules. And, you really need 
to learn how to manage these rules on the new system.

Secondly, it may not be posible at all:

ipchains allows multiple entry points into a chain, in ipfilter the 
corresponding is groups, but groups allows only one entrypoint (head).

ipchains is first match, ipfilter is last match, unless you specify quick.

in ipchains, if no rules match in a chain, you always go back to the 
original, in ipfilter, you can specify "quick" in the head rule and only 
rules below that head will be matched against.

ipchains uses somewhat obscure "masquerading" and a special forward 
chain. in ipfilter it's a separate nat ruleset.

ipchains is stateless packet filtering, packets are allways run though 
the input and the output chain. In ipfilter, you can use keep state in 
the input filtering, then packets going through will only be filtered on 
the way in.

In ipfilter, accounting is a separate ruleset, in ipchains IIRC you add 
a count keyword in the matching rule.

etc...

So, with all these differences and more, better start with the ipfilter 
howto - I needed to read it a few times before it really setled, don't 
just skim it.

cheers, Erik
-- 
Ph: +34.666334818                           web: http://www.locolomo.org
S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt
Subject ID:  A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9
Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73:25:67:C2