Re: [Fwbuilder-discussion] shorewall to fwbuilder migration
From: Mike H. <mi...@fw...> - 2010-10-05 22:36:55
Hi Luc,

Great to hear that you are looking to migrate to Firewall Builder. Are you already managing some other firewalls with Firewall Builder or will this be your first?

Here are a few things to be aware of when you import rules from iptables into Firewall Builder:

*Object Duplication*

When importing, Firewall Builder will automatically create objects for all the items it finds in the iptables rules. These objects are stored in the active library, which is the User library unless you have created another library. This means that after you import you will end up with objects in the User library that "duplicate" objects in the Standard library. For example, if you have a rule that has a protocol TCP and destination port of 22 defined, Firewall Builder will create a TCP service object with destination port 22 which duplicates the predefined SSH TCP service object in the Standard library. After your import is complete you can use the Find function to find-and-replace all the references to the User library TCP service object with the Standard library TCP service object.

*Module Support*

If you are using any unusual iptables modules on your firewall these may not be imported perfectly. Firewall Builder supports many common modules and the import function will attempt to create Custom Service objects to emulate some modules that aren't supported natively, but you could find that you are using a module that isn't supported (if you do, please let us know so we can consider adding support for it).

*Policy Objects / Chains*

After you import the iptables rules the Policy objects for the firewall will match the exact set of chains with associated jumps (called branches in fwbuilder) that were used in the Shorewall firewall. This will be based on the structure optimized for Shorewall and may not be the way you want the rules to look in Firewall Builder.
*Missing Advanced Features Like Groups*

One of the powerful features of Firewall Builder is the ability to create group objects that include a set of objects that are used in a common rule. iptables does not natively support groups, so after you import you will end up with the same number of rules that were in the original iptables configuration. To take advantage of groups you will need to manually create groups and consolidate rules.

Essentially you should be able to import the Shorewall rules into Firewall Builder, but the configuration will not be optimized to take advantage of many of the features of Firewall Builder. With 700+ rules you will have to decide on the trade-off between the time it takes to write the rules from scratch in Firewall Builder and the extra time it will take to maintain a configuration with a large number of rules that aren't optimized for the tool that is being used to manage the rules.

Please let us know if you run into any issues and/or if you have any questions. We hope to continue to improve the import feature in the future, so hearing about your experience would be helpful.

Regards,
-mike

On Tue, Oct 5, 2010 at 1:50 PM, Luc Paulin <lp...@to...> wrote:
>
> We are in the process of upgrading our firewalls. One of them is still
> configured with Shorewall. We would like to take this opportunity to
> migrate rules/nat to fwbuilder. Our shorewall rules config contains over
> 700 lines.
>
> Has anyone had experience migrating shorewall configuration to fwbuilder?
>
> I know that there's the import feature from an iptables-save file, which
> I haven't tried yet, but I would like to know, as per others' experience,
> what the best practice should be in migrating from shorewall to
> fwbuilder. Does anyone have hints to share that may be useful to migrate
> to fwbuilder?
>
> --
> Luc Paulin
> Systems Administrator
> http://www.touchtunes.com/
> lpaulin(at)touchtunes.com
>
> _______________________________________________
> Fwbuilder-discussion mailing list
> Fwb...@li...
> https://lists.sourceforge.net/lists/listinfo/fwbuilder-discussion
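Luc asks for migration hints and Mike explains what the importer does with chains, services and modules. As an added example (not from the thread and not fwbuilder's own code), this POSIX shell script surveys an iptables-save dump before import: the rule count that will be carried over one-to-one, the user chains that will become branches, the proto/dport pairs that will become User-library service objects duplicating Standard ones, and the match modules worth checking against the importer's module support. The dump is a constructed Shorewall-style excerpt, and the chain names and rules in it are assumptions.

```shell
#!/bin/sh
# Pre-import survey of an iptables-save dump (added example, not fwbuilder code):
# what the importer will turn into rules, branches and service objects.
# Constructed Shorewall-style excerpt, not a real dump.
SAMPLE='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:net2fw - [0:0]
:loc2fw - [0:0]
-A INPUT -i eth0 -j net2fw
-A INPUT -i eth1 -j loc2fw
-A net2fw -p tcp -m tcp --dport 22 -j ACCEPT
-A net2fw -p tcp -m tcp --dport 443 -j ACCEPT
-A loc2fw -p tcp -m tcp --dport 22 -j ACCEPT
-A loc2fw -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m recent --name bad --rcheck -j DROP
COMMIT'
# Every -A line becomes one rule; the importer does not group anything.
count_rules() { printf '%s\n' "$1" | grep -c '^-A '; }

# User-defined chains that are jump targets become branches. Output: "chain refs".
branch_chains() {
  printf '%s\n' "$1" | awk '
    /^:/  { n = substr($1, 2); if ($2 == "-") user[n] = 0 }
    /^-A/ { for (i = 1; i < NF; i++) if ($i == "-j" && ($(i+1) in user)) user[$(i+1)]++ }
    END   { for (c in user) if (user[c] > 0) print c, user[c] }' | sort
}

# Distinct proto/dport pairs: each becomes a User-library service object, even
# when Standard already has one (tcp/22 duplicates the predefined SSH object).
service_pairs() {
  printf '%s\n' "$1" | awk '
    /^-A/ { p = ""; d = ""
            for (i = 1; i < NF; i++) { if ($i == "-p") p = $(i+1); if ($i == "--dport") d = $(i+1) }
            if (p != "" && d != "") n[p "/" d]++ }
    END   { for (k in n) print k, n[k] }' | sort
}

# Match modules beyond plain tcp/udp/state/conntrack: check these against the
# importer's module support (Custom Service object or unsupported).
unusual_modules() {
  printf '%s\n' "$1" | awk '
    /^-A/ { for (i = 1; i < NF; i++) if ($i == "-m" && $(i+1) !~ /^(tcp|udp|state|conntrack)$/) m[$(i+1)]++ }
    END   { for (k in m) print k, m[k] }' | sort
}
for f in count_rules branch_chains service_pairs unusual_modules; do
  echo "== $f"; "$f" "$SAMPLE"
done
```

Run it against a real `iptables-save` dump by replacing `SAMPLE` with `$(cat dump.txt)`; the service_pairs list is the find-and-replace worklist Mike describes, and the rule count is the number you are weighing against a rewrite.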