Re: [Fwbuilder-discussion] shorewall to fwbuilder migration

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Hi Luc,

Great to hear that you are looking to migrate to Firewall Builder.  Are you
already managing some other firewalls with Firewall Builder or will this be
your first?  Here are a few things to be aware of when you import rules from
iptables in to Firewall Builder:

*Object Duplication*

When importing Firewall Builder will create automatically create objects for
all the items it finds in the iptables rules.  These objects are stored in
the active library, which is the User library, unless you have created
another library.  After you import this means that you will end up with
objects in the User library that "duplicate" objects in the Standard
library.  For example, if you have a rule that has a protocol TCP and
destination port of 22 defined, Firewall Builder will create a TCP service
object with destination port 22 which duplicates the predefined SSH TCP
service object in the Standard library.  After your import is complete you
can use the Find function to find-and-replace to replace all the references
to User library TCP service object with the Standard library TCP service
object.

*Module Support*

If you are using any unusual iptables modules on your firewall these may not
be imported perfectly.  Firewall Builder supports many common modules and
the import function will attempt to create Custom Service objects to emulate
some modules that aren't supported natively, but you could find that you are
using a module that isn't supported (if you do, please let us know so we can
consider adding support for it).

*Policy Objects / Chains*

After you import the iptables rules the Policy objects for the firewall will
match the exact set of chains with associated jumps (called branches in
fwbuilder) that were used in the Shorewall firewall.  This will be based on
the structure optimized for Shorewall and may not be the way you want the
rules to look in Firewall Builder.

*Missing Advanced Features Like Groups*

One of the powerful features of Firewall Builder is the ability to create
group objects that include a set of objects that are used in a common rule.
 iptables does not natively support groups, so after you import you will end
up with the same number of rules that were in the original iptables
configuration.  To take advantage of groups you will need to manually create
groups and consolidate rules.

Essentially you should be able to import the Shorewall rules in to Firewall
Builder, but the configuration will not be optimized to take advantage of
many of the features of Firewall Builder.  With 700+ rules you will have
decide on the trade-off between the time it takes to write the rules from
scratch in Firewall Builder and the extra time it will take to maintain a
configuration with a large number of rules that aren't optimized for the
tool that is being used to manage the rules.

Please let us know if you run in to any issues and/or if you have any
questions.  We hope to continue to improve the import feature in the future,
so hearing about your experience would be helpful.

Regards,

-mike

On Tue, Oct 5, 2010 at 1:50 PM, Luc Paulin <lp...@to...> wrote:
>
> We are in the process to upgrade our firewalls. One of them is still
> configure with Shorewall. We would like to take this opportunity to
> migrate rules/nat to fwbuilder. Our shorewall rules config contains over
> 700 lines.
>
> Has anyone had experience migrating shorewall configuration to fwbuilder?
>
> I know that there's the import feature from an iptables-save file, which
> I haven't tried yet, but I would like to know as per other's experience
> what should be the best practice in migrating from shorewall to
> fwbuilder. Has anyone have hints to share that may be usefull to migrate
> to fwbuilder.
>
>
> --
>                      !!!!!
>                     ( o o )
>  --------------oOO----(_)----OOo--------------
>    Luc Paulin
>    Administrateur Systèmes
>    http://www.touchtunes.com/
>    lpaulin(at)touchtunes.com
>
>
>
> CONFIDENTIALITY CAUTION
> This e-mail and any attachments may be confidential or legally privileged.
If you received this message in error or are not the intended recipient, you
should destroy the e-mail message and any attachments or copies, and you are
prohibited from retaining, distributing, disclosing or using any information
contained herein. Please inform us of the erroneous delivery by return
e-mail. Thank you for your cooperation.
> DOCUMENT CONFIDENTIEL
> Le présent courriel et tout fichier joint à celui-ci peuvent contenir des
renseignements confidentiels ou privilégiés. Si cet envoi ne s'adresse pas à
vous ou si vous l'avez reçu par erreur, vous devez l'effacer. Vous ne pouvez
conserver, distribuer, communiquer ou utiliser les renseignements qu'il
contient. Nous vous prions de nous signaler l'erreur par courriel. Merci de
votre collaboration.
>
>
------------------------------------------------------------------------------
> Beautiful is writing same markup. Internet Explorer 9 supports
> standards for HTML5, CSS3, SVG 1.1,  ECMAScript5, and DOM L2 & L3.
> Spend less time writing and  rewriting code and more time creating great
> experiences on the web. Be a part of the beta today.
> http://p.sf.net/sfu/beautyoftheweb
> _______________________________________________
> Fwbuilder-discussion mailing list
> Fwb...@li...
> https://lists.sourceforge.net/lists/listinfo/fwbuilder-discussion
>