How to go from iptables to pf?

Hi, is it possible to convert iptables rules into a pf rules file?


Solution 1:

One method would be to use the application FWBuilder. It is primarily a graphical application that can be used to manage firewall rule sets. It also, however, has an import/export feature that can be used to translate between different firewall types. And yes, both iptables and pf are supported.


So it looks like FWBuilder is trickier than I remembered. While you can import rulesets from Cisco and IPTables, you cannot directly export. I went through the process of translating a desktop IPTables ruleset from iptables to pf, and it was a fair amount of effort. Whether it is easier than learning pf syntax and doing a manual conversion, I don't know. That being said, this is the process I took to go from iptables -> pf using fwbuilder.

  1. File -> Import Policy -> Select iptables rule file
  2. Set Platform = iptables, click Next
  3. Change New Firewall type to pf with appropriate Version and Host OS settings (New Firewall -> Edit Firewall Settings)
  4. Create new Interface object (Add New Interface)
  5. Change Direction in Policy frame to their correct direction (inbound/outbound/both)
  6. Add newly created interface to rules where appropriate
  7. Save to FWBuilder format -- File -> Save As -> Select filename to save as

From this point I used an iterative process to filter out any parse problems that fwbuilder had, primarily the direction issues above and things like my rule to drop XMAS packets. I did this by issuing the compile commands directly, instead of using the interface.

  1. fwb_pf -v -f ~/sandbox/firewallwork/desktop_firewall -d ~/sandbox -o ~/sandbox/firewallwork/New\ Firewall.fw 'New Firewall'
  2. If no errors, stop, else
  3. Fix problem in interface
  4. File -> Save
  5. goto 1

This will, eventually, leave you with two files that contain your new pf firewall config, New Firewall.fw, and New Firewall.conf. To reiterate above, after refreshing my memory on the process I am a lot less excited about it as a truly useful solution. However, by comparing the output beside your original ruleset it may help you get a better understanding of how the pf rulesets are developed so you can start managing them yourself.
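
If you end up doing the manual conversion the answer above mentions, the hard part is not the syntax but the semantics: iptables is first-match-wins and its chain policy is the fallback, while pf is last-match-wins unless a rule says `quick`. The script below is an added example, not part of the original answer and not FWBuilder output. It translates a constructed, deliberately small `iptables-save` listing (the kind of desktop ruleset discussed above, including an XMAS-packet drop) into pf rules, emitting the chain policy first as a non-`quick` default and every translated rule with `quick` so the original first-match order is preserved. Anything it does not understand (FORWARD, `-m limit`, LOG) is emitted as a comment rather than dropped silently, which is exactly the class of rule you will have to translate by hand.

```python
"""Translate a small subset of iptables-save output into pf rules.

Scope: filter table, INPUT/OUTPUT chains, -p/-s/-d/-i/-o, --sport/--dport,
--tcp-flags, -m state, and the ACCEPT/DROP/REJECT targets. Everything else is
emitted as a '#' comment so it is visible in the output and can be done by hand.
"""
import shlex

# Constructed sample input (not a real host's ruleset).
SAMPLE_IPTABLES_SAVE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
-A INPUT -p tcp -s 192.0.2.0/24 --dport 22 -j ACCEPT
-A INPUT -p udp --dport 123 -j REJECT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "denied: "
COMMIT
"""

CHAIN_DIRECTION = {"INPUT": "in", "OUTPUT": "out"}
TARGET_ACTION = {"ACCEPT": "pass", "DROP": "block drop", "REJECT": "block return"}
TCP_FLAG_LETTERS = {"FIN": "F", "SYN": "S", "RST": "R", "PSH": "P", "ACK": "A", "URG": "U"}
SIMPLE_OPTS = ("-p", "-s", "-d", "-i", "-o", "--dport", "--sport", "-j", "-m", "--state")


def pf_flags(mask, comp):
    """iptables '--tcp-flags MASK COMP' becomes pf 'flags SET/MASK'."""
    def letters(spec):
        if spec == "ALL":
            return "FSRPAU"
        if spec == "NONE":
            return ""
        return "".join(TCP_FLAG_LETTERS[f] for f in spec.split(","))
    return f"flags {letters(comp)}/{letters(mask)}"


def translate_rule(line):
    """Translate one '-A CHAIN ...' line; return a pf rule or a '#' comment."""
    argv = shlex.split(line)
    chain = argv[1]
    if chain not in CHAIN_DIRECTION:
        return f"# unsupported chain, translate by hand: {line}"
    opts, flags, i = {}, None, 2
    while i < len(argv):
        tok = argv[i]
        if tok == "--tcp-flags":
            flags = pf_flags(argv[i + 1], argv[i + 2])
            i += 3
        elif tok in SIMPLE_OPTS:
            opts[tok] = argv[i + 1]
            i += 2
        else:
            return f"# unsupported option {tok}, translate by hand: {line}"
    if "--state" in opts:
        # pf keeps state on pass rules by default, so this rule has no
        # direct equivalent; the reply traffic is matched by the state table.
        return f"# implicit in pf (pass rules keep state): {line}"
    target = opts.get("-j")
    if target not in TARGET_ACTION:
        return f"# unsupported target {target}, translate by hand: {line}"
    # 'quick' reproduces iptables' first-match-wins evaluation order.
    parts = [TARGET_ACTION[target], CHAIN_DIRECTION[chain], "quick"]
    iface = opts.get("-i") or opts.get("-o")
    if iface:
        parts += ["on", iface]
    if "-p" in opts:
        parts += ["proto", opts["-p"]]
    if "-s" in opts or "--sport" in opts:
        parts += ["from", opts.get("-s", "any")]
        if "--sport" in opts:
            parts += ["port", opts["--sport"]]
    if "-d" in opts or "--dport" in opts:
        parts += ["to", opts.get("-d", "any")]
        if "--dport" in opts:
            parts += ["port", opts["--dport"]]
    if flags:
        parts.append(flags)
    return " ".join(parts)


def translate(iptables_save):
    """Return a list of pf rule lines for the filter table of an iptables-save dump."""
    out, in_filter = [], False
    for raw in iptables_save.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            in_filter = line == "*filter"
        elif not in_filter or not line or line == "COMMIT":
            continue
        elif line.startswith(":"):
            chain, policy, _counters = line[1:].split()
            if chain in CHAIN_DIRECTION and policy in TARGET_ACTION:
                # Chain policy becomes a non-quick default that later quick rules override.
                out.append(f"{TARGET_ACTION[policy]} {CHAIN_DIRECTION[chain]} all")
            else:
                out.append(f"# chain {chain} policy {policy} not translated")
        elif line.startswith("-A "):
            out.append(translate_rule(line))
        else:
            out.append(f"# not translated: {line}")
    return out


if __name__ == "__main__":
    print("\n".join(translate(SAMPLE_IPTABLES_SAVE)))
```

Run it and diff the output against the iptables listing side by side, as the answer suggests doing with the FWBuilder result. The XMAS rule comes out as `block drop in quick proto tcp flags FPU/FSRPAU`, and the `-m limit ... -j LOG` line stays a comment: pf has `log` and `max-src-conn-rate`, but they are not a one-to-one match and deserve a human decision.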

Solution 2:

Assuming you're talking about pfSense: no, this isn't possible, you'll have to enter them by hand.