Firewall Wizards mailing list archives

Re: ipfwadm X ipchains


From: William Stearns <wstearns () pobox com>
Date: Sun, 19 Sep 1999 13:21:16 -0400 (EDT)

Good day, Fabio and Dameon,

On 15 Sep 1999 dwelch () uswestmail net wrote:

> On Mon, 13 September 1999, fgb () domain com br wrote:
> > Can somebody show me the advantages of migrating from ipfwadm to ipchains?
> > Are ipfwadm/ipchains a secure firewall, or should I look for a commercial one?
>
> It's similar code (i.e. kernel-level packet filtering) with a
> different interface, as near as I can tell. One advantage ipchains has
> is that it's far easier to optimize your policy because you can create
> different "chains," which allows you to only process certain rules
> under certain conditions. For me, at least, it took pretty minimal
> time to change my rules from ipfwadm to ipchains.

        Too true.  This can be used to simulate boolean 'and':
if packet matches requirements (A), jump to chain8
        and in chain8
if packet matches requirements (B), accept it
        Both A and B would have to be true for it to be accepted.  Quite
useful if A says "source address not in 127.0.0.1/8" and B says "source
address not in 192.168.0.0/24"

        ipchains also offers:
- the ability to filter on the inverse of a certain parameter, i.e. if the
packet _doesn't_ come in on eth0 or if the source address _isn't_ in the
network 192.168.1.0.  This makes spoof blocking possible right in the
firewall rules.
- support for icmp subcodes, allowing more fine grained filtering of icmp.

        The conversion should be quite simple; simply go to:
http://www.pobox.com/~wstearns/ipfwadm2ipchains/ and download the
ipfwadm2ipchains tool.  Feed your existing ipfwadm firewall file into
stdin and it will spit out the equivalent ipchains firewall.  Command line
examples are on the web page.  I also include instructions on how to
create a single script that works under ipfwadm and ipchains kernels.

        The 2.4.x kernel series, hopefully coming out in December, will
support iptables.  iptables has backwards compatibility modules for
running either ipfwadm or ipchains firewalls.  The native implementation
is extensible; anyone can create new loadable modules that provide either
new matching fields or new actions when a packet matches.  For example,
there's a module that allows matches on the source mac address.
        The extensibility means that IPX, Appletalk, and IPV6 modules are
also possible, though currently not available.
        There are a number of other benefits to the design.  See
http://www.samba.org/netfilter/ for howto documents and an archive of the
mailing list.
        The conversion to native iptables commands is a little hairier,
but I have a first pass at ipchains2iptables at:
ftp://slartibartfast.pa.net/pub/i2i/  .
        Cheers,
        - Bill

---------------------------------------------------------------------------
        "``Threads are like salt.  You like salt, I like salt, but we eat a
lot more pasta than salt.''  The thread guys are trying to tell you that
diet of salt is a good idea.  They are wrong, don't listen, eat more 
pasta and be happy."
        -- Larry McVoy <lm () bitmover com>
--------------------------------------------------------------------------
William Stearns (wstearns () pobox com).  Mason, Buildkernel, named2hosts, 
and ipfwadm2ipchains are at: http://www.pobox.com/~wstearns/
--------------------------------------------------------------------------
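The "boolean and" via a user chain and the inverse (`!`) match described in the post above, written out as a small ipchains script. This is an added example, not code from the post or from the ipfwadm2ipchains tool; it assumes eth0 is the outside interface and 192.168.0.0/24 is the internal LAN, and by default it only prints the rules (set DRYRUN=0 on an ipchains kernel to apply them).

```shell
#!/bin/sh
# Added example (not from the post): spoof blocking as "A AND B" using a
# user-defined chain, following the chain8 pattern from the post.
# Assumptions: eth0 = outside interface, 192.168.0.0/24 = internal LAN.
# DRYRUN=1 (default) prints each rule; DRYRUN=0 also runs ipchains.
DRYRUN=${DRYRUN:-1}

ipc() {
    echo "ipchains $*"
    if [ "$DRYRUN" = 0 ]; then
        ipchains "$@" || return 1
    fi
}

spoof_rules() {
    # user chain that plays the role of "chain8"
    ipc -N spoofck
    # (A) arrived on eth0 AND source is NOT loopback -> jump to spoofck
    ipc -A input -i eth0 -s ! 127.0.0.0/8 -j spoofck
    # (B) inside spoofck: accept only if the source is also NOT our own LAN
    ipc -A spoofck -s ! 192.168.0.0/24 -j ACCEPT
    # a packet that failed A never jumped; one that failed B returned from
    # spoofck and continues here: both cases are logged (-l) and denied
    ipc -A input -i eth0 -l -j DENY
}

spoof_rules
```

Only a packet that satisfies both the input-chain test and the spoofck test reaches ACCEPT; everything else falls through to the logged DENY.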