Firewall Wizards mailing list archives
Re: ipfwadm X ipchains
From: William Stearns <wstearns () pobox com>
Date: Sun, 19 Sep 1999 13:21:16 -0400 (EDT)
Good day, Fabio and Dameon,

On 15 Sep 1999 dwelch () uswestmail net wrote:
> On Mon, 13 September 1999, fgb () domain com br wrote:
> > Somebody can show me the advantages in migrating from ipfwadm to ipchains ? Are the ipfwadm/ipchains a secure firewall or should I look for a commercial one ?
>
> It's similar code (i.e. kernel-level packet filtering) with a different interface, as near as I can tell. One advantage ipchains has is that it's far easier to optimize your policy because you can create different "chains," which allows you to only process certain rules under certain conditions. For me, at least, it took pretty minimal time to change my rules from ipfwadm to ipchains.

Too true. This can be used to simulate boolean 'and': if packet matches requirements (A), jump to chain8, and in chain8 if packet matches requirements (B), accept it. Both A and B would have to be true for it to be accepted. Quite useful if A says "source address not in 127.0.0.1/8" and B says "source address not in 192.168.0.0/24".

ipchains also offers:
- the ability to filter on the inverse of a certain parameter, i.e. if the packet _doesn't_ come in on eth0 or if the source address _isn't_ in the network 192.168.1.0. This makes spoof blocking possible right in the firewall rules.
- support for icmp subcodes, allowing more fine-grained filtering of icmp.

The conversion should be quite simple; simply go to:
http://www.pobox.com/~wstearns/ipfwadm2ipchains/
and download the ipfwadm2ipchains tool. Feed your existing ipfwadm firewall file into stdin and it will spit out the equivalent ipchains firewall. Command line examples are on the web page. I also include instructions on how to create a single script that works under ipfwadm and ipchains kernels.

The 2.4.x kernel series, hopefully coming out in December, will support iptables. iptables has backwards compatibility modules for running either ipfwadm or ipchains firewalls. The native implementation is extensible; anyone can create new loadable modules that provide either new matching fields or new actions when a packet matches. For example, there's a module that allows matches on the source mac address. The extensibility means that IPX, Appletalk, and IPV6 modules are also possible, though currently not available. There are a number of other benefits to the design. See http://www.samba.org/netfilter/ for howto documents and an archive of the mailing list.

The conversion to native iptables commands is a little hairier, but I have a first pass at ipchains2iptables at: ftp://slartibartfast.pa.net/pub/i2i/ .

Cheers,
- Bill
---------------------------------------------------------------------------
"``Threads are like salt. You like salt, I like salt, but we eat a lot more pasta than salt.'' The thread guys are trying to tell you that diet of salt is a good idea. They are wrong, don't listen, eat more pasta and be happy."
-- Larry McVoy <lm () bitmover com>
--------------------------------------------------------------------------
William Stearns (wstearns () pobox com). Mason, Buildkernel, named2hosts, and ipfwadm2ipchains are at:
http://www.pobox.com/~wstearns/
--------------------------------------------------------------------------
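The two ipchains features Bill describes above, a user chain acting as a boolean AND and the `!` inverse match used for spoof blocking, can be modelled in a few lines. This is an added example, not code from the post or from any of Bill's tools; the interface names (eth0 outside, eth1 LAN), the 192.168.0.0/24 range and the chain name chain8 are constructed for the demonstration, and the packet and rule shapes are a simplification of what the kernel actually matches on.

```python
"""Model of ipchains traversal: user chains as boolean AND, '!' for spoof blocking (constructed example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    target: str                   # ACCEPT, DENY, or the name of a user chain to jump to
    iface: Optional[str] = None   # like ipchains -i <if>
    src: Optional[str] = None     # like ipchains -s <net/prefix>
    inv_iface: bool = False       # like ipchains -i ! <if>
    inv_src: bool = False         # like ipchains -s ! <net/prefix>

    def matches(self, pkt: dict) -> bool:
        if self.iface is not None and (pkt["iface"] == self.iface) == self.inv_iface:
            return False          # interface test failed (or, inverted, succeeded)
        if self.src is not None:
            in_net = ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)
            if in_net == self.inv_src:
                return False      # source test failed (or, inverted, succeeded)
        return True

def walk(chains: dict, name: str, pkt: dict) -> Optional[str]:
    """Run one chain; None means it fell off the end and control returns to the caller."""
    for rule in chains[name]:
        if not rule.matches(pkt):
            continue
        if rule.target in ("ACCEPT", "DENY"):
            return rule.target
        verdict = walk(chains, rule.target, pkt)   # jump into a user chain
        if verdict is not None:
            return verdict                          # the user chain decided
    return None

def filter_packet(chains: dict, pkt: dict, policy: str = "DENY") -> str:
    verdict = walk(chains, "input", pkt)
    return policy if verdict is None else verdict   # chain policy applies on fall-through

RULES = {  # constructed ruleset: eth0 is the outside interface, eth1 the 192.168.0.0/24 LAN
    "input": [
        # spoof block via inversion: a LAN-side packet whose source is NOT a LAN address
        Rule("DENY", iface="eth1", src="192.168.0.0/24", inv_src=True),
        Rule("ACCEPT", iface="eth1", src="192.168.0.0/24"),
        # A: source not loopback -> jump to chain8 (first half of the AND)
        Rule("chain8", src="127.0.0.0/8", inv_src=True),
    ],
    # B: source not in the LAN range -> accept (second half of the AND);
    # a packet failing B falls out of chain8 and back into input, where the policy denies it
    "chain8": [Rule("ACCEPT", src="192.168.0.0/24", inv_src=True)],
}
```

`filter_packet(RULES, {"iface": "eth0", "src": "192.168.0.7"})` returns DENY even though rule A matched, because chain8 fell through without a verdict; that fall-through-and-return behaviour is what makes the jump act as an AND rather than an OR.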