Hello,

Check out cp2fwbuilder at freshmeat.net.
I have never tried it so I can't comment on if it's good or bad.

//mb

On Tue, Apr 30, 2002 at 04:17:10PM -0500, James Miller wrote:
> Hi all,
>
> I've been lurking around this list for some time now. Finally speaking up.
> We're setting up a lab to research a migration strategy from CP FW-1 4.1 to
> iptables... Any suggestions/comments/scripts would be greatly welcomed.
> Heck, I may even smell a HOWTO in this... ;)
>
> Thanks,
> Jim
>
> James Miller,
> Network Administrator
> Simutronics Corporation
> www.play.net
> 636.946.4263 x113
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Matthew G. Marsh
> Sent: Tuesday, April 30, 2002 2:37 PM
> To: Moti
> Cc: netfilter
> Subject: Re: A Script Syntax Question
>
> On Mon, 29 Apr 2002, Moti wrote:
>
> > Hi,
> > I'm moving our Checkpoint firewall (4.1) to iptables and Linux.
> > This alone is worth your comments ;-) ..
> > We have a lot of objects and I was thinking of a way to put them all in a
> > script.
> > I was wondering if anyone uses external files and loops for objects.
> > I think an example will be more efficient (my English sucks ..).
> > I have a file called internal_networks ->
> >
> > cat internal_networks
> >
> > 192.168.0.0/24
> > 192.168.1.0/24
> > 192.168.2.0/24
> > and so on
> >
> > and the script has a loop
> >
> > for net in `cat internal_networks` ; do
> >     # MASQUERADE is only valid in the nat POSTROUTING chain, where -o
> >     # (output interface) applies
> >     iptables -t nat -A POSTROUTING -o eth0 -s $net -j MASQUERADE
> > done
>
> Do it all the time. I have one main config file that lists "objects" - in
> some cases these objects are actual such as 192.168.1.0/24 and in some
> cases virtual as in "/etc/sysconfig/myinternalnets.conf".
>
> Then I have several function files that contain functions to do the
> various stuff. FE:
>
> log_firewall() {
>   [ ${FWLOG} -eq 0 ] && return 0
>   fwlog=0
>   while [ $fwlog -lt $FWLOG_HIGH ]; do
>     for INT in `eval echo -n '$FWLOG_INT'$fwlog` ; do
>       for PROTO in `eval echo -n '$FWLOG_PROTO'$fwlog`; do
>         for PORTS in `eval echo -n '$FWLOG_PORTS'${fwlog}'_'${PROTO}`; do
>           pakfw "$INT:$PROTO:$PORTS" "log_firewall" /sbin/iptables -I \
>             acctfwd -i $INT -p $PROTO -s 0/0 -d 0/0 --dport $PORTS \
>             -j LOG --log-prefix "In-$INT-Forward:" --log-tcp-sequence \
>             --log-tcp-options --log-ip-options --log-level debug
>           pakfw "$INT:$PROTO:$PORTS" "log_firewall" /sbin/iptables \
>             -I acctin -p $PROTO -s 0/0 -d 0/0 --dport $PORTS -j LOG \
>             --log-prefix "In-$INT-Forward:" --log-tcp-sequence \
>             --log-tcp-options --log-ip-options --log-level debug
>           pakfw "$INT:$PROTO:$PORTS" "log_firewall" /sbin/iptables -I \
>             acctout -p $PROTO -s 0/0 -d 0/0 --dport $PORTS -j LOG \
>             --log-prefix "In-$INT-Forward:" --log-tcp-sequence \
>             --log-tcp-options --log-ip-options --log-level debug
>         done
>       done
>     done
>     fwlog=$((fwlog + 1))
>   done
> } &>/dev/null
>
> Which does a triple loop over the variables FWLOG_INT, FWLOG_PROTO, and
> FWLOG_PORTS for each FWLOG_HIGH. These variables are coded in the firewall
> logging file as in:
>
> # These define the packet logging for the interfaces. This is the standard
> # logging through iptables.
> FWLOG_HIGH=2
> FWLOG_INT0=eth0
> FWLOG_PROTO0="tcp udp"
> FWLOG_PORTS0_tcp="0:21 23:79 81:1023"
> FWLOG_PORTS0_udp="0:52 54:1023"
> FWLOG_INT1=eth1
> FWLOG_PROTO1="tcp udp"
> FWLOG_PORTS1_tcp="0:21 23:79 81:1023"
> FWLOG_PORTS1_udp="0:52 54:1023"
>
> You get the picture...
>
> > Will that be a good idea? Or would you recommend putting the vars in the
> > script and looping it (e.g. INTERNAL_NETS=`blah blah`)
> > Thanks
> > Moti
>
> You could probably write a simple parser for the objects.C and your *.W
> files that generates most of the netfilter actions for you. I considered
> this a while ago but decided it was too much work. But if you did write a
> parser converter from FW-1 -> NetFilter that would be cool.
>
> --------------------------------------------------
> Matthew G. Marsh, President
> Paktronix Systems LLC
> 1506 North 59th Street
> Omaha NE 68104
> Phone: (402) 932-7250 x101
> Email: [EMAIL PROTECTED]
> WWW: http://www.paktronix.com
> --------------------------------------------------
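As an added example (not code from the thread, from Paktronix, or from cp2fwbuilder), here is the object-file loop from Moti's question written so that the object file is validated before its contents are interpolated into an iptables command line. With `for net in \`cat file\``, any stray token in the file becomes an iptables argument; the script below checks each line against a CIDR pattern, reports and skips bad entries instead of aborting halfway through a ruleset load, and emits the commands as text so they can be reviewed or diffed before being fed to a shell. The object file contents, the interface name `eth0` and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: generate MASQUERADE rules from an
# "object" file of networks, one CIDR per line, '#' comments allowed.
# Rules are printed rather than applied, so they can be reviewed with
#   sh gen.sh > rules.sh && less rules.sh
# and applied later with  sh rules.sh  once they look right.

# Constructed sample object file, in the same one-network-per-line layout
# as the internal_networks file quoted in the thread, plus one bad entry.
OBJ_FILE="${TMPDIR:-/tmp}/internal_networks.$$"
cat > "$OBJ_FILE" <<'EOF'
# internal networks (constructed sample)
192.168.0.0/24
192.168.1.0/24   # trailing comment is allowed
10.0.0.0/8
not-a-network
EOF

# is_cidr NET -> exit 0 if NET looks like a dotted-quad with a /0../32
# prefix length, 1 otherwise. (Octet range 0-255 is not checked here;
# iptables itself rejects an octet such as 999.)
is_cidr() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# gen_masq_rules FILE IFACE -> print one MASQUERADE rule per valid network.
# Invalid entries are reported on stderr and skipped, so a single typo in
# the object file cannot leave the firewall half-built.
gen_masq_rules() {
    file="$1"; iface="$2"
    while IFS= read -r line; do
        net="${line%%#*}"                          # strip trailing comment
        net="$(echo "$net" | tr -d '[:space:]')"   # strip whitespace
        [ -z "$net" ] && continue                  # blank/comment-only line
        if ! is_cidr "$net"; then
            echo "skipping invalid object: $net" >&2
            continue
        fi
        # MASQUERADE is only valid in the nat POSTROUTING chain, which is
        # also the only place -o (output interface) applies.
        echo "iptables -t nat -A POSTROUTING -o $iface -s $net -j MASQUERADE"
    done < "$file"
}

# count_rules FILE IFACE -> number of rules that would be generated.
count_rules() {
    gen_masq_rules "$1" "$2" 2>/dev/null | wc -l | tr -d ' '
}

gen_masq_rules "$OBJ_FILE" eth0
```

Run it as `sh gen.sh`: the three valid networks produce three POSTROUTING rules on stdout and the `not-a-network` line produces one warning on stderr. The same pattern extends to Matthew's per-interface variables: validate the interface name and port list before they reach `/sbin/iptables`, whichever file they are read from.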