[c-nsp] Migration from IPFilter to IOS Firewall

Affan Basalamah affanzbasalamah at gmail.com
Fri Jun 8 12:55:10 EDT 2007


Hi all,

Sorry for hijacking the thread,
I'm just looking for best practices for committing packet filter
changes from ipfilter to pf (that is the thing I want to do
immediately), and maybe I will change boxes from FreeBSD pf to a
dedicated appliance box (such as ASA or SSG).

Since I have over 300 lines of ipf config, I need a better way to
migrate my ipf config than manually inspecting it one line at a time.
Maybe someone could give me some suggestions.
Thanks!

-affan

On 6/8/07, Ted Mittelstaedt <tedm at toybox.placo.com> wrote:
>
> You're going to be better off sticking with your ipfilter solution -
> you do know you don't have to field it on a Sun, correct?
>
> The power available in off-the-shelf PC hardware is an order of
> magnitude greater than available in all but the most expensive
> Cisco routers.  Most Cisco routers running IOS Firewall would
> drown under a concerted DDoS attack that a modern PC wouldn't
> even notice.
>
> There's a lot of people that use routers for routing and PCs
> for firewalls and thus get a best-of-breed solution.
>
> NAT between the 2 systems is a wash - it's just not that intensive,
> unless you get a virus-infected system behind the address translator,
> and in that case it's better for the rest of us on the Internet if
> your infected network overflows your NAT device and thereby takes
> itself offline.
>
> But firewalling is a different animal.  Particularly since you're
> very familiar with ipfilter and not familiar with the IOS Firewall
> feature set.
>
> Ted
>
> > -----Original Message-----
> > From: cisco-nsp-bounces at puck.nether.net
> > [mailto:cisco-nsp-bounces at puck.nether.net]On Behalf Of Sridhar Ayengar
> > Sent: Wednesday, June 06, 2007 1:10 AM
> > To: cisco-nsp at puck.nether.net
> > Subject: [c-nsp] Migration from IPFilter to IOS Firewall
> >
> >
> >
> > I'm planning a migration for a single location from a Sun running
> > ipfilter (and ipnat) to a Cisco Router with IOS Firewall feature set.  I
> > am not particularly familiar with the IOS Firewall configuration.  I am,
> > however, very familiar with the configuration of ipfilter/ipnat.  With
> > the help of the IOS Firewall feature set docs, I'm muddling my way
> > towards a better understanding.
> >
> > What I'm wondering is, is there any information out there regarding
> > translating configuration from the ipfilter idiom to the IOS idiom?  Or
> > even the reverse?  Could anyone point me in the right direction?
> >
> > Thanks a bunch.
> >
> > Peace...  Sridhar
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/