converting weird bsd ipfw ruletable to asa/pix acl's

Unanswered Question
Mar 5th, 2008

Has anyone found a viable way of converting the very odd rule definitions of an ipfw on BSD to a usable format like ACLs? I am really breaking my brain with stuff like "skip" rules: why would you want that, and how can I convert that to a usable ACL? The manual way is killing me, because skip seems to jump around in the ruleset on some specific traffic to a count rule and then some more rules, so the actual ruleset is not read on a first-match-only basis, but also jumps around to other parts of the rules at runtime.

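To make the jumping behaviour the question describes concrete, here is an added example (not from the original post or from ipfw itself) that evaluates a small constructed ruleset in a toy ipfw subset, honouring skipto and count, and compares the result with a hand-flattened first-match list in ACL style. The rule syntax, the packet dict format and the implicit default-deny at the end are assumptions of this toy; the point it demonstrates is that a skipto block must be folded into the rules it jumps to and placed ahead of the rules it bypasses, otherwise a line-by-line translation changes which packets are permitted.

```python
import ipaddress

def rule(num, action, proto, src, dst, dport=None, target=None):
    """One rule of a toy ipfw subset (assumption: simplified syntax)."""
    return dict(num=num, action=action, proto=proto, src=src, dst=dst,
                dport=dport, target=target)

# Constructed sample ruleset: a skipto jumps past the main rules to a count rule.
IPFW_RULES = [
    rule(100, "skipto", "tcp", "any", "10.0.0.0/24", target=1000),
    rule(200, "allow", "ip", "192.168.1.0/24", "any"),
    rule(300, "deny", "ip", "any", "any"),
    rule(1000, "count", "ip", "any", "any"),
    rule(1100, "allow", "tcp", "any", "10.0.0.0/24", dport=80),
    rule(1200, "deny", "ip", "any", "any"),
]

# Hand-flattened first-match equivalent: the skipto condition is ANDed into each
# rule of the block it jumps to, placed ahead of the rules the jump bypasses.
ACL_RULES = [
    rule(10, "allow", "tcp", "any", "10.0.0.0/24", dport=80),
    rule(20, "deny", "tcp", "any", "10.0.0.0/24"),
    rule(30, "allow", "ip", "192.168.1.0/24", "any"),
    rule(40, "deny", "ip", "any", "any"),
]

def matches(r, pkt):
    # pkt is a dict with proto, src, dst and an optional dport
    if r["proto"] != "ip" and r["proto"] != pkt["proto"]:
        return False
    for key in ("src", "dst"):
        if r[key] != "any" and (ipaddress.ip_address(pkt[key])
                                not in ipaddress.ip_network(r[key])):
            return False
    return r["dport"] is None or r["dport"] == pkt.get("dport")

def evaluate(rules, pkt, honor_skipto=True):
    """Walk rules as ipfw does: allow/deny ends evaluation, count records a hit
    and continues, skipto jumps forward to the first rule numbered >= target.
    honor_skipto=False treats skipto as a no-op (the naive translation error).
    On a list without skipto/count this is plain first-match ACL evaluation."""
    i, trace = 0, []
    while i < len(rules):
        r = rules[i]
        i += 1
        if not matches(r, pkt):
            continue
        trace.append(r["num"])
        if r["action"] in ("allow", "deny"):
            return r["action"], trace
        if r["action"] == "skipto" and honor_skipto:
            i = next((j for j, s in enumerate(rules) if s["num"] >= r["target"]),
                     len(rules))
    return "deny", trace  # implicit default-deny rule at the end (assumption)
```

Running the same packets through both lists is the regression check to keep while converting by hand: a TCP packet from 192.168.1.5 to 10.0.0.7 port 22 is denied by the ipfw walk (100, 1000, 1200) and by the flattened ACL (20), but would be allowed by rule 200 if skipto were ignored.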
cisco24x7 Wed, 03/05/2008 - 17:07

The simple answer is NO. Pix lacks a lot of the features that are offered in other firewalls. There are some vendors out there that claimed that they can convert the rulebase for you, such as Solsoft. I did a project of converting checkpoint rules into Pix rules and the configuration on the Pix went up to 900K lines in the configuration. Pix could not handle it and blew up.

I've tried Solsoft and it can not do the conversion either.

CCIE Security
