Main section

This is the ipfwadm2ipchains script, designed to convert ipfwadm rulesets into ipchains rulesets. Simply feed it your ipfwadm rules via stdin and it will print out the corresponding ipchains rules.

For example, here's our example ipfwadm firewall, stored in rust.examples:

ipfwadm -F  -p deny
ipfwadm -F -a m -S -D
ipfwadm -I -a accept -V -S -D

Process it with ipfwadm2ipchains, like so:

cat rust.examples | ipfwadm2ipchains >rust.ipchains

and you get the output file rust.ipchains:

ipchains -P forward DENY
ipchains -A forward -j MASQ -s -d
ipchains -A input -j ACCEPT -i eth0 -s -d

Neat trick

Make a file called new_rules and place the following lines in it:

if [ -f /proc/net/ip_fwchains ]; then
The contents of your new ipchains ruleset file
elif [ -f /proc/net/ip_input ]; then
The contents of your original ipfwadm ruleset file

This new combined file will work under both an ipchains and an ipfwadm kernel.

Known issues


For a complete list of all files, see filelist.html.

To download one of the following, right click on it and choose "Save link as..." or something like that. /usr/bin/ might be an appropriate place for it.

ipfwadm2ipchains (the latest version).

Version 0.5.2. 0.5.2 handles blank lines in input correctly.

Version 0.5.1. I made a mistake in 0.5.0 in the "Insert Rule" conversion by reversing the rule name and number.

Version 0.5.0.

This first release needs some testing; let me know what you find.

dotfile-prep. I wrote a small wrapper script for use with the ipfwadm dotfile generator. It's not really tested heavily as I don't use that program.


If you have suggestions or questions, please email me at

I'm especially interested in even brief success or failure reports.


This program drew on the conversion table in Appendix A of the ipchains-HOWTO - Thanks, Rusty.

Other tools

Mason, the automatic firewall builder, Buildkernel, the automated tool for building Linux kernels.

Best viewed with something that can show web pages... <grin>