Hi,

How do you manage your pf.conf?

My setup: I have 9 firewalls with CARP, each with around 500 lines of pf.conf, except one firewall (more on that later). I edit the pf.conf manually. Every logical pf rule has a unique identifier (a number) which I add manually and which maps to the rule on a wiki page. The wiki page has this format.

START WIKI PAGE

=== Firewall

This firewall is for ...

== ID

An ID identifies one or more rules for a particular service. Please use the
next free ID.

    Last used ID: 21

== Changelog

No | Date | Action | Executed by

== Tables

Table | Content

== NAT/Redirection

ID | Description | Source | Port | Destination | Port | NAT-To | Redirect-To | Protocol | Date

== Rules

ID | Description | Direction (outgoing/incoming/forwarded) | Source | Port | Destination | Port | Protocol | Date

END WIKI PAGE

I use a script to manually copy the changed pf.conf to the corresponding CARP partner to keep the firewall pair in sync. Idea: to check the sync state of pf.conf, Icinga could compare the file dates of the two pf.conf files.

This works quite well for me and my firewalls, with one exception: my big fat central router/firewall. This firewall has around 2000 lines of pf.conf, has 12 VLAN interfaces attached, and is slowly becoming unmanageable with this concept.

How do you manage such big firewalls? Do you split the pf.conf into logical parts? Do you use a base structure for every pf.conf? Do you use a tool for automatic creation of pf.conf? How do you test your old rules after you have changed something?

I'm happy about any feedback.

Best Regards,
Patrick

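Added example, not part of Patrick's post and not any pf or OpenBSD tooling: a few POSIX sh helpers around the two things the post describes by hand, the "one numeric ID per logical rule" convention (the wiki's "Last used ID" line) and the CARP-partner sync check. It assumes a tagging convention the post does not specify, a comment line of the form `# ID: <number>` in front of each logical rule block; that tag, the macro and table names, and the sample rules are all constructed for the example. The sync check compares file content with `cksum` instead of file dates, so a partner copy that was touched but not updated (or updated but not touched) is still reported correctly.

```shell
#!/bin/sh
# Added example (not from the original post). Small helpers around the
# "one numeric ID per logical rule" convention and the CARP-partner sync
# check described in the post.
# Assumption (hypothetical, not stated in the post): each logical rule block
# in pf.conf is preceded by a comment line of the form "# ID: <number>".

# Print every ID tag found in a pf.conf, one per line, numerically sorted.
used_ids() {
    sed -n 's/^# *ID: *\([0-9][0-9]*\).*/\1/p' "$1" | sort -n
}

# Next free ID = highest used ID + 1 (1 for a file without any ID tags).
# This is what the wiki's "Last used ID" line tracks by hand.
next_free_id() {
    max=$(used_ids "$1" | tail -n 1)
    echo $(( ${max:-0} + 1 ))
}

# IDs that occur more than once: usually a copy/paste slip that makes the
# wiki row ambiguous. Empty output means the file is clean.
duplicate_ids() {
    used_ids "$1" | uniq -d
}

# Are two pf.conf copies identical? Compares content (POSIX cksum), so a
# partner copy whose mtime matches but whose content differs is caught.
pfconf_in_sync() {
    a=$(cksum < "$1")
    b=$(cksum < "$2")
    [ "$a" = "$b" ]
}

# ---- constructed sample data (not a real firewall) ----------------------
TMP=$(mktemp -d)
cat > "$TMP/pf.conf.master" <<'EOF'
# ID: 3
# Description: management SSH to the firewall itself
pass in on $mgmt proto tcp from <admins> to self port 22
# ID: 7
# Description: public web servers in the DMZ
pass in on $ext proto tcp from any to <webservers> port { 80 443 }
# ID: 7
# Description: staging web server (deliberate duplicate ID in this sample)
pass in on $ext proto tcp from any to <staging> port 8443
# ID: 21
# Description: NTP from the firewall to the outside
pass out on $ext proto udp from self to any port 123
EOF
cp "$TMP/pf.conf.master" "$TMP/pf.conf.partner_ok"
# A partner copy that silently drifted: one port changed.
sed 's/port 123$/port 1234/' "$TMP/pf.conf.master" > "$TMP/pf.conf.partner_stale"

echo "used IDs:      $(used_ids "$TMP/pf.conf.master" | tr '\n' ' ')"
echo "next free ID:  $(next_free_id "$TMP/pf.conf.master")"
echo "duplicate IDs: $(duplicate_ids "$TMP/pf.conf.master")"
for p in partner_ok partner_stale; do
    if pfconf_in_sync "$TMP/pf.conf.master" "$TMP/pf.conf.$p"; then
        echo "$p: in sync"
    else
        echo "$p: DIFFERS from master"
    fi
done
# Sample files are left under $TMP; remove them with: rm -rf "$TMP"
```

On a real firewall the natural place for `duplicate_ids` and `pfconf_in_sync` is the copy script itself: refuse to push a file that has duplicate IDs, run `pfctl -nf <file>` (parse only, do not load) on the master before copying, and let the monitoring check call `pfconf_in_sync` against a copy fetched from the partner rather than comparing timestamps.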