On Thu, 11 Jul 2013 13:18:13 +0200 (CEST), Jummo <[email protected]> wrote:
> This works quite well for me and my firewalls with one exception, my
> big fat central router/firewall. This firewall has around 2000 lines
> of pf.conf, is attached with 12 VLAN interfaces and gets slowly
> unmanageable with this concept.
>
> How do you manage such big firewalls? Do you split the pf.conf into
> logical parts? Do you use a base structure for every pf.conf? Do you
> use a tool for automatic creation of pf.conf? How do you test your
> old rules after you changed something?

We have a large set of rules at work on several routers/firewalls and we use a tool, 'list firewall (lsfw)', to help manage the rule set. The goal is to display the rules applied between a source address and a destination, on several pieces of equipment doing routing and firewalling.

See: https://groupes.renater.fr/wiki/jtacl/index

It has some other features, IP cross-references for example, which is cool for knowing where an address is used directly or indirectly (in a table/group), or for extracting the addresses from the configurations and automating tests on them.

That works fine at work (PF + Cisco + Checkpoint), but there are some limitations (see the doc...).

My next step is a tool to manage security policies. I mean, if someone asks to open a port, we should be able to track this policy (who, why, which rules are used) and to check it. This is work in (slow) progress. If someone already has such a tool, please let me know :)

If you want more details, ask me; this is a bit off topic here.

Regards.
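As an added illustration of the "IP cross-reference" idea mentioned in the reply above (example code written for this page, not part of the original message nor of lsfw/jtacl), here is a minimal Python cross-referencer over a constructed pf.conf fragment: for one address it reports which inline tables contain it and which rules use it, either directly or through such a table. The table names, VLAN interfaces and addresses are constructed assumptions, and only tables defined inline in pf.conf are handled (no `file` directives, no macros).

```python
import ipaddress
import re

# Constructed sample pf.conf fragment (not a real configuration).
SAMPLE_PF_CONF = """\
# constructed example
table <admins> { 192.0.2.10, 192.0.2.11 }
table <dmz> persist { 198.51.100.0/24 }
pass in on vlan10 proto tcp from <admins> to <dmz> port 22
block in quick on vlan20 from 192.0.2.10 to any
pass out on vlan30 from 198.51.100.5 to any
pass in on vlan40 from 203.0.113.0/24 to <dmz>
"""

TABLE_RE = re.compile(r"^table\s+<(\w+)>[^{]*\{([^}]*)\}")
RULE_START = ("pass", "block", "match")


def _to_network(token):
    """Return an ip_network for an address/CIDR token, or None otherwise."""
    try:
        return ipaddress.ip_network(token.rstrip(","), strict=False)
    except ValueError:
        return None


def parse_tables(conf):
    """Map table name -> list of networks defined inline in the pf.conf."""
    tables = {}
    for line in conf.splitlines():
        m = TABLE_RE.match(line.strip())
        if m:
            nets = [_to_network(t) for t in m.group(2).replace(",", " ").split()]
            tables[m.group(1)] = [n for n in nets if n is not None]
    return tables


def cross_reference(conf, address):
    """Where is `address` used?  Returns the tables that contain it and the
    rules (line number, rule text, how) that reference it directly or via
    one of those tables."""
    ip = ipaddress.ip_address(address)
    tables = parse_tables(conf)
    hit_tables = sorted(n for n, nets in tables.items() if any(ip in net for net in nets))
    rules = []
    for lineno, line in enumerate(conf.splitlines(), 1):
        text = line.strip()
        if not text.startswith(RULE_START):
            continue  # comments, tables, macros: not rules
        how = []
        for tok in text.split():
            if tok.startswith("<") and tok.endswith(">") and tok[1:-1] in hit_tables:
                how.append("via " + tok)  # indirect use through a table
            else:
                net = _to_network(tok)
                if net is not None and ip in net:
                    how.append("direct")  # literal address or CIDR
        if how:
            rules.append((lineno, text, ", ".join(how)))
    return {"tables": hit_tables, "rules": rules}
```

Running `cross_reference(SAMPLE_PF_CONF, "192.0.2.10")` lists table `admins` and the two rules on lines 4 (via the table) and 5 (direct), which is the kind of answer to "where is this address used?" that makes a change to a large rule set reviewable.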

