On 07/11/2013 07:18 AM, Jummo wrote: > Hi, > > How do you manage your pf.conf? > > My setup: I have 9 firewalls with carp and each with around 500 lines of > pf.conf, except one firewall, later more. I edit the pf.conf manually. > Every logical pf rule has a unique identifier (a number) which I add > manually and maps to the rule on a wiki page. The wiki page has this > format. > > START WIKI PAGE > > === Firewall > > This firewall is for ... > > == ID > > A ID identify one or more rules for a particular service. Please use the > next free ID. > > Last used ID: 21 > > == Changelog > > No | Date | Action | Executed by > > == Tables > > Table | Content > > == NAT/Redirection > > ID | Description | Source | Port | Destination | Port | NAT-To | > Redirect-To | > Protocol | Date > > == Rules > > ID | Description | Direction (outgoing/incoming/forwarded) | Source | > Port | Destination | Port | Protocol | Date > > END WIKI PAGE > > I use a script to manually copy the changed pf.conf to the corresponding > carp partner to keep the firewall pair in sync. Idea: To check the sync > state of pf.conf, Icinga cloud compare the file date of the two pf.conf. > > This works quiet good for me and my firewalls with one exception, my big > fat central router/firewall. This firewall has around 2000 lines of > pf.conf, is attached with 12 VLAN interfaces and get slowly unmanageable > with this concept. > > How to you manage such big firewalls? Do you split the pf.conf into > logical parts? Do you use a base structure for every pf.conf? Do you use > a tool for automatic creation of pf.conf? How do you tests your old > rules after you changed something? > > I'm happy about any feedback. > > Best Regards, > Patrick > >
vim(1), git(1) and sh(1). I edit with Vim, then commit. Pre-commit hooks in git check the syntax with pfctl(1). Post-commit hooks push the commits to our central repo and trigger all hosts in the cluster to pull and apply the changes. A few status checks happen along the way to ensure things stay consistent-- mostly. The hooks are modular so the various stages may be run alone, if needed. Something similar could probably be done with rdist(1) or rsync(1). ----- *question everything*learn something*answer nothing* ------------ Lucas Yamanishi ------------------ Systems Administrator, ADNET Systems, Inc. NASA Space and Earth Science Data Analysis (606.9) 7515 Mission Drive, Suite A100 Lanham, MD 20706 * 301-352-4646 * 0xE23F3D7A
