Hi list, I need some hints to manage a pf ruleset of more than about 150 rules.

In my company we want to design a firewall cluster with about 10 interfaces. We plan to use two Dell 1850s with two DFE-580TX quad-port NICs. Each interface points to a separate subnet. The cluster should use carp for redundancy.

The problem is to manage the whole ruleset in a comfortable way. One of my ideas is to put the ruleset of each subnet into an extra file and load it into pf with anchors. This will reduce the main ruleset extremely. The disadvantage is that all macros listed in the main ruleset have to be listed in the subnet ruleset too - this is a little bit error-prone. In my opinion bandwidth management with separate files is not an elegant way as well. Interface groups are not the solution, because the subnet rulesets are too different. In the end, I have to put all rules into a single file.

So is there a better way to handle big rulesets?

Cheers
Joerg.

--
Joerg Streckfuss, DFN-CERT Services GmbH
PGP RSA/2048, E0D4BD3F, 90 C3 FB 4A CB D3 20 70 6B 04 47 84 B5 3C 28 8C
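One way to get the per-subnet anchor files the poster describes without copying the macro block into each of them by hand, as an added example that is not part of the original post or of any reply: keep a single shared macros file, generate each anchor's ruleset by prepending those macros to the subnet's rules, check that every `$macro` the subnet file references is actually defined, and only then let `pfctl -n` validate and load the anchor. The directory `/etc/pf.d`, the file names `macros.conf`, `*.rules` and `*.built`, and the anchor names derived from the file names are assumptions for this example, not anything the poster described.

```sh
#!/bin/sh
# Added example, not from the original post. Builds one anchor ruleset per subnet
# from a shared macro file plus a per-subnet rule file, checks macro references,
# syntax-checks with pfctl -n and loads each file into its own anchor.
# Assumed layout (hypothetical): $PFDIR/macros.conf and $PFDIR/<subnet>.rules;
# the main pf.conf would carry 'anchor "<subnet>" on $<subnet>_if' for each one.

PFDIR="${PFDIR:-/etc/pf.d}"

# build_anchor_ruleset MACROS RULES OUT
# Writes MACROS followed by RULES into OUT so the anchor sees exactly the same
# macro definitions as the main ruleset; nothing is maintained twice.
build_anchor_ruleset() {
    macros="$1"; rules="$2"; out="$3"
    {
        echo "# generated from $macros and $rules - edit those, not this file"
        cat "$macros"
        echo
        cat "$rules"
    } > "$out"
}

# check_macros MACROS RULES
# Every $name referenced in RULES must have a 'name = ...' line in MACROS.
# Returns 1 and names the missing macros, so a typo is caught before loading.
check_macros() {
    macros="$1"; rules="$2"; rc=0
    for m in $(grep -o '\$[A-Za-z_][A-Za-z0-9_]*' "$rules" | tr -d '$' | sort -u); do
        grep -q "^[[:space:]]*$m[[:space:]]*=" "$macros" || {
            echo "undefined macro \$$m referenced in $rules" >&2
            rc=1
        }
    done
    return $rc
}

# load_anchor NAME FILE
# Dry-run first: a rejected file must not replace a working anchor ruleset.
load_anchor() {
    name="$1"; file="$2"
    pfctl -n -a "$name" -f "$file" || return 1
    pfctl -a "$name" -f "$file"
}

# Only act on the real system when explicitly asked; sourcing the file for the
# functions alone (as the test below does) must not touch pf.
if [ "${1:-}" = "--load" ]; then
    for rules in "$PFDIR"/*.rules; do
        name=$(basename "$rules" .rules)        # dmz.rules -> anchor "dmz"
        built="$PFDIR/$name.built"
        check_macros "$PFDIR/macros.conf" "$rules" || exit 1
        build_anchor_ruleset "$PFDIR/macros.conf" "$rules" "$built"
        load_anchor "$name" "$built" || exit 1
    done
fi
```

Run as `sh build-anchors.sh --load` from the main pf.conf reload step (or from the CARP state-change hook, so both cluster members always load the same generated files). Because the generated `.built` files are the only thing pf ever sees, the subnet rule files stay short and the macro definitions live in exactly one place.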

