On Wed, Feb 01, 2006 at 12:28:33PM +0100, Joerg Streckfuss wrote:
> Hi list,
>
> I need some hints for managing a pf ruleset of more than about 150 rules.
>
> In my company we want to design a firewall cluster with about
> 10 interfaces. We plan to use two Dell 1850s with two DFE-580TX
> quad-port NICs.
> Each interface points to a separate subnet. The cluster should use carp
> for redundancy.
>
> The problem is managing the whole ruleset in a comfortable way. One of
> my ideas is to put the ruleset for each subnet into a separate file and
> load it into pf with anchors. This would reduce the main ruleset
> considerably.
> The disadvantage is that all macros listed in the main ruleset have to
> be listed in the subnet rulesets too, which is a bit error-prone.
> In my opinion, bandwidth management with separate files is not an elegant
> way either.
> Interface groups are not the solution, because the subnet rulesets are
> too different.
> In the end, I have to put all the rules into a single file.
>
> So is there a better way to handle big rulesets?

From what I hear, you'd be pretty happy with the following Makefile:

.PHONY: all

# The order matters: pf macros must be defined before they are used, so
# the shared definitions come first.
PF_OBJS=/etc/pf.d/hosts /etc/pf.d/server_rules /etc/pf.d/client_rules \
	/etc/pf.d/bandwidth

all: /etc/pf.conf

# Recipe lines must be indented with a tab.
/etc/pf.conf: $(PF_OBJS)
	umask 077 && cat $(PF_OBJS) > /etc/pf.conf.new
	mv /etc/pf.conf.new /etc/pf.conf

Makefiles are very useful for system administration. I always have a
couple lying around in strategic places.
For an even more convenient solution, put this in a distfile (see
rdist(1)):
# Please note the Makefile is under /etc/pf.d!
F_PF = ( /etc/pf.d )
H_PF = ( [EMAIL PROTECTED] [EMAIL PROTECTED] )

update-fws: ${F_PF} -> ${H_PF}
	install -o younger,remove / ;
	cmdspecial "cd /etc/pf.d && make" ;

The only real disadvantage is the required root access. It can be
curtailed a bit, but not much - rdist requires write access to quite a
few critical files, usually.
Joachim
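
Joachim's Makefile only concatenates. The script below is an added example, not part of his message or of any project: it does the same assembly from a fragment directory (the /etc/pf.d layout with name-ordered fragments such as 10-macros and 20-rules is an assumption, as is pfctl being in PATH), but runs pfctl -nf on the assembled file before it replaces /etc/pf.conf, so an undefined macro or a typo in one fragment is caught and the known-good file, the one loaded at the next boot, stays in place. Putting the shared macro file first also answers the original poster's duplication problem: every later fragment sees the macros without repeating them.

```shell
#!/bin/sh
# Added example (not from Joachim's message): assemble pf.conf from a
# directory of name-ordered fragments, parse-check it with pfctl -nf, and
# only then replace the installed file. The fragment layout
# (10-macros, 20-rules, ... in /etc/pf.d) and the pfctl path are assumptions.
set -eu

# pfctl binary; overridable so the assembly logic can be exercised on a
# host without pf (e.g. PFCTL=true for a dry run).
PFCTL="${PFCTL:-pfctl}"

# build_pfconf SRCDIR OUT
# Concatenate every regular file in SRCDIR, in name order, into OUT.new.
# umask 077 in the subshell makes the new file 0600 from the start, so the
# ruleset is never briefly readable by other users. Prints the temp path.
build_pfconf() {
    srcdir=$1
    out=$2
    tmp="$out.new"
    (
        umask 077
        : > "$tmp"
        for f in "$srcdir"/*; do
            [ -f "$f" ] || continue
            printf '# ---- %s ----\n' "$f" >> "$tmp"
            cat "$f" >> "$tmp"
        done
    )
    printf '%s\n' "$tmp"
}

# check_pfconf FILE
# Parse-only: pfctl -nf reports syntax errors and undefined macros without
# touching the running ruleset.
check_pfconf() {
    "$PFCTL" -nf "$1"
}

# install_pfconf TMP OUT
# rename(2) is atomic, so OUT is always either the old or the new complete
# file, never a half-written one; then load it.
install_pfconf() {
    mv "$1" "$2"
    "$PFCTL" -f "$2"
}

# rebuild_pf SRCDIR OUT
# Full cycle. On a parse failure the temp file is removed, the known-good
# OUT is left untouched and the function returns non-zero.
rebuild_pf() {
    tmp=$(build_pfconf "$1" "$2")
    if ! check_pfconf "$tmp"; then
        rm -f "$tmp"
        echo "rebuild_pf: $tmp failed pfctl -nf; $2 not replaced" >&2
        return 1
    fi
    install_pfconf "$tmp" "$2"
}

# Usage: sh build-pf.sh /etc/pf.d /etc/pf.conf
if [ $# -eq 2 ]; then
    rebuild_pf "$1" "$2"
fi
```

Run it as `sh build-pf.sh /etc/pf.d /etc/pf.conf`, or call `rebuild_pf` from the Makefile's /etc/pf.conf target in place of the cat and mv lines; the rdist `cmdspecial` then gets the parse check for free on every push.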