I wrote this little script to copy and reload rules on two firewalls. Thought
I'd share it here in case it is any use or I am missing something. (My
money's on the latter :).) It just needs a separate user with the correct sudo
privileges to run certain commands.
It's very verbose just so I could see which bits were failing when I wrote it
(every time I write a shell script I forget how to do an "if").
Ashley
#####
#!/bin/sh
# Parse the new ruleset first; if it fails, nothing running is touched.
echo "Testing new rules..."
sudo pfctl -nf /etc/pf.conf
if [ $? -gt 0 ]
then
    echo "New rules failed to parse; existing rules left in place."
    exit 1
fi
# Note: pfctl -f replaces the whole ruleset in one step, so the flush is not
# required and leaves pf with no rules until the load below completes.
echo "New rules are valid. Flushing existing rules..."
sudo pfctl -F nat
sudo pfctl -F queue
sudo pfctl -F rules
echo "Loading new ruleset into pf..."
sudo pfctl -ANR -f /etc/pf.conf
# work out the name of the other firewall
case `hostname` in
firewall1.YOURDOMAIN)
    TARGET_FIREWALL=firewall2
    ;;
firewall2.YOURDOMAIN)
    TARGET_FIREWALL=firewall1
    ;;
*)
    echo "Hostname for local server is set wrong"
    exit 1
    ;;
esac
# stage a copy that the unprivileged sync user can read and upload
TEMP_PF_DIR=~/pf
mkdir -p "$TEMP_PF_DIR"
sudo cp /etc/pf.conf "$TEMP_PF_DIR/pf.conf.local"
sudo chown administrator "$TEMP_PF_DIR/pf.conf.local"
echo
echo "Installing rules on paired firewall..."
echo "put $TEMP_PF_DIR/pf.conf.local pf/pf.conf" | sftp "$TARGET_FIREWALL"
# Everything inside the quoted string runs on the remote host. Inner quotes
# must be escaped (\") or the string is split up before ssh ever sees it.
# The remote copy is test-parsed too, in case macros or interface names differ.
ssh "$TARGET_FIREWALL" \
"echo \"Installing new pf.conf in /etc\";
sudo cp pf/pf.conf /etc;
echo \"Testing new rules...\";
sudo pfctl -nf /etc/pf.conf || exit 1;
echo \"Flushing existing rules...\";
sudo pfctl -F nat;
sudo pfctl -F queue;
sudo pfctl -F rules;
echo \"Loading new ruleset into pf...\";
sudo pfctl -ANR -f /etc/pf.conf;
echo \"Sync complete\";"
echo
echo "Done"
--
"If you do it the stupid way, you will have to do it again"
- Gregory Chudnovsky