> > Does packet filter allow you to load external files? More
> > specifically, could one place macro definitions in a separate file, but
> > hook them up to pf.conf so as you reload the pf.conf file you get your
> > macros? Thank you!
Quoting http://www.openbsd.org/faq/pf/anchors.html:

    The load rule causes pfctl to populate the specified anchor by reading
    rules from a text file. The load rule must be placed after the anchor
    rule. Example:

        anchor goodguys
        load anchor goodguys from "/etc/anchor-goodguys-ssh"

    To add rules to an anchor using pfctl, the following type of command
    can be used:

        # echo "pass in proto tcp from 192.0.2.3 to any port 22" \
            | pfctl -a goodguys -f -

> Another way is to use m4, make, or even a shell/perl script:
>
> #!/bin/sh
> TMP=`mktemp`
>
> for file in macros norm queue nat rules; do
>     cat /etc/pf/$file >> $TMP
> done
>
> pfctl -nf $TMP && mv $TMP /etc/pf.conf

Or you can pipe it directly, without creating a /tmp race:

    cat /etc/pf/* | pfctl -nf -

I highly encourage you to script it... much more flexible. You can create
rules programmatically.

--
http://www.lightconsulting.com/~travis/ -><-
"We already have enough fast, insecure systems." -- Schneier & Ferguson
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B
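As an added example (not code from the thread), the assemble-from-fragments approach above written out as a POSIX sh script: fragments are concatenated in an explicit order rather than by glob, macro lines are sanity-checked before anything is handed to pfctl, the result is parsed with pfctl -n first, and only then installed atomically and loaded. The /etc/pf/{macros,norm,queue,nat,rules} layout and the PF_DIR/PF_CONF variables are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread: build pf.conf from fragments in an
# explicit order, check it, then install and load. Layout is assumed.
set -eu

PF_DIR="${PF_DIR:-/etc/pf}"
PF_CONF="${PF_CONF:-/etc/pf.conf}"
# pf.conf wants macros/options, normalization, queueing, translation and
# filter rules in this sequence; "cat /etc/pf/*" would sort by file name.
PF_ORDER="macros norm queue nat rules"

# Print the concatenated configuration to stdout; every fragment must exist.
build_pf_conf() {
    dir=$1
    for f in $PF_ORDER; do
        [ -r "$dir/$f" ] || { echo "missing fragment: $dir/$f" >&2; return 1; }
        printf '# --- %s ---\n' "$f"
        cat "$dir/$f"
    done
}

# Reject any non-blank, non-comment line in the macros file that is not a
# plain "name = value" definition, so a stray line cannot become a rule.
check_macros() {
    file=$1
    bad=$(grep -v '^[[:space:]]*#' "$file" | grep -v '^[[:space:]]*$' \
        | grep -Ev '^[A-Za-z_][A-Za-z0-9_]*[[:space:]]*=' || true)
    [ -z "$bad" ] || { printf 'bad macro line: %s\n' "$bad" >&2; return 1; }
}

# Check, then install and load. Temp file lives beside the target so the
# final mv is an atomic rename on the same filesystem.
install_pf_conf() {
    tmp=$(mktemp "${PF_CONF}.XXXXXX")
    trap 'rm -f "$tmp"' EXIT
    check_macros "$PF_DIR/macros"
    build_pf_conf "$PF_DIR" > "$tmp"
    pfctl -nf "$tmp"          # -n: parse only, nothing is loaded yet
    mv "$tmp" "$PF_CONF"
    pfctl -f "$PF_CONF"
}

# Only touch the live ruleset when explicitly asked.
if [ "${1:-}" = "install" ]; then
    install_pf_conf
fi
```

Run as `sh build-pf.sh install` (as root) once the fragments are in place; without the argument it only defines the functions.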