It's an interesting question, but I don't fully understand what you want.

pf.conf does not define a network, it defines a ruleset.

I wanted at one point in time to make a Venn diagram which showed what
packets were blocked and what packets passed, but stateful filtering
has made this difficult.  My goal was not to make it "more readable"
(I find pf.conf fairly readable) but rather to show what you were
doing in a new way so that errors would be more likely to be caught.

Part of the problem is the high dimensionality of the data; you've got
at least 5 dimensions (src port, src ip, dst port, dst ip,
protocol)... and potentially many more.

If you really want to draw network diagrams, a perl script that
outputs stuff in dot format would be pretty easy to do, but may
require tweaking for different conf files to make sure that the output
fits on one page or screen, whatever your output format is.
--
http://www.lightconsulting.com/~travis/  -><- Knight of the Lambda Calculus
"We already have enough fast, insecure systems." -- Schneier & Ferguson
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B
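The pf.conf-to-dot script sketched in the message above, as an added example that is not part of the original post: it is written in Python rather than Perl, handles only the simple "action direction [on if] [proto p] from src [port n] to dst [port n]" rule shape, and runs over a constructed sample ruleset rather than any real host's pf.conf.

```python
import re

# Constructed sample ruleset (not from any real host); only simple
# pass/block rules are recognised, macros/tables/options are skipped.
SAMPLE_PF_CONF = """\
# constructed example pf.conf
block in all
pass in on em0 proto tcp from any to 192.0.2.10 port 22
pass in on em0 proto tcp from 198.51.100.0/24 to 192.0.2.10 port 443
pass out on em0 from 192.0.2.0/24 to any
"""

RULE_RE = re.compile(
    r"^(?P<action>pass|block)\s+(?P<dir>in|out)"
    r"(?:\s+on\s+(?P<iface>\S+))?"
    r"(?:\s+proto\s+(?P<proto>\S+))?"
    r"(?:\s+from\s+(?P<src>\S+)(?:\s+port\s+(?P<sport>\S+))?)?"
    r"(?:\s+to\s+(?P<dst>\S+)(?:\s+port\s+(?P<dport>\S+))?)?"
    r"(?:\s+all)?\s*$"
)

def parse_rules(text):
    """Return one dict per recognised pass/block rule; comments are stripped
    and lines that do not match the simple rule shape are ignored."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append(m.groupdict())
    return rules

def to_dot(rules):
    """Render rules as a Graphviz digraph: one edge per rule from src to dst,
    green for pass and red for block, labelled with direction/iface/proto/port."""
    out = ["digraph pf {", "  rankdir=LR;"]
    for r in rules:
        src = r["src"] or "any"          # "block in all" has no from/to
        dst = r["dst"] or "any"
        port = ":" + r["dport"] if r["dport"] else None
        label = " ".join(x for x in (r["dir"], r["iface"], r["proto"], port) if x)
        color = "green" if r["action"] == "pass" else "red"
        out.append(f'  "{src}" -> "{dst}" [label="{label}", color={color}];')
    out.append("}")
    return "\n".join(out)
```

Feed the output of `to_dot(parse_rules(open("pf.conf").read()))` to `dot -Tpng` to get the one-page network picture; large rulesets will need the tweaking the message mentions.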
