Re: Add a PF rule from the command line
Roy Morris wrote:
> I would like to be able to add/remove a rule from the command line on
> those systems which may have only a RAM drive and/or a read-only pf.conf.
> Anyone know how to do it, or would you need to create a new pf.conf in
> memory someplace and then load it?
>
> Thanks
> Roy

Try describing your ruleset in memory using <insert favorite scripting
language> constructs. From that meta-data you could create the actual
ruleset in a syntax that pf understands.

    pfctl -s all | your_script -read
    # add /remove rules
    # add /remove rules
    # add /remove rules
    ...
    ...
    your_script -write | pfctl -F all -f -

Since order matters, you would need to recreate the entire ruleset from
your meta-data every time a rule was added/deleted, then reload it using
pfctl.

Not exactly a simple solution, but the only one my sleep-deprived brain
came up with at the moment. Check out the man pages for pfctl, etc...
They might inspire an easier solution.

-Keith
Re: Add a PF rule from the command line
Keith Richardson wrote:
> Roy Morris wrote:
>> I would like to be able to add/remove a rule from the command line on
>> those systems which may have only a RAM drive and/or a read-only
>> pf.conf. Anyone know how to do it, or would you need to create a new
>> pf.conf in memory someplace and then load it?
>>
>> Thanks
>> Roy
>
> Try describing your ruleset in memory using <insert favorite scripting
> language> constructs. From that meta-data you could create the actual
> ruleset in a syntax that pf understands.
>
>     pfctl -s all | your_script -read
>     # add /remove rules
>     # add /remove rules
>     # add /remove rules
>     ...
>     ...
>     your_script -write | pfctl -F all -f -
>
> Since order matters, you would need to recreate the entire ruleset from
> your meta-data every time a rule was added/deleted, then reload it using
> pfctl.
>
> Not exactly a simple solution, but the only one my sleep-deprived brain
> came up with at the moment. Check out the man pages for pfctl, etc...
> They might inspire an easier solution.
>
> -Keith

Yea, to me it seems easy/best/less time consuming to simply

    cat /etc/readonly.pf.conf > /ramdrive/pf.new.conf
    vi /ramdrive/pf.new.conf
    pfctl -F all -f /ramdrive/pf.new.conf

then in the required rule in the next version of the cdboot. In my case
rules change seldom, so it's not that big a deal. Maybe what I need is to
use a flash drive to hold /etc/ ... seems logical.

Cheers
Rm
Re: Add a PF rule from the command line
On Sun, 09 Oct 2005 14:59:36 -0400 Roy Morris [EMAIL PROTECTED] wrote:
> I would like to be able to add/remove a rule from the command line on
> those systems which may have only a RAM drive and/or a read-only pf.conf.
> Anyone know how to do it, or would you need to create a new pf.conf in
> memory someplace and then load it?

It's not like iptables, where you can load rules at the CLI. The best you
can hope for is to look at all your rules with a set of parameters and
attempt to make a structure that resembles any type of rule. Then read your
pf.conf into the array of structures and re-write that array as a new
pf.conf. If you do the job very well, you can use those structures to write
the rules out in many different formats and perhaps have yourself a
firewall builder. Perhaps you could look at some existing firewall builders
and sculpt them into something that suits your requirements.

Let us know how you get on. I think the two previous answers are workable
for what you are trying to do. You could, if the rules are just pass/block,
use a table, which you can access from the command line.

-- 
Regards,
Ed
http://www.usenix.org.uk
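Ed's closing suggestion, a table whose contents are changed with pfctl -t, is the mechanism pf itself provides for altering a pass/block decision at runtime without touching the ruleset file. The script below is an added example written for this thread, not Ed's or anyone else's code from it. It assumes a read-only pf.conf that already declares a table and one rule that uses it (the table name "blocked" and the script name are this example's choices), and it validates every address before handing it to pfctl, so a typo or a non-address value pulled from a log cannot silently widen or break the block list. PFCTL is a variable only so the script can be dry-run against a stub.

```shell
#!/bin/sh
# Added example (not from this thread): keep block decisions in a pf table
# that is edited at runtime with pfctl -t, so a read-only pf.conf never
# has to change. It assumes pf.conf already contains these two lines
# (the table name "blocked" is this example's choice):
#
#   table <blocked> persist
#   block in quick from <blocked>
#
# PFCTL can be pointed at a wrapper or stub for dry runs; it defaults to pfctl.
PFCTL=${PFCTL:-pfctl}
TABLE=${TABLE:-blocked}

# Accept only a dotted-quad IPv4 address with an optional /prefix. Anything
# else (hostnames, stray shell text, a bad octet) is refused before it
# reaches the kernel table.
valid_addr() {
    case $1 in ''|*[!0-9./]*|*/*/*) return 1 ;; esac   # digits, dots, at most one slash
    addr=${1%/*}
    prefix=${1#*/}
    [ "$prefix" = "$1" ] && prefix=32                  # no slash given: single host
    case $addr in ''|.*|*.|*..*) return 1 ;; esac
    case $prefix in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    old_ifs=$IFS
    IFS=.
    set -- $addr                                       # split into octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

table_add() {
    valid_addr "$1" || { echo "table_add: refusing '$1'" >&2; return 1; }
    "$PFCTL" -t "$TABLE" -T add "$1"
}

table_del() {
    valid_addr "$1" || { echo "table_del: refusing '$1'" >&2; return 1; }
    "$PFCTL" -t "$TABLE" -T delete "$1"
}

# List the current contents of the kernel table.
table_show() {
    "$PFCTL" -t "$TABLE" -T show
}

# Replace the whole table from a file on the RAM drive (one address or
# network per line) in a single operation, after checking every line; this
# is the table equivalent of rebuilding a ruleset from saved meta-data.
table_replace() {
    [ -r "$1" ] || return 1
    while read -r line; do
        valid_addr "$line" || { echo "table_replace: bad line '$line'" >&2; return 1; }
    done < "$1"
    "$PFCTL" -t "$TABLE" -T replace -f "$1"
}

# Entry point: ./pftable.sh add 192.0.2.7 | del 192.0.2.7 | show | replace FILE
case ${1:-} in
    add)     table_add "$2" ;;
    del)     table_del "$2" ;;
    show)    table_show ;;
    replace) table_replace "$2" ;;
esac
```

Because the table is referenced from a single rule, the ruleset itself never changes and no reload of pf.conf is needed; the script only ever runs pfctl -t, and the -T replace form lets a list kept on the RAM drive be reapplied in one step.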
Add a PF rule from the command line
I would like to be able to add/remove a rule from the command line on
those systems which may have only a RAM drive and/or a read-only pf.conf.
Anyone know how to do it, or would you need to create a new pf.conf in
memory someplace and then load it?

Thanks
Roy
Re: Add a PF rule from the command line
Roy Morris wrote:
> I would like to be able to add/remove a rule from the command line on
> those systems which may have only a RAM drive and/or a read-only pf.conf.
> Anyone know how to do it, or would you need to create a new pf.conf in
> memory someplace and then load it?

Maybe using anchors is the way to go? Otherwise you can load rules from
stdin, so maybe something like

    { grep -v 'regexp that matches rule(s) to remove' /etc/pf.conf; \
      printf 'Rules to add\nAnother rule to add\n'; } | pfctl -ef -

would work?

/Alexander
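Alexander's two suggestions, anchors and loading rules from a pipe, fit together with Roy's cat/vi/reload routine into one small script: the rules changed from the command line live in an overlay file on the RAM drive, and only that file is loaded, into an anchor, instead of rewriting and reloading the whole of pf.conf. This is an added example written for this thread, not Alexander's or Roy's code. It assumes the read-only /etc/pf.conf contains a single anchor line at the point where the runtime rules should be evaluated; the anchor name "cli", the overlay path and the script name are this example's choices. Deletion uses a fixed-string whole-line match rather than Alexander's regexp so that removing one rule cannot take neighbouring rules with it, and the overlay is parse-checked before it is loaded.

```shell
#!/bin/sh
# Added example (not from this thread): keep the rules changed from the
# command line in an overlay file on the RAM drive and load that file into
# a pf anchor. The read-only /etc/pf.conf then only needs one line where
# the runtime rules should be evaluated (anchor name and path are this
# example's choices):
#
#   anchor "cli"
#
# Because only the anchor is reloaded, the main ruleset, its tables and the
# state table are left alone, and the overlay keeps rule order, which
# matters in pf (the last matching rule wins unless a rule says "quick").
PFCTL=${PFCTL:-pfctl}
ANCHOR=${ANCHOR:-cli}
RULES=${RULES:-/ramdrive/cli.rules}

# Append one rule line unless an identical line is already present.
rule_add() {
    [ -n "$1" ] || return 1
    touch "$RULES" || return 1
    grep -qxF -- "$1" "$RULES" && return 0
    printf '%s\n' "$1" >> "$RULES"
}

# Remove exactly the given line. A fixed-string, whole-line match is used
# instead of a regexp so that one deletion cannot take other rules with it.
rule_del() {
    [ -f "$RULES" ] || return 0
    grep -vxF -- "$1" "$RULES" > "$RULES.tmp" || :    # grep exits 1 when nothing is left
    mv "$RULES.tmp" "$RULES"
}

# Number of rules currently in the overlay.
rule_count() {
    if [ -f "$RULES" ]; then grep -c '' "$RULES" || :; else echo 0; fi
}

# Parse-check the overlay (-n reads the rules without loading them) and only
# then replace the anchor's ruleset. A syntax error therefore leaves the
# previously loaded rules in force instead of an empty anchor.
rule_load() {
    "$PFCTL" -n -a "$ANCHOR" -f "$RULES" || return 1
    "$PFCTL" -a "$ANCHOR" -f "$RULES"
}

rule_show() {
    "$PFCTL" -a "$ANCHOR" -s rules
}

# Entry point: ./pfcli.sh add 'block in quick from 192.0.2.9' | del RULE | load | show
case ${1:-} in
    add)  rule_add "$2" && rule_load ;;
    del)  rule_del "$2" && rule_load ;;
    load) rule_load ;;
    show) rule_show ;;
esac
```

After a reboot of a RAM-drive system the overlay is gone along with everything else on the RAM drive, so this only helps with changes that are meant to last until the next boot; anything permanent still belongs in the next build of the boot image, as Roy notes.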