need help figuring out if pf is right for me.

Elliott Perrin elliott at c7.ca
Mon Mar 31 13:04:49 PDT 2008


On Mon, 2008-03-31 at 13:51 -0500, Rance Hall wrote:
> I've been tasked with writing a firewall script for a client, and I'm
> looking at pf for the firewall.
> 
> So far the only requirement I can't seem to find an example of how to
> do is to actually script the pf rules from a shell script.
> 
> The project entails two pieces.  A firewall script, and a config file
> which is parsed by the firewall script for values for variables.
> 
> example:
> 
> #!/bin/sh
> 
> CONFIG_FILE=/path/to/config
> 
> if [ -e "$CONFIG_FILE" ] ; then
>   . "$CONFIG_FILE"
> else
>   # (fail miserably)
>   exit 1
> fi
> 
> # pf macro based rules go here
> 
> # END
> 
> Idea being that the same script can be used multiple places by just
> changing the config file, also that there is some job duty split
> between the setup of the firewall and the execution of the firewall.
> 
> Can I do this with pf in a way that makes at least some sense?
> 
> Thanks for your help

I am assuming what you are trying to do is have a base template and a
script that can modify said template with output redirected
to /etc/pf.conf. 

This is of course more than possible if planned out properly. With pf's
support for variable / macro / table definition in pf.conf it should be
pretty easy to come up with your template structure. At the end of the
day it really depends on what each firewall needs to do, but if you have
x firewalls all doing the exact same thing it shouldn't be a problem at
all. 

Cheers,
elliott at c7.ca
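
The template approach discussed in this thread, as an added example that is not part of either message: a script that renders pf.conf macros and rules from a config file, then parse-checks the result with pfctl -nf before loading it. The key names (EXT_IF, INT_NET, TCP_PORTS) and the rules are assumptions made for illustration. The config is read as key=value data rather than sourced, because a sourced file runs whatever it contains with the script's privileges.

```shell
#!/bin/sh
# Added example: render pf.conf from a key=value config treated as data.
# Key names (EXT_IF, INT_NET, TCP_PORTS) and the rules are hypothetical.

# Print the value for key $1 from config file $2 (last assignment wins).
cfg_get() {
    sed -n "s/^$1=//p" "$2" | tail -n 1
}

# Render a ruleset to stdout from config file $1; non-zero on bad input.
render_pf() {
    ext_if=$(cfg_get EXT_IF "$1")
    int_net=$(cfg_get INT_NET "$1")
    tcp_ports=$(cfg_get TCP_PORTS "$1")

    # Allowlist each value so only an interface name, a CIDR block or a
    # comma-separated port list can reach the generated ruleset.
    case $ext_if in ''|*[!a-z0-9]*) echo "bad EXT_IF" >&2; return 1;; esac
    case $int_net in ''|*[!0-9./]*) echo "bad INT_NET" >&2; return 1;; esac
    case $tcp_ports in ''|*[!0-9,]*) echo "bad TCP_PORTS" >&2; return 1;; esac

    cat <<EOF
ext_if = "$ext_if"
int_net = "$int_net"
tcp_ports = "{ $tcp_ports }"

set skip on lo0
block in all
pass out all keep state
pass in on \$ext_if proto tcp from any to any port \$tcp_ports keep state
pass in from \$int_net to any keep state
EOF
}

# Render to a temp file, parse-check it (pfctl -n), then install and load.
install_pf() {
    tmp=$(mktemp /tmp/pf.conf.XXXXXX) || return 1
    render_pf "$1" > "$tmp" && pfctl -nf "$tmp" &&
        mv "$tmp" /etc/pf.conf && pfctl -f /etc/pf.conf ||
        { rm -f "$tmp"; return 1; }
}

# Only touch the live ruleset when asked to: script --install /path/to/config
if [ "${1:-}" = "--install" ]; then install_pf "$2"; fi
```

Running render_pf on its own prints the ruleset without touching /etc/pf.conf, which is useful for reviewing a config change before it is loaded.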


