need help figuring out if pf is right for me.

Rance Hall ranceh at gmail.com
Mon Mar 31 13:16:07 PDT 2008


On 3/31/08, Elliott Perrin <elliott at c7.ca> wrote:
> On Mon, 2008-03-31 at 13:51 -0500, Rance Hall wrote:
>  > I've been tasked with writing a firewall script for a client, and I'm
>  > looking at pf for the firewall.
>  >
>  > So far the only requirement I can't seem to find an example of how to
>  > do is to actually script the pf rules from a shell script.
>  >
>  > The project entails two pieces.  A firewall script, and a config file
>  > which is parsed by the firewall script for values for variables.
>  >
>  > example:
>  >
>  > #!/bin/sh
>  >
>  > CONFIG_FILE=/path/to/config
>  >
>  > if [ -e "$CONFIG_FILE" ] ; then
>  >   . "$CONFIG_FILE"
>  > else
>  >   echo "$0: config file $CONFIG_FILE not found" >&2
>  >   exit 1
>  > fi
>  >
>  > # pf macro based rules go here
>  >
>  > # END
>  >
>  > Idea being that the same script can be used multiple places by just
>  > changing the config file, also that there is some job duty split
>  > between the setup of the firewall and the execution of the firewall.
>  >
>  > Can I do this with pf in a way that makes at least some sense?
>  >
>  > Thanks for your help
>
>  I am assuming what you are trying to do is have a base template and a
>  script that can modify said template with output redirected
>  to /etc/pf.conf.
>
>  This is of course more than possible if planned out properly. With pf's
>  support for variable / macro / table definition in pf.conf it should be
>  pretty easy to come up with your template structure. At the end of the
>  day it really depends on what each firewall needs to do, but if you have
>  x firewalls all doing the exact same thing it shouldn't be a problem at
>  all.
>
>  Cheers,
>  elliott at c7.ca
>
>


I found this piece of documentation for freebsd-ipf in the handbook:

#!/bin/sh

# use ONE of the following:
#cat > /etc/ipf.rules << EOF
# or (ipf reads the ruleset from stdin when the file argument is "-")
/sbin/ipf -Fa -f - << EOF

# rules go here

EOF

It looks like the cat option is what you are thinking of: use a
script that can recognize macros to create /etc/pf.conf.

But look at the other option: somehow feed the constructed rules into
pfctl dynamically as they are "interpreted".

I'm thinking I want the second choice of the two, but this is early
planning stages, so if there is a reason to not do this that's fine.
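
Putting the two pieces together, as an added example that is not code from this thread or from the FreeBSD Handbook: one script that sources a per-host config, checks the values before they are spliced into rules, and feeds the generated ruleset to pfctl on stdin, so no /etc/pf.conf is ever written. The config path (/usr/local/etc/fw.conf), the variable names EXT_IF, INT_IF, LAN_NET, SSH_PORT and ADMIN_HOSTS, and the <admins> table are assumptions made for the illustration, and the sample config it writes is constructed. Two things worth noticing: sourcing the config runs it as root shell code, so the script refuses a file that anyone but its owner can write, and "pfctl -n -f -" parses the ruleset without loading it, so a typo in a config value is caught before the live rules are touched.

```shell
#!/bin/sh
# fw.sh: one script for every host, the per-host values sourced from a config,
# the ruleset fed to pfctl on stdin. Added example, not code from the thread or
# the FreeBSD Handbook; the fw.conf path, variable names and <admins> table are assumed.
# usage: fw.sh [-n] /path/to/fw.conf    (-n: only parse the ruleset, load nothing)

CONFIG_FILE=/usr/local/etc/fw.conf   # assumed default location

# load_config PATH: source the config. Sourcing executes it as shell, so a file
# that anyone but its owner can write is root code execution at the next reload;
# refuse such files instead of trusting them.
load_config() {
    cfg=$1
    case "$cfg" in /*) ;; *) cfg=./$cfg ;; esac   # never let '.' search $PATH
    [ -f "$cfg" ] || { echo "fw: config file '$cfg' not found, not touching the firewall" >&2; return 1; }
    if [ -n "$(find "$cfg" \( -perm -020 -o -perm -002 \) 2>/dev/null)" ]; then
        echo "fw: '$cfg' is group- or world-writable, refusing to source it" >&2
        return 1
    fi
    . "$cfg"
}

# validate_config: every value is pasted into pf.conf text, so each field is held
# to the characters it can legitimately contain; SSH_PORT='22 pass in all' would
# otherwise silently become extra rules.
validate_config() {
    for v in EXT_IF INT_IF LAN_NET SSH_PORT ADMIN_HOSTS; do
        eval "val=\${$v:-}"
        [ -n "$val" ] || { echo "fw: $v is not set in the config" >&2; return 1; }
    done
    case "$EXT_IF$INT_IF" in
        *[!a-z0-9]*) echo "fw: interface names must look like em0 or vr1" >&2; return 1 ;;
    esac
    case "$SSH_PORT" in
        *[!0-9]*) echo "fw: SSH_PORT must be numeric" >&2; return 1 ;;
    esac
    case "$LAN_NET" in
        *[!0-9./]*|*/*/*) echo "fw: LAN_NET contains unexpected characters" >&2; return 1 ;;
        */*) ;;
        *) echo "fw: LAN_NET must be written as a.b.c.d/prefixlen" >&2; return 1 ;;
    esac
    hosts=$(printf '%s' "$ADMIN_HOSTS" | tr -d ' ')
    case "$hosts" in
        *[!0-9a-fA-F:./]*) echo "fw: ADMIN_HOSTS may only hold addresses" >&2; return 1 ;;
    esac
}

# build_ruleset: print the pf.conf text. Macros and the table come from the config
# (the shell expands the first heredoc); the rule body is identical on every host
# and uses a quoted delimiter, so $ext_if reaches pf as a pf macro, not a shell one.
build_ruleset() {
    cat <<EOF
ext_if = "$EXT_IF"
int_if = "$INT_IF"
lan_net = "$LAN_NET"
ssh_port = "$SSH_PORT"
table <admins> persist { $ADMIN_HOSTS }
EOF
    cat <<'EOF'
set skip on lo0
scrub in all
block in log all
pass out quick on $ext_if keep state
pass in on $int_if from $lan_net to any keep state
pass in on $ext_if proto tcp from <admins> to ($ext_if) port $ssh_port flags S/SA keep state
EOF
}

# write_sample_config PATH: a constructed config for trying the script out
# (RFC 5737 documentation addresses, not a real site).
write_sample_config() {
    cat >"$1" <<'EOF'
EXT_IF=em0
INT_IF=em1
LAN_NET=192.168.10.0/24
SSH_PORT=22
ADMIN_HOSTS="192.0.2.10 192.0.2.11"
EOF
}

main() {
    dry=0
    if [ "$1" = "-n" ]; then dry=1; shift; fi
    load_config "${1:-$CONFIG_FILE}" || exit 1
    validate_config || exit 1
    # -n parses without loading, so a broken config is rejected before the live
    # ruleset is touched; only a clean parse is followed by the real load.
    build_ruleset | pfctl -n -f - || exit 1
    [ "$dry" -eq 1 ] || build_ruleset | pfctl -f -
}

# With no arguments only the functions are defined (handy for testing).
if [ $# -gt 0 ]; then main "$@"; fi
```

Run it as "sh fw.sh -n /usr/local/etc/fw.conf" first on each host to see pfctl's parse result, then without -n to load. Splitting the heredoc in two keeps the job-duty split the original post asks for: whoever owns the config only ever edits macro values, and the rule body stays under the control of whoever owns the script.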


More information about the freebsd-pf mailing list