From: Elliott Perrin
Reply-To: elliott@c7.ca
To: Rance Hall
Cc: freebsd-pf@freebsd.org
Date: Mon, 31 Mar 2008 15:35:59 -0400
Subject: Re: need help figuring out if pf is right for me.
Message-Id: <1206992159.2108.23.camel@kensho.c7.ca>
In-Reply-To: <845c0f80803311151y7fcd3e77r836a5026d76b5179@mail.gmail.com>

On Mon, 2008-03-31 at 13:51 -0500, Rance Hall wrote:
> I've been tasked with writing a firewall script for a client, and I'm
> looking at pf for the firewall.
>
> So far the only requirement I can't seem to find an example of how to
> do is to actually script the pf rules from a shell script.
>
> The project entails two pieces.
> A firewall script, and a config file
> which is parsed by the firewall script for values for variables.
>
> example:
>
> #!/bin/sh
>
> CONFIG_FILE=/path/to/config
>
> if [ -e $CONFIG_FILE ] ; then
>     . $CONFIG_FILE
> else
>     (fail miserably)
> fi
>
> pf macro based rules go here
>
> END
>
> Idea being that the same script can be used multiple places by just
> changing the config file, also that there is some job duty split
> between the setup of the firewall and the execution of the firewall.
>
> Can I do this with pf in a way that makes at least some sense?
>
> Thanks for your help

I am assuming what you are trying to do is have a base template and a script that can modify said template with output redirected to /etc/pf.conf. This is of course more than possible if planned out properly. With pf's support for variable / macro / table definition in pf.conf it should be pretty easy to come up with your template structure.

At the end of the day it really depends on what each firewall needs to do, but if you have x firewalls all doing the exact same thing it shouldn't be a problem at all.

Cheers,

elliott@c7.ca
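A worked version of the template-plus-config approach discussed above, added here as an example (it is not code from either poster): the script sources a config file, refuses to run if a required value is missing, emits a pf.conf whose site-specific parts live only in macros and a table, and syntax-checks the result with `pfctl -n` before loading it. The variable names, function names and the sample ruleset are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example, not from this thread: render /etc/pf.conf from a sourced
# config file plus a macro-based template, syntax-check it with pfctl -n,
# and only then load it.  Function, variable and rule contents are assumptions.
# Variables every site config must define (names chosen for this example).
REQUIRED_VARS="EXT_IF INT_IF LAN_NET ADMIN_HOSTS TCP_SERVICES"

# Source the config (plain sh NAME=value lines) and verify each required
# variable is set.  They are unset first so a stale environment value
# can never satisfy the check.  Returns 1 on any problem.
load_config() {
    _cfg=$1
    [ -r "$_cfg" ] || { echo "config $_cfg not readable" >&2; return 1; }
    for _v in $REQUIRED_VARS; do unset "$_v"; done
    . "$_cfg"
    for _v in $REQUIRED_VARS; do
        eval _val=\${$_v:-}
        [ -n "$_val" ] || { echo "config $_cfg: $_v not set" >&2; return 1; }
    done
}

# Print the pf.conf on stdout.  Site-specific values appear only in the pf
# macros and table at the top; the rule body is identical on every firewall.
render_pf_conf() {
    cat <<EOF
ext_if = "$EXT_IF"
int_if = "$INT_IF"
lan_net = "$LAN_NET"
tcp_services = "{ $TCP_SERVICES }"
table <admin_hosts> { $ADMIN_HOSTS }

set skip on lo0
block in log all
pass out quick keep state
pass in on \$int_if from \$lan_net to any keep state
pass in on \$ext_if proto tcp from any to \$ext_if port \$tcp_services keep state
pass in on \$ext_if proto tcp from <admin_hosts> to \$ext_if port ssh keep state
EOF
}
# Write to a temp file and run pfctl -n on it first, so a broken config
# never replaces a working ruleset.
install_pf_conf() {
    _out=$1
    render_pf_conf > "$_out.new" || return 1
    pfctl -nf "$_out.new" || { rm -f "$_out.new"; return 1; }
    mv "$_out.new" "$_out" && pfctl -f "$_out"
}
# Usage: ./gen-pf.sh /path/to/config /etc/pf.conf
if [ $# -eq 2 ]; then load_config "$1" && install_pf_conf "$2"; fi
```

Because the rule body never changes, a diff between two generated pf.conf files shows only the macro and table lines, which makes per-site review of what actually differs straightforward.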