Date: Mon, 31 Mar 2008 15:16:05 -0500 From: "Rance Hall" <ranceh@gmail.com> To: freebsd-pf@freebsd.org Subject: Re: need help figuring out if pf is right for me. Message-ID: <845c0f80803311316k7a34bf5bq8b1638581a78e53@mail.gmail.com> In-Reply-To: <1206992159.2108.23.camel@kensho.c7.ca> References: <845c0f80803311151y7fcd3e77r836a5026d76b5179@mail.gmail.com> <1206992159.2108.23.camel@kensho.c7.ca>
On 3/31/08, Elliott Perrin <elliott@c7.ca> wrote:
> On Mon, 2008-03-31 at 13:51 -0500, Rance Hall wrote:
> > I've been tasked with writing a firewall script for a client, and I'm
> > looking at pf for the firewall.
> >
> > So far the only requirement I can't seem to find an example of how to
> > do is to actually script the pf rules from a shell script.
> >
> > The project entails two pieces: a firewall script, and a config file
> > which is parsed by the firewall script for values for variables.
> >
> > example:
> >
> > #!/bin/sh
> >
> > CONFIG_FILE=/path/to/config
> >
> > if [ -e $CONFIG_FILE ] ; then
> >     . $CONFIG_FILE
> > else
> >     (fail miserably)
> > fi
> >
> > pf macro based rules go here
> >
> > END
> >
> > Idea being that the same script can be used multiple places by just
> > changing the config file, also that there is some job duty split
> > between the setup of the firewall and the execution of the firewall.
> >
> > Can I do this with pf in a way that makes at least some sense?
> >
> > Thanks for your help
> >
> > _______________________________________________
>
> I am assuming what you are trying to do is have a base template and a
> script that can modify said template with output redirected
> to /etc/pf.conf.
>
> This is of course more than possible if planned out properly. With pf's
> support for variable / macro / table definition in pf.conf it should be
> pretty easy to come up with your template structure. At the end of the
> day it really depends on what each firewall needs to do, but if you have
> x firewalls all doing the exact same thing it shouldn't be a problem at
> all.
>
> Cheers,
> elliott@c7.ca
>

I found this piece of documentation for freebsd-ipf in the handbook:

#!/bin/sh
# use ONE of the following:
#cat > /etc/ipf.rules << EOF
# or
/sbin/ipf -Fa - << EOF
rules go here
EOF

It looks like the cat option is what you are thinking of.
Use a script that can recognize macros to create /etc/pf.conf, but look at the other option: somehow feed the constructed rules into pfctl dynamically as they are "interpreted".

I'm thinking I want the second choice of the two, but this is early planning stages, so if there is a reason not to do this, that's fine.
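For reference, here is the "second choice" worked through as a complete script. This is an added example, not code from the thread or from the FreeBSD handbook: it sources a config file, expands the values into pf macros, syntax-checks the result with "pfctl -n", and then loads it by piping the generated rules into "pfctl -f -" (pfctl treats "-" as standard input), so nothing is ever written to /etc/pf.conf. The config variable names (EXT_IF, INT_IF, LAN_NET, TCP_SERVICES), the default config path and the PF_APPLY switch are all assumptions made up for the example; the rule set itself is a deliberately small default-deny policy.

```shell
#!/bin/sh
# Added example: config-driven pf firewall script that feeds generated
# rules to pfctl on stdin instead of writing /etc/pf.conf.
# Config variables are assumed (hypothetical): EXT_IF, INT_IF, LAN_NET,
# TCP_SERVICES (a comma-separated port list, e.g. "22, 80, 443").

# Source the config file and refuse to continue if it is missing or
# incomplete (the "(fail miserably)" branch of the original sketch).
load_config() {
    cfg="$1"
    [ -r "$cfg" ] || { echo "config file $cfg missing or unreadable" >&2; return 1; }
    . "$cfg"
    for v in EXT_IF INT_IF LAN_NET TCP_SERVICES; do
        eval "val=\${$v:-}"
        [ -n "$val" ] || { echo "$v not set in $cfg" >&2; return 1; }
    done
    return 0
}

# Emit the full rule set on stdout. Shell variables are expanded into
# pf macro definitions here; the "\$" forms stay literal so pf sees its
# own macros ($ext_if, $int_if, ...) when it parses the text.
build_ruleset() {
    cat <<EOF
# generated by firewall script from $cfg
ext_if = "$EXT_IF"
int_if = "$INT_IF"
lan_net = "$LAN_NET"
tcp_services = "{ $TCP_SERVICES }"

set skip on lo0
scrub in all

# default deny inbound, log what gets dropped
block in log all

# outbound from the firewall itself
pass out quick keep state

# LAN side may go anywhere
pass in on \$int_if from \$lan_net to any keep state

# only the listed TCP services are reachable on the external address
pass in on \$ext_if proto tcp from any to (\$ext_if) port \$tcp_services flags S/SA keep state
EOF
}

# Syntax-check the generated rules first; only load them if pfctl -n
# accepts them, so a typo in the config never leaves pf without a policy.
apply_ruleset() {
    build_ruleset | pfctl -n -f - || { echo "rule set failed syntax check, not loaded" >&2; return 1; }
    build_ruleset | pfctl -f -
}

# Run the full flow only when explicitly requested (PF_APPLY=1), so the
# file can also be sourced just for its functions.
if [ "${PF_APPLY:-0}" = "1" ]; then
    load_config "${CONFIG_FILE:-/etc/firewall.conf}" || exit 1
    apply_ruleset
fi
```

Usage: put the four variables in a config file, then run "CONFIG_FILE=/path/to/config PF_APPLY=1 sh firewall.sh". To inspect what would be loaded without touching pf, source the script, call load_config, and run build_ruleset on its own.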