From: "Rance Hall" <ranceh@gmail.com>
To: freebsd-pf@freebsd.org
Date: Mon, 31 Mar 2008 15:16:05 -0500
Message-ID: <845c0f80803311316k7a34bf5bq8b1638581a78e53@mail.gmail.com>
In-Reply-To: <1206992159.2108.23.camel@kensho.c7.ca>
Subject: Re: need help figuring out if pf is right for me.

On 3/31/08, Elliott Perrin wrote:
> On Mon, 2008-03-31 at 13:51 -0500, Rance Hall wrote:
> > I've been tasked with writing a firewall script for a client, and I'm
> > looking at pf for the firewall.
> >
> > So far the only requirement I can't seem to find an example of how to
> > do is to actually script the pf rules from a shell script.
> >
> > The project entails two pieces: a firewall script, and a config file
> > which is parsed by the firewall script for values for variables.
> >
> > Example:
> >
> > #!/bin/sh
> >
> > CONFIG_FILE=/path/to/config
> >
> > if [ -e "$CONFIG_FILE" ]; then
> >     . "$CONFIG_FILE"
> > else
> >     # (fail miserably)
> >     echo "config file $CONFIG_FILE not found" >&2
> >     exit 1
> > fi
> >
> > # pf macro-based rules go here
> >
> > # END
> >
> > Idea being that the same script can be used multiple places by just
> > changing the config file, also that there is some job duty split
> > between the setup of the firewall and the execution of the firewall.
> >
> > Can I do this with pf in a way that makes at least some sense?
> >
> > Thanks for your help
>
> I am assuming what you are trying to do is have a base template and a
> script that can modify said template with output redirected
> to /etc/pf.conf.
>
> This is of course more than possible if planned out properly. With pf's
> support for variable / macro / table definition in pf.conf it should be
> pretty easy to come up with your template structure. At the end of the
> day it really depends on what each firewall needs to do, but if you have
> x firewalls all doing the exact same thing it shouldn't be a problem at
> all.
>
> Cheers,
> elliott@c7.ca

I found this piece of documentation for freebsd-ipf in the handbook:

#!/bin/sh
# use ONE of the following:
#cat > /etc/ipf.rules << EOF
# or
/sbin/ipf -Fa - << EOF
rules go here
EOF

It looks like the cat option is what you are thinking of: use a script
that can recognize macros to create /etc/pf.conf. But look at the other
option: somehow feed the constructed rules into pfctl dynamically as they
are "interpreted".

I'm thinking I want the second choice of the two, but this is early
planning stages, so if there is a reason to not do this, that's fine.