[146390] in North American Network Operators' Group


Re: Firewalls - Ease of Use and Maintenance?

daemon@ATHENA.MIT.EDU (Jonathan Lassoff)
Thu Nov 10 11:30:55 2011

In-Reply-To: <4EBAE62E.5090706@foobar.org>
Date: Thu, 10 Nov 2011 08:30:46 -0800
From: Jonathan Lassoff <jof@thejof.com>
To: Nick Hilliard <nick@foobar.org>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Wed, Nov 9, 2011 at 12:44 PM, Nick Hilliard <nick@foobar.org> wrote:
> On 09/11/2011 19:07, C. Jon Larsen wrote:
>>
>> put the main portion of the conf in subversion as an include file and
>> factor out local differences in the configs with macros that are defined
>> in pf.conf
>>
>> Easy.
>
> As I said, it's not a pf problem.  Commercial firewalls will do all this
> sort of thing off the shelf.  It's a pain to have to write scripts to do
> this manually.

Agreed. This is rather a pain to have to do manually each time (either
scp'ing or scripting). It's unfortunate that there's not a
conventional script or mechanism for doing this.

I have plenty of scripts from past commercial work that do this, but
they're sadly tied up license-wise.

I've had good luck, pf-wise, with creating a ruleset that is just
identical between hosts. By keeping the interface naming/numbering
scheme consistent across two hosts, the same configuration can just
"work" on both.

Cheers,
jof
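One way to do what Jon and Jonathan describe above, as an added example that is not from the thread: a small shell script that renders a per-host pf.conf from a handful of macros plus one shared include file (the part you would keep in subversion), and checks before loading that every macro the shared rules reference is defined for this host. File paths, macro names and the sample rules are assumptions.

```shell
#!/bin/sh
# Added example, not from the NANOG thread. Paths, macro names and the
# sample ruleset below are assumptions made for illustration.
set -eu

# Shared ruleset, identical on every host and kept under version control.
# It only ever refers to macros; nothing host-specific lives here.
write_common_rules() {
  cat > "$1" <<'EOF'
# common.conf: same file on every host; host differences live in pf.conf macros
set skip on lo0
block in log all
pass out quick on $ext_if keep state
pass in on $ext_if proto tcp from $mgmt_net to ($ext_if) port $mgmt_ports keep state
pass in on $int_if from $int_if:network keep state
EOF
}

# Per-host pf.conf: the macros first, then the include.
# Arguments: $1 output path, $2 external if, $3 internal if,
#            $4 management network, $5 path to common.conf
render_pf_conf() {
  out=$1; ext=$2; int=$3; mgmt=$4; common=$5
  {
    echo "# generated by render_pf_conf; edit common.conf, not this file"
    echo "ext_if = \"$ext\""
    echo "int_if = \"$int\""
    echo "mgmt_net = \"$mgmt\""
    echo "mgmt_ports = \"{ 22 }\""
    echo "include \"$common\""
  } > "$out"
}

# Validate the rendered file before it touches the running firewall.
# Offline check: every macro used in common.conf must be defined in pf.conf,
# so a host that forgets a macro fails here rather than at load time.
check_macros() {
  conf=$1; common=$2
  for m in $(grep -o '\$[a-z_]*' "$common" | tr -d '$' | sort -u); do
    grep -q "^$m = " "$conf" || { echo "undefined macro: $m" >&2; return 1; }
  done
  # Full syntax check only where pf is actually installed.
  if command -v pfctl >/dev/null 2>&1; then pfctl -nf "$conf"; fi
}
```

Keeping the interface names in the macros (and nowhere else) is what lets the same common.conf run unchanged on both members of a pair.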

