Hello, I have some issues with pf.conf and includes that perhaps someone could shed some light on.
Where I work, we use bridging firewalls with multiple tagged VLANs passing the bridges, and filtering is done on the VLAN interfaces. Normally we have around 10-20 VLANs on each machine, and we have a LOT of rules in pf.conf. To make configuration a little easier I'm beginning to look at how to separate the VLANs into multiple configs, one for each VLAN, and then include them all from pf.conf. I would want to have all macros, options and rules for each VLAN in a separate file, but I would also like to use macros from one config in rules in another file.

To clarify what I'm getting at, here's an example:

###### /etc/vlan500.conf:
DB="192.168.0.10/32"
block log on vlan500
pass in quick on vlan500 from $Webserver to $DB port 3306
pass out on vlan500

###### /etc/vlan1000.conf:
Webserver="192.168.1.20/32"
block log on vlan1000
pass in quick on vlan1000 from any to $Webserver port 80
pass out on vlan1000

###### /etc/pf.conf
include "/etc/vlan500.conf"
include "/etc/vlan1000.conf"
######

The above example would not work, as pfctl will look at the rules in vlan500.conf before looking at the macros in vlan1000.conf, and it will throw an error that the $Webserver macro is not defined. If I change the order of the includes in pf.conf, it will work, but of course if I try to use macros from vlan1000.conf for rules in vlan500.conf, the problem will arise again.

One way to solve it would be to put all the macros in, say, /etc/vlan500-macros.conf and /etc/vlan1000-macros.conf and make sure they are included before the rules in pf.conf, but that seems inconvenient to me.

What is the common practice for using includes? Is there a way to get pfctl to read ALL macros from ALL files before looking at the rules?

I would be happy to hear some suggestions.

Thanks,
Peter
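As an added example (not from the original post or from the pf project), here is one way to keep a single file per VLAN and still have every macro defined before any rule that references it: a small POSIX sh script that assembles pf.conf from the per-VLAN fragments, hoisting all macro definitions (and `set` options) from all files ahead of the rules. It assumes each macro is a single line of the form `NAME="value"`; the file and function names are hypothetical. The `check_macro_order` function is an offline check for `$NAME` references without a preceding definition, so the ordering problem the post describes can be caught without running pfctl.

```shell
#!/bin/sh
# build-pf.sh (hypothetical): assemble one pf.conf from per-VLAN fragments so
# that every macro is defined before any rule uses it. Assumes one-line
# macros of the form NAME="value" or NAME=value (no backslash continuation).
set -eu

# Print the macro definitions from every given file, tagged with the origin.
pf_macros() {
    for f in "$@"; do
        printf '# macros from %s\n' "$f"
        grep -E '^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*[[:space:]]*=' "$f" || true
    done
}

# Print the 'set ...' option lines from every given file.
pf_options() {
    for f in "$@"; do
        grep -E '^[[:space:]]*set[[:space:]]' "$f" || true
    done
}

# Print everything else (tables, rules, comments) from every given file.
pf_rules() {
    for f in "$@"; do
        printf '# rules from %s\n' "$f"
        grep -Ev '^[[:space:]]*([A-Za-z_][A-Za-z0-9_]*[[:space:]]*=|set[[:space:]]|$)' "$f" || true
    done
}

# Macros first, then options, then rules: the order pfctl needs.
pf_assemble() {
    pf_macros "$@"
    pf_options "$@"
    pf_rules "$@"
}

# Read a pf.conf on stdin and fail (exit 1) if any $NAME is referenced on a
# line before a NAME=... definition has been seen. Reports each offender.
check_macro_order() {
    awk '
        /^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*[[:space:]]*=/ {
            name = $0
            sub(/^[[:space:]]*/, "", name)
            sub(/[[:space:]]*=.*/, "", name)
            def[name] = 1
            next
        }
        {
            line = $0
            while (match(line, /[$][A-Za-z_][A-Za-z0-9_]*/)) {
                n = substr(line, RSTART + 1, RLENGTH - 1)
                if (!(n in def)) {
                    printf "undefined macro $%s: %s\n", n, $0
                    bad = 1
                }
                line = substr(line, RSTART + RLENGTH)
            }
        }
        END { exit bad }'
}

# Assemble the given fragments and verify the macro ordering of the result.
check_order() {
    pf_assemble "$@" | check_macro_order
}

# When run as a script with file arguments, emit the assembled pf.conf.
[ "$#" -eq 0 ] || pf_assemble "$@"
```

Usage would be `sh build-pf.sh /etc/vlan500.conf /etc/vlan1000.conf > /etc/pf.conf && pfctl -nf /etc/pf.conf`; the `pfctl -nf` step is still the authoritative check, since the awk pass only looks at macro ordering, not at rule syntax. Hoisting `set` options along with the macros keeps the assembled file valid on pf versions that require options to precede rules.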