On 30.11.2011 09:22, Peter Hallin wrote:
> Hello,
> 
> I have some issues with pf.conf and includes that perhaps someone could
> shed some light on.
> 
> Where I work, we use bridging firewalls with multiple tagged vlans 
> passing the bridges, and filtering is done on the vlan interfaces. 
> Normally we have around 10-20 vlans on each machine, and we have a LOT 
> of rules in pf.conf. To make configuration a little easier I'm beginning
> to look at how to separate the vlans into multiple configs, one for each
> vlan, and then include them all from pf.conf.
> 
> I would want to have all macros, options and rules for each vlan in a
> separate file, but also I would like to use macros from one config in
> rules in another file. To clarify what I'm getting at, here's an
> example:
> 
> ######
> 
> /etc/vlan500.conf:
> 
> DB="192.168.0.10/32"
> 
> block log on vlan500
> pass in quick on vlan500 from $Webserver to $DB port 3306
> pass out on vlan500
> 
> ######
> 
> /etc/vlan1000.conf:
> 
> Webserver="192.168.1.20/32"
> 
> block log on vlan1000
> pass in quick on vlan1000 from any to $Webserver port 80
> pass out on vlan1000
> 
> ######
> 
> /etc/pf.conf
> 
> include "/etc/vlan500.conf"
> include "/etc/vlan1000.conf"
> 
> ######
> 
> The above example would not work, as pfctl will look at the rules in
> vlan500.conf before looking at the macros in vlan1000.conf and it will 
> throw an error that the $Webserver macro is not defined.
> 
> If I change the order of the includes in pf.conf, it will work, but of 
> course if I try to use macros from vlan1000.conf for rules in
> vlan500.conf, the problem will arise again.
> 
> One way to solve it would be to put all the macros in, say,
> /etc/vlan500-macros.conf and /etc/vlan1000-macros.conf and make sure
> they are included before the rules in pf.conf, but that seems
> inconvenient to me.
> 
> What is the common practice for using includes? Is there a way to get 
> pfctl to read ALL macros from ALL files before looking at the rules?
> 
> I would be happy to hear some suggestions.
> 
> Thanks, Peter
> 

How about a definition.conf with all your (Name, IP-Address) pairs which
is included first in your pf.conf, so your vlanXXXX.confs only include
the rules but no definitions.

guido
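
As an added example (not from either poster), the following Python script mimics pfctl's single-pass handling of include directives and macro definitions, so an include layout can be checked for use-before-definition offline, before it is loaded into a live firewall. The file contents are embedded as a constructed dict, and the names definitions.conf, vlan500-rules.conf, vlan1000-rules.conf and pf-fixed.conf are assumed for illustration.

```python
import re

# Constructed stand-in for the files under /etc (nothing is read from disk).
RULES_500 = ('block log on vlan500\n'
             'pass in quick on vlan500 from $Webserver to $DB port 3306\n'
             'pass out on vlan500\n')
RULES_1000 = ('block log on vlan1000\n'
              'pass in quick on vlan1000 from any to $Webserver port 80\n'
              'pass out on vlan1000\n')
FILES = {
    # Peter's layout: each vlan file defines its own macros
    "/etc/vlan500.conf": 'DB="192.168.0.10/32"\n' + RULES_500,
    "/etc/vlan1000.conf": 'Webserver="192.168.1.20/32"\n' + RULES_1000,
    "/etc/pf.conf": 'include "/etc/vlan500.conf"\ninclude "/etc/vlan1000.conf"\n',
    # guido's layout: all definitions first, vlan files hold rules only
    "/etc/definitions.conf": 'DB="192.168.0.10/32"\nWebserver="192.168.1.20/32"\n',
    "/etc/vlan500-rules.conf": RULES_500,
    "/etc/vlan1000-rules.conf": RULES_1000,
    "/etc/pf-fixed.conf": ('include "/etc/definitions.conf"\n'
                           'include "/etc/vlan500-rules.conf"\n'
                           'include "/etc/vlan1000-rules.conf"\n'),
}

INCLUDE = re.compile(r'^include\s+"([^"]+)"')
DEFINE = re.compile(r'^([A-Za-z_]\w*)\s*=\s*(.*)$')
USE = re.compile(r'\$\{?([A-Za-z_]\w*)\}?')

def check_macros(path, files=FILES, defined=None, errors=None):
    """Walk includes in order, as pfctl does in its single pass, and collect
    every $macro use that precedes its definition as (file, line, name)."""
    defined = set() if defined is None else defined
    errors = [] if errors is None else errors
    for lineno, raw in enumerate(files[path].splitlines(), 1):
        line = raw.split('#', 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        m = INCLUDE.match(line)
        if m:
            check_macros(m.group(1), files, defined, errors)
            continue
        m = DEFINE.match(line)
        # A definition's value may itself use macros, so check it too,
        # then record the new name so later lines may use it.
        uses = USE.findall(m.group(2) if m else line)
        errors.extend((path, lineno, n) for n in uses if n not in defined)
        if m:
            defined.add(m.group(1))
    return errors
```

Unlike pfctl, which stops at the first undefined macro, the check reports every offending use; it does not model backslash line continuations or macro redefinition.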
