On Wed, Nov 30, 2011 at 9:22 AM, Peter Hallin <peter.hal...@ldc.lu.se> wrote:
> Hello,
>
> I have some issues with pf.conf and includes that perhaps someone could
> shed some light on.
>
> Where I work, we use bridging firewalls with multiple tagged vlans
> passing the bridges, and filtering is done on the vlan interfaces.
> Normally we have around 10-20 vlans on each machine, and we have a LOT
> of rules in pf.conf. To make configuration a little easier I'm beginning
> to look at how to separate the vlans into multiple configs, one for each
> vlan, and then include them all from pf.conf.
>
> I would want to have all macros, options and rules for each vlan in a
> separate file, but also I would like to use macros from one config in
> rules in another file. To clarify what I'm getting at, here's an
> example:
>
> ######
>
> /etc/vlan500.conf:
>
> DB="192.168.0.10/32"
>
> block log on vlan500
> pass in quick on vlan500 from $Webserver to $DB port 3306
> pass out on vlan500
>
> ######
>
> /etc/vlan1000.conf:
>
> Webserver="192.168.1.20/32"
>
> block log on vlan1000
> pass in quick on vlan1000 from any to $Webserver port 80
> pass out on vlan1000
>
> ######
>
> /etc/pf.conf
>
> include "/etc/vlan500.conf"
> include "/etc/vlan1000.conf"
>
> ######
>
> The above example would not work, as pfctl will look at the rules in
> vlan500.conf before looking at the macros in vlan1000.conf and it will
> throw an error that the $Webserver macro is not defined.
>
> If I change the order of the includes in pf.conf, it will work, but of
> course if I try to use macros from vlan1000.conf for rules in
> vlan500.conf, the problem will arise again.
>
> One way to solve it would be to put all the macros in, say,
> /etc/vlan500-macros.conf and /etc/vlan1000-macros.conf and make sure
> they are included before the rules in pf.conf, but that seems
> inconvenient to me.
>
> What is the common practice for using includes? Is there a way to get
> pfctl to read ALL macros from ALL files before looking at the rules?
>
> I would be happy to hear some suggestions.
>
> Thanks, Peter
You could use a Makefile to concatenate a pf.conf from separate files. This
can give more flexibility than provided by "include":

-----------------------------------------------------------------
$ cat vlan500
#macroes
DB="192.168.0.10/32"
Webserver="192.168.1.20/32"
#macroes_end
# --- vlan500
block log on vlan500
pass in quick on vlan500 inet proto tcp from $Webserver to $DB port 3306
pass out on vlan500

$ cat vlan1000
#macroes
DB="192.168.0.10/32"
#macroes_end
# --- vlan1000
block log on vlan1000
pass in quick on vlan1000 inet proto tcp from any to $Webserver port 80
pass out on vlan1000

$ cat Makefile
pf.conf: macroes_unique vlan500.conf vlan1000.conf
	cat ${.ALLSRC} > ${.TARGET}

vlan1000.conf: vlan1000
	sed -e '/#macroes/,/#macroes_end/d' ${.ALLSRC} > ${.TARGET}

vlan1000.mac: vlan1000
	sed -ne '/#macroes/,/#macroes_end/p' ${.ALLSRC} > ${.TARGET}

vlan500.conf: vlan500
	sed -e '/#macroes/,/#macroes_end/d' ${.ALLSRC} > ${.TARGET}

vlan500.mac: vlan500
	sed -ne '/#macroes/,/#macroes_end/p' ${.ALLSRC} > ${.TARGET}

macroes_unique: vlan500.mac vlan1000.mac
	echo "# Macro definitions" >${.TARGET}
	sort -u ${.ALLSRC} | sed -e '/#macroes/d' >> ${.TARGET}

clean:
	rm -f *.conf *.mac macroes_unique

$ make clean
rm -f *.conf *.mac macroes_unique

$ make
sed -ne '/#macroes/,/#macroes_end/p' vlan500 > vlan500.mac
sed -ne '/#macroes/,/#macroes_end/p' vlan1000 > vlan1000.mac
echo "# Macro definitions" >macroes_unique
sort -u vlan500.mac vlan1000.mac | sed -e '/#macroes/d' >> macroes_unique
sed -e '/#macroes/,/#macroes_end/d' vlan500 > vlan500.conf
sed -e '/#macroes/,/#macroes_end/d' vlan1000 > vlan1000.conf
cat macroes_unique vlan500.conf vlan1000.conf > pf.conf

$ cat pf.conf
# Macro definitions
DB="192.168.0.10/32"
Webserver="192.168.1.20/32"
# --- vlan500
block log on vlan500
pass in quick on vlan500 inet proto tcp from $Webserver to $DB port 3306
pass out on vlan500
# --- vlan1000
block log on vlan1000
pass in quick on vlan1000 inet proto tcp from any to $Webserver port 80
pass out on vlan1000
-----------------------------------------------

So the Makefile collects the macros defined in the vlan500 and vlan1000
files and, after eliminating any duplicates, stuffs them into the
"macroes_unique" file. The "vlan500" and "vlan1000" files, after stripping
the macros, become "vlan500.conf" and "vlan1000.conf". The "pf.conf"
Makefile target then concatenates "macroes_unique" and the vlan*.conf files
into the final pf.conf.

BTW http://www.freebsd.org/doc/en_US.ISO8859-1/books/pmake/index.html has a
nice HTML version of the BSD make documentation.

Adriaan
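The same assembly step as a portable sh script, added here as an example and not part of either mail in the thread. It keeps Adriaan's fragment layout (macro lines between "#macroes" and "#macroes_end", rules after) and adds the two checks a firewall build really wants: "sort -u" only collapses identical lines, so a macro given two different values in two fragments would survive as two definitions, and pfctl accepts a redefinition, so the later value would silently win; this script fails the build instead. It also runs "pfctl -nf" on the result when pfctl exists on the build host. The script name (assemble-pf.sh), the function names and the three sample fragments are all constructed for the example.

```shell
#!/bin/sh
# assemble-pf.sh: build pf.conf from per-VLAN fragments (added example, not
# code from the thread). Fragment layout as in Adriaan's mail: macro lines
# between "#macroes" and "#macroes_end", rules after. The sample fragments
# written by write_sample_fragments are constructed for this example.

# extract_macros FILE... : print the macro lines of each fragment, marker
# lines removed. The marker patterns are anchored so a rule comment that
# merely mentions "#macroes" cannot open a range by accident.
extract_macros() {
    for f in "$@"; do
        sed -ne '/^#macroes$/,/^#macroes_end$/p' "$f" | sed -e '/^#macroes/d'
    done
}

# strip_macros FILE : print FILE without its macro block
strip_macros() {
    sed -e '/^#macroes$/,/^#macroes_end$/d' "$1"
}

# check_macro_conflicts : read NAME=value lines on stdin (already passed
# through sort -u, so identical definitions have collapsed to one line) and
# return 1 if any NAME is still present more than once, i.e. with two
# different values. pfctl would not reject that; the last definition in the
# assembled file would quietly win, which is what we refuse to ship.
check_macro_conflicts() {
    awk -F= 'BEGIN { bad = 0 }
        NF >= 2 {
            if ($1 in seen) {
                print "conflicting macro definition: " $1 > "/dev/stderr"
                bad = 1
            }
            seen[$1] = 1
        }
        END { exit bad }'
}

# build_pf_conf OUT FRAGMENT... : write the assembled ruleset to OUT, or
# return non-zero (and leave no OUT behind) if macros conflict or, where
# pfctl is available, if it rejects the result.
build_pf_conf() {
    out=$1; shift
    macros=$(extract_macros "$@" | sort -u)
    printf '%s\n' "$macros" | check_macro_conflicts || return 1
    {
        echo "# Macro definitions"
        printf '%s\n' "$macros"
        for f in "$@"; do strip_macros "$f"; done
    } > "$out" || return 1
    # Syntax-check before the file ever reaches "pfctl -f"; only possible
    # on a host that has pfctl (the verifier running this does not).
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -nf "$out" || { rm -f "$out"; return 1; }
    fi
}

# write_sample_fragments DIR : constructed fragments for trying this out.
# vlan500 and vlan1000 mirror the thread; vlan2000 deliberately redefines
# DB with a different value and must make the build fail.
write_sample_fragments() {
    cat > "$1/vlan500" <<'EOF'
#macroes
DB="192.168.0.10/32"
Webserver="192.168.1.20/32"
#macroes_end
# --- vlan500
block log on vlan500
pass in quick on vlan500 inet proto tcp from $Webserver to $DB port 3306
pass out on vlan500
EOF
    cat > "$1/vlan1000" <<'EOF'
#macroes
DB="192.168.0.10/32"
#macroes_end
# --- vlan1000
block log on vlan1000
pass in quick on vlan1000 inet proto tcp from any to $Webserver port 80
pass out on vlan1000
EOF
    cat > "$1/vlan2000" <<'EOF'
#macroes
DB="10.0.0.5/32"
#macroes_end
# --- vlan2000
block log on vlan2000
EOF
}

# "sh assemble-pf.sh demo" builds the sample ruleset and prints it
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d)
    write_sample_fragments "$d"
    build_pf_conf "$d/pf.conf" "$d/vlan500" "$d/vlan1000" && cat "$d/pf.conf"
    rm -rf "$d"
fi
```

Wiring this into the Makefile is a one-line recipe for the pf.conf target; the point of the conflict check is that a typo in one VLAN's fragment cannot silently change which address a rule in another VLAN's fragment refers to, and the "pfctl -nf" step means a broken ruleset is caught at build time rather than when "pfctl -f" runs on the bridge.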