On 01/02/06, Joerg Streckfuss <[EMAIL PROTECTED]> wrote:
>
> Hi list,
>
> I need some hints to manage a pf ruleset of more than 150 rules.
>
> In my company we want to design a firewall cluster with about
> 10 interfaces. We plan to use two Dell 1850s with two DFE-580TX
> quad-port NICs. Each interface points to a separate subnet. The
> cluster should use carp for redundancy.
>
> The problem is to manage the whole ruleset in a comfortable way. One of
> my ideas is to put the ruleset of each subnet into an extra file and
> load it into pf with anchors. This will reduce the main ruleset
> considerably.
> The disadvantage is that all macros listed in the main ruleset have to
> be listed in the subnet ruleset too, which is a little bit error-prone.
> In my opinion bandwidth management with separate files is not an elegant
> way either.
> Interface groups are not the solution, because the subnet rulesets are
> too different.
> In the end, I have to put all rules into a single file.
>
> So is there a better way to handle big rulesets?
Being able to manage large firewalls with pf (and others) is about ruleset
design. Make a design where you know where the rule is (or should be) by
just knowing the rule. Splitting it into multiple files will not help you
much if the design to start with is inconsistent.

I use external files to store the tables in, so we can add or remove stuff
like syslog clients without poking around in the rules.

I have managed many boxes with lots of interfaces and rules, and I found pf
to be the easiest to work with once I understood how states actually were
handled and could make a design for it. My vlan firewalls are a breeze to
manage, especially with excellent tools like CVS/RCS.

/Tony

--
Tony Sarendal - [EMAIL PROTECTED]
IP/Unix
-= The scorpion replied, "I couldn't help it, it's my nature" =-
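As an added illustration of the layout the reply describes (this is not from either poster; the interface names, networks, table names and file paths are assumptions made up for the example), a main pf.conf that keeps host lists in external table files, keeps the global policy in one place, and pushes per-subnet policy into one anchor file per interface:

```pf
# Added example, not part of the original thread. Interface names,
# table names and paths are assumptions chosen for illustration.

# Interface macros: one per subnet, named after the role, not the driver.
ext_if  = "dc0"
dmz_if  = "dc1"
srv_if  = "dc2"
sync_if = "dc3"         # dedicated pfsync / carp link between the two nodes

# Host lists live in external files so hosts can be added or removed
# without editing rules. "persist" keeps a table even when no rule
# currently references it.
table <syslog_clients> persist file "/etc/pf/tables/syslog_clients"
table <admin_hosts>    persist file "/etc/pf/tables/admin_hosts"
table <blocked>        persist file "/etc/pf/tables/blocked"

set skip on lo0
set skip on $sync_if

# Default deny with logging; everything below opens specific holes.
block log all

# Cluster plumbing: carp advertisements and pfsync state replication.
pass quick on $sync_if proto pfsync keep state
pass quick proto carp keep state

# Global policy that applies regardless of subnet.
block in quick from <blocked>
pass in quick on $srv_if inet proto udp from <syslog_clients> \
    to ($srv_if) port syslog keep state
pass in quick inet proto tcp from <admin_hosts> \
    to ($ext_if) port ssh keep state

# Per-subnet policy: one anchor per interface, each loaded from its own
# file. Rules in an anchor file may reference the tables defined above
# (an undefined table in an anchor resolves to the root table of the same
# name), but macros are not shared: each anchor file is parsed on its own
# and must define any macro it uses.
anchor "dmz" on $dmz_if
load anchor "dmz" from "/etc/pf/anchors/dmz"

anchor "srv" on $srv_if
load anchor "srv" from "/etc/pf/anchors/srv"
```

With this split, `pfctl -nf /etc/pf.conf` syntax-checks the whole thing before a reload, `pfctl -t syslog_clients -T replace -f /etc/pf/tables/syslog_clients` swaps a host list without touching any rule, and `pfctl -a dmz -f /etc/pf/anchors/dmz` reloads a single subnet's policy. Because the interface-to-anchor mapping is fixed in the main file, the question "where is the rule for subnet X" has exactly one answer, which is the property the reply is after; the table files and anchor files are plain text and sit naturally under CVS/RCS alongside pf.conf.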