Kian Mohageri wrote:
Hello,

I was just curious if any of you sync pf tables between hosts, and how you
do it.  I know it may be considered abusing tables, but in our setup, we
hold a list of registered clients within tables (which are updated
dynamically by scripts).  We also use carp (and soon pfsync) for failover.
Obviously both hosts need to have the same addresses in their tables for
this to work well, so the script runs on both hosts...which is fine I
suppose, and cleaner than scp'ing the list from one to the other.

But I was curious how other people handle this issue.  So, how do you guys
sync your tables?

What's wrong with scp? :)

We use a little script I tossed together which, when run, prepares a "diff -u" of /etc/pf.conf and everything in /etc/pf/ (which is where we stick our tables) against the corresponding files on the "other" machine. It displays the diff to the user in vi; the user then explains the changes and saves it. If the save is made (as opposed to abandoning the edit), the files are scp'd to the remote machine, the diff and explanations are saved with a date- and time-stamped file name to a changelog directory, and that file is also copied to the remote machine (along with this script, as I figured I'd be making a fair number of changes to it to get it right!).

The script is "symmetrical", in that it can be run from either machine unaltered to update the other. We use it to sync the tables and pf.conf on the firewalls, but we have similar scripts on the DNS servers, etc.

On CARP'd machines it can be kinda handy: make a quick change on the primary, test it, and if it works, run the script. If it doesn't, you can easily revert it by simply running the script on the standby machine.

Nick.
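The diff-annotate-push-log workflow Nick describes, and the table sync Kian asks about, as an added example. This is not Nick's script or anything from the thread; it assumes a hypothetical peer hostname `fw2` reachable as root over ssh, one-address-per-line table files under `/etc/pf/` named after their pf table, and a changelog directory `/var/pfsync-log` on both hosts. The one check it adds to the thread's procedure is `pfctl -nf` on pf.conf before anything is pushed, so a syntax error is not replicated to both CARP peers at once.

```shell
#!/bin/sh
# Added example, not the script from the thread. Symmetric sync of
# /etc/pf.conf and the table files in /etc/pf/ between two CARP peers:
# fetch the peer's copies, diff, let the operator annotate the diff in
# $EDITOR, push only if the annotation was saved, and keep a stamped log.
set -u

PEER="${PEER:-fw2}"               # the "other" machine (hypothetical name)
LOCAL_ROOT="${LOCAL_ROOT:-/etc}"  # holds pf.conf and pf/
LOG_DIR="${LOG_DIR:-/var/pfsync-log}"  # changelog directory (hypothetical)

# Copy the peer's pf.conf and pf/ into a scratch tree so diff runs locally.
fetch_peer() {   # usage: fetch_peer <dest_tree>
    mkdir -p "$1"
    scp -q "root@$PEER:/etc/pf.conf" "$1/pf.conf"
    scp -qr "root@$PEER:/etc/pf" "$1/"
}

# Unified diff of the peer's tree (old) against ours (new).
# Returns 0 when identical, non-zero when they differ, like diff(1).
sync_diff() {   # usage: sync_diff <peer_tree> <local_tree>
    rc=0
    diff -uN "$1/pf.conf" "$2/pf.conf" || rc=1
    diff -ruN "$1/pf" "$2/pf" || rc=1
    return $rc
}

# Syntax-check pf.conf without loading it; refuse to push a broken rule set.
check_pfconf() {   # usage: check_pfconf <pf.conf>
    pfctl -nf "$1"
}

# Prepend a prompt and open the diff in $EDITOR. Returns 0 only if the file
# was actually saved with changes, so quitting without saving aborts the push.
annotate() {   # usage: annotate <diff_file>
    { printf '# Explain this change here, save to push, quit without saving to abort.\n\n'
      cat "$1"; } > "$1.tmp" && mv "$1.tmp" "$1"
    before=$(cksum < "$1")
    "${EDITOR:-vi}" "$1"
    after=$(cksum < "$1")
    [ "$before" != "$after" ]
}

# Save the annotated diff under a date/time-stamped name; prints the path.
write_changelog() {   # usage: write_changelog <log_dir> <annotated_diff>
    mkdir -p "$1"
    out="$1/$(date +%Y%m%d-%H%M%S)-$(uname -n).log"
    { printf 'Pushed from %s to %s on %s\n\n' "$(uname -n)" "$PEER" "$(date)"
      cat "$2"; } > "$out"
    printf '%s\n' "$out"
}

# Push the files, reload the rule set, and replace each table's contents in
# place on the peer so its running tables match the files just copied.
push_to_peer() {   # usage: push_to_peer <local_tree>
    scp -q "$1/pf.conf" "root@$PEER:/etc/pf.conf"
    scp -qr "$1/pf" "root@$PEER:/etc/"
    ssh "root@$PEER" "pfctl -f /etc/pf.conf"
    for t in "$1"/pf/*; do
        [ -f "$t" ] || continue
        n=$(basename "$t")
        ssh "root@$PEER" "pfctl -t '$n' -T replace -f '/etc/pf/$n'"
    done
}

main() {
    work=$(mktemp -d) || exit 1
    fetch_peer "$work/peer"
    if sync_diff "$work/peer" "$LOCAL_ROOT" > "$work/diff"; then
        echo "pf.conf and tables already match $PEER"
        rm -rf "$work"; return 0
    fi
    check_pfconf "$LOCAL_ROOT/pf.conf" || { rm -rf "$work"; return 1; }
    if ! annotate "$work/diff"; then
        echo "edit abandoned, nothing pushed"; rm -rf "$work"; return 0
    fi
    push_to_peer "$LOCAL_ROOT"
    log=$(write_changelog "$LOG_DIR" "$work/diff")
    ssh "root@$PEER" "mkdir -p '$LOG_DIR'" && scp -q "$log" "root@$PEER:$LOG_DIR/"
    rm -rf "$work"
}

# Run the full workflow only when invoked as `sh pfsync-tables.sh run`.
if [ "${1:-}" = "run" ]; then main; fi
```

Because every step except the ssh/scp transport works on two local directory trees, the diff, annotate and changelog pieces can be exercised on any host; the reverse direction (reverting the primary from the standby) is the same script run on the other peer.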
