C. L. Martinez wrote:

> Hi all,
>
> Does anybody know where I can find a good shell script to sync pf.conf rules
> over several OpenBSD firewalls using CARP?
>
> Many thanks.
Yeah, on a few of my boxes here. :)

No, I'm not going to post the script, on the grounds that people would probably be too likely to use my script without properly looking it over, and put bluntly, my programming skills would make me a good Linux or Windows programmer (i.e., "IT WORKS! SHIP IT! Someone else can fix the problem later"). That's why I stick to the FAQ.

Anyway... put your PF tables in their own directory, maybe "/etc/pf". This way, as you add (or delete) "extra" files, you don't have to add them to your script; just copy over the entire /etc/pf directory.

Your script should be "symmetrical", in that the EXACT SAME SCRIPT should run on either machine. Why? Because you will make changes to this script, and it will be one of the things you copy from machine to machine. Either machine should be able to update the other, as you don't get to choose which one will fail, and either machine should be able to be used as a "source" to recreate the other.

When you run my script, it makes a "diff -u" of the new versions with the old versions of a predefined list of files (in my case, /etc/pf.conf, /etc/pf/*, /usr/local/bin/pfupdate) (guess where it gets the old versions? RIGHT! The "other" server!), packages up these files into a tar file, creates a diff, and drops the user into an editor, where they can explain the change, much like CVS. This explanation and the diff go into a directory, /backup/changelog, on EACH server, with a date-and-time-stamped file. This makes it easy to grep for changes, find when a change was made and find out why it was made. If the comments are not made, the change is aborted. The script then loads the new pf.conf file on the other machine.

The /backup directory also stores a daily copy of a tgz file of the /etc and /var directories. At the rate of "burn" on this, a 20G /backup volume will last probably around 15 years. :) Yes, this is on a second disk on each machine, so again, both machines contain the complete history of the system. But this really isn't a feature of the script to sync the rule sets. BTW: that second disk holds a complete nightly backup, and is ready to take over in the event of the failure of the primary disk. I much prefer this system to RAID for "otherwise redundant" systems.

All the magic is done with ssh remote execution, scp, and other tools already in the system; no packages need be installed (I like to keep my systems lean). Pretty straightforward, really.

So... the way it is used is this:

1. Make your changes (vi/emacs/mg/whatever) on a machine.
2. Install changes (pfctl -f ...).
3. Test changes.
4. Unhappy? Go back to step 1.
5. When happy, run "pfupdate".
6. Review the diff, make sure it is really what you wanted (this is a VERY nice step, btw.)
7. If unhappy with the diff, abort the edit, go back to step one.
8. Enter log message.
9. Ta-da!

If you decide you don't like those changes, you can easily go to the "backup" system, and "pfupdate" them back to where they were before you started.

If I see a nightly insecurity report from one firewall but not the other, I know someone (i.e., me) forgot to sync the two after a change. This is sometimes desirable: if you think the impact of an error is greater than the likelihood of a system failure, delay your update process.

I really like this system... I've got change logs, backups, redundancy, easy maintenance, in a nice, neat pair of boxes. Got a similar script and config on our DNS servers, too.

Nick.
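The workflow Nick describes (diff against the peer's copy, mandatory log message, timestamped changelog on both boxes, then load on the peer), as an added illustration written for this thread; it is not Nick's script and was not posted by him. It assumes a peer hostname in PEER, a /etc/pf directory for table files, an EDITOR for the log message, and that ssh, scp, tar and pfctl are present on both machines, all of which are assumptions made here:

```shell
#!/bin/sh
# pfupdate-style sync of pf.conf and /etc/pf/* to a CARP peer.
# Added illustration for this thread; NOT Nick's script.
# Assumptions (not from the thread): PEER is the other firewall, the
# synced files live in /etc/pf.conf and /etc/pf, and $EDITOR exists.
set -u

PEER="${PEER:-fw-peer.example.invalid}"      # hypothetical CARP peer
FILES="${FILES:-/etc/pf.conf /etc/pf}"       # what gets synced
CHANGELOG="${CHANGELOG:-/backup/changelog}"  # date-stamped entries on BOTH boxes
EDITOR="${EDITOR:-vi}"

# fetch_peer_copy DIR: stage the peer's current versions of $FILES under DIR,
# so the diff is taken against what is actually loaded on the other box.
fetch_peer_copy() {
    ssh "$PEER" "tar cf - $FILES" | tar xf - -C "$1"
}

# stage_local_copy DIR: stage our own versions of $FILES under DIR.
stage_local_copy() {
    tar cf - $FILES | tar xf - -C "$1"
}

# compare_trees OLD NEW: unified diff of the peer's copy against ours.
# Exit 0 whether or not there are differences; any other diff status is an error.
compare_trees() {
    diff -ruN "$1" "$2" || [ $? -eq 1 ]
}

# log_entry_ok FILE: the change description must contain at least one line
# that is neither blank nor a '#' comment; otherwise the update is aborted.
log_entry_ok() {
    grep -v '^[[:space:]]*#' "$1" | grep -q '[^[:space:]]'
}

# write_changelog DIR MSGFILE DIFFFILE: store message + diff as one
# timestamped entry under DIR and print the entry's path.
write_changelog() {
    entry="$1/$(date +%Y%m%d-%H%M%S)"
    { cat "$2"; echo; cat "$3"; } > "$entry"
    echo "$entry"
}

# push_and_load: copy the files to the peer, syntax-check them there with
# pfctl -n, and only then load the new ruleset.
push_and_load() {
    tar cf - $FILES | ssh "$PEER" \
        "tar xf - -C / && pfctl -nf /etc/pf.conf && pfctl -f /etc/pf.conf"
}

main() {
    work=$(mktemp -d) || exit 1
    mkdir "$work/old" "$work/new"
    fetch_peer_copy "$work/old"
    stage_local_copy "$work/new"
    compare_trees "$work/old" "$work/new" > "$work/diff"
    if [ ! -s "$work/diff" ]; then
        echo "no changes relative to $PEER"; rm -rf "$work"; exit 0
    fi
    cat "$work/diff"                      # the "review the diff" step
    printf '# Describe this change (lines starting with # are ignored).\n' > "$work/msg"
    "$EDITOR" "$work/msg"
    if ! log_entry_ok "$work/msg"; then
        echo "empty log message, aborting"; rm -rf "$work"; exit 1
    fi
    entry=$(write_changelog "$CHANGELOG" "$work/msg" "$work/diff")
    scp -q "$entry" "$PEER:$entry"        # same history on both boxes
    push_and_load
    rm -rf "$work"
}

# Only run the full update when explicitly asked; the functions above can
# be sourced and exercised on their own.
if [ "${PFUPDATE_RUN:-0}" = 1 ]; then main "$@"; fi
```

Run it as PFUPDATE_RUN=1 PEER=other-firewall ./pfupdate on whichever box holds the edited ruleset; because both boxes carry the same script and the same changelog, the same command on the other box "pfupdates" a bad change back out again.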