pf and includes


pf and includes

Peter Hallin
Hello,

I have some issues with pf.conf and includes that perhaps someone could
shed some light on.

Where I work, we use bridging firewalls with multiple tagged vlans
passing the bridges, and filtering is done on the vlan interfaces.
Normally we have around 10-20 vlans on each machine, and we have a LOT
of rules in pf.conf. To make configuration a little easier I'm beginning
to look at how to separate the vlans into multiple configs, one for each
vlan, and then include them all from pf.conf.

I would want to have all macros, options and rules for each vlan in a
separate file, but also I would like to use macros from one config in
rules in another file. To clarify what I'm getting at, here's an
example:

######

/etc/vlan500.conf:

DB="192.168.0.10/32"

block log on vlan500
pass in quick on vlan500 from $Webserver to $DB port 3306
pass out on vlan500

######

/etc/vlan1000.conf:

Webserver="192.168.1.20/32"

block log on vlan1000
pass in quick on vlan1000 from any to $Webserver port 80
pass out on vlan1000

######

/etc/pf.conf

include "/etc/vlan500.conf"
include "/etc/vlan1000.conf"

######

The above example would not work, as pfctl will look at the rules in
vlan500.conf before looking at the macros in vlan1000.conf and it will
throw an error that the $Webserver macro is not defined.

If I change the order of the includes in pf.conf, it will work, but of
course if I try to use macros from vlan1000.conf for rules in
vlan500.conf, the problem will arise again.

One way to solve it would be to put all the macros in, say,
/etc/vlan500-macros.conf and /etc/vlan1000-macros.conf and make sure
they are included before the rules in pf.conf, but that seems
inconvenient to me.

What is the common practice for using includes? Is there a way to get
pfctl to read ALL macros from ALL files before looking at the rules?

I would be happy to hear some suggestions.

Thanks, Peter


Re: pf and includes

quartz-2
> One way to solve it would be to put all the macros in, say,
> /etc/vlan500-macros.conf and /etc/vlan1000-macros.conf and make sure
> they are included before the rules in pf.conf, but that seems
> inconvenient to me.

That might be your best option. You can use something like pfctl to parse
rules without loading them, but I don't think the reverse is possible.

You're probably not this lucky, but assuming all your macros are just
name/ip pairs like in the example, you might be able to get away with
storing them all in /etc/hosts or setting up a dns forwarder.


Re: pf and includes

Guido Tschakert
On 30.11.2011 09:22, Peter Hallin wrote:

> One way to solve it would be to put all the macros in, say,
> /etc/vlan500-macros.conf and /etc/vlan1000-macros.conf and make sure
> they are included before the rules in pf.conf, but that seems
> inconvenient to me.
>
> What is the common practice for using includes? Is there a way to get
> pfctl to read ALL macros from ALL files before looking at the rules?

How about a definition.conf with all your (Name,IP-Address)-Pairs which
is included first in your pf.conf, so your vlanXXXX.confs only include
the rules but no definitions.

guido


Re: pf and includes

Adriaan Misc
On Wed, Nov 30, 2011 at 9:22 AM, Peter Hallin wrote:

> One way to solve it would be to put all the macros in, say,
> /etc/vlan500-macros.conf and /etc/vlan1000-macros.conf and make sure
> they are included before the rules in pf.conf, but that seems
> inconvenient to me.
>
> What is the common practice for using includes? Is there a way to get
> pfctl to read ALL macros from ALL files before looking at the rules?

You could use a Makefile to concatenate a pf.conf from separate files.
This can give more flexibility than provided by "include":
-----------------------------------------------------------------

$ cat vlan500

#macroes
DB="192.168.0.10/32"
Webserver="192.168.1.20/32"
#macroes_end

# --- vlan500
block log on vlan500
pass in quick on vlan500 inet proto tcp from $Webserver to $DB port 3306
pass out on vlan500

$ cat vlan1000

#macroes
DB="192.168.0.10/32"
#macroes_end

# --- vlan1000
block log on vlan1000
pass in quick on vlan1000 inet proto tcp from any to $Webserver port 80
pass out on vlan1000

$ cat Makefile

pf.conf: macroes_unique vlan500.conf vlan1000.conf
        cat ${.ALLSRC} > ${.TARGET}

vlan1000.conf:  vlan1000
        sed -e '/#macroes/,/#macroes_end/d' ${.ALLSRC}  > ${.TARGET}

vlan1000.mac: vlan1000
        sed -ne '/#macroes/,/#macroes_end/p' ${.ALLSRC} > ${.TARGET}

vlan500.conf:  vlan500
        sed -e '/#macroes/,/#macroes_end/d' ${.ALLSRC}  > ${.TARGET}

vlan500.mac: vlan500
        sed -ne '/#macroes/,/#macroes_end/p' ${.ALLSRC} > ${.TARGET}

macroes_unique: vlan500.mac vlan1000.mac
        echo "# Macro definitions" >${.TARGET}
        sort -u ${.ALLSRC} | sed -e '/#macroes/d' >> ${.TARGET}

clean:
        rm -f *.conf *.mac macroes_unique


$ make clean
rm -f *.conf *.mac macroes_unique

$ make
sed -ne '/#macroes/,/#macroes_end/p' vlan500 > vlan500.mac
sed -ne '/#macroes/,/#macroes_end/p' vlan1000 > vlan1000.mac
echo "# Macro definitions" >macroes_unique
sort -u vlan500.mac vlan1000.mac | sed -e '/#macroes/d' >> macroes_unique
sed -e '/#macroes/,/#macroes_end/d' vlan500  > vlan500.conf
sed -e '/#macroes/,/#macroes_end/d' vlan1000  > vlan1000.conf
cat macroes_unique vlan500.conf vlan1000.conf > pf.conf

$ cat pf.conf

# Macro definitions
DB="192.168.0.10/32"
Webserver="192.168.1.20/32"

# --- vlan500
block log on vlan500
pass in quick on vlan500 inet proto tcp from $Webserver to $DB port 3306
pass out on vlan500

# --- vlan1000
block log on vlan1000
pass in quick on vlan1000 inet proto tcp from any to $Webserver port 80
pass out on vlan1000

-----------------------------------------------
So the Makefile collects the macros defined in the vlan500 and vlan1000
files and, after eliminating any duplicates, stuffs them into the
"macroes_unique" file.

The "vlan500" and "vlan1000" files, after stripping the macros, become
"vlan500.conf" and "vlan1000.conf".
The "pf.conf" Makefile target then concatenates the "macroes_unique"
and the vlan*.conf files into the final pf.conf.

BTW http://www.freebsd.org/doc/en_US.ISO8859-1/books/pmake/index.html
has a nice HTML version of the BSD make documentation.

Adriaan
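Added example (my own script, not anything posted in the thread): the macros-first assembly that Guido and Adriaan describe, written as a POSIX sh script instead of a Makefile, plus two text-level checks a practitioner would want before the result is loaded: a macro defined with different values in two VLAN files (which `sort -u` alone passes through silently, since the two lines differ), and a `$name` reference that no file defines (the "macro not defined" error from Peter's first post, caught without needing pfctl on the machine doing the check). The function names, the temporary working directory and the two sample VLAN files are constructed for this example. On the firewall itself the authoritative syntax check is still `pfctl -nf pf.conf`, which parses the file without loading it.

```shell
#!/bin/sh
# Added example, not code from the thread: hoist every macro definition out
# of the per-VLAN files into a shared header and run two text-level checks
# before the result goes near pfctl. Function names and the sample VLAN
# files are constructed for this demonstration. POSIX sh, sed, sort, tr and
# grep only, so it runs on a workstation that has no pf at all.

set -u

# A pf macro definition line:  name="value"  or  name = "value"
MACRO_DEF='^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*[[:space:]]*=[[:space:]]*"'

# Print the macro definitions found in FILE..., normalised to name="value".
macro_defs() {
    sed -n "/$MACRO_DEF/{s/^[[:space:]]*//;s/[[:space:]]*=[[:space:]]*/=/;p;}" "$@"
}

# Print FILE... with the macro definitions stripped (rules and options only).
rules_only() {
    sed "/$MACRO_DEF/d" "$@"
}

# Print every $name referenced in FILE..., one per line, without duplicates.
# Only the bare $name form is recognised; ${name} is not handled here.
macro_refs() {
    cat -- "$@" | tr -cs 'A-Za-z0-9_$' '\n' \
        | sed -n 's/^[$]\([A-Za-z_][A-Za-z0-9_]*\)$/\1/p' | sort -u
}

# Fail if the same macro name is defined with different values in FILE...
# (sort -u keeps both lines of such a pair, so a plain merge would not notice).
check_macro_conflicts() {
    conflicts=$(macro_defs "$@" | sort -u | sed 's/=.*//' | uniq -d)
    if [ -n "$conflicts" ]; then
        printf 'conflicting macro definitions: %s\n' "$conflicts" >&2
        return 1
    fi
}

# Fail if any $name used in FILE... is defined in none of them; this is the
# "$Webserver macro is not defined" case from the original post, caught off-box.
check_undefined_refs() {
    defined=$(macro_defs "$@" | sed 's/=.*//' | sort -u)
    missing=''
    for name in $(macro_refs "$@"); do
        printf '%s\n' "$defined" | grep -qx "$name" || missing="$missing $name"
    done
    if [ -n "$missing" ]; then
        printf 'undefined macro reference(s):%s\n' "$missing" >&2
        return 1
    fi
}

# Write OUT: unique macro definitions first, then each VLAN file's rules in
# the order given, so include order no longer matters for macro lookup.
build_pf_conf() {
    out=$1; shift
    {
        echo '# Macro definitions (collected from all VLAN files)'
        macro_defs "$@" | sort -u
        for f in "$@"; do
            printf '\n# --- %s\n' "$(basename "$f")"
            rules_only "$f"
        done
    } > "$out"
}

# --- constructed sample input, mirroring the layout in the thread ---------
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

cat > "$WORK/vlan500.conf" <<'EOF'
DB="192.168.0.10/32"
block log on vlan500
pass in quick on vlan500 inet proto tcp from $Webserver to $DB port 3306
pass out on vlan500
EOF

cat > "$WORK/vlan1000.conf" <<'EOF'
Webserver="192.168.1.20/32"
block log on vlan1000
pass in quick on vlan1000 inet proto tcp from any to $Webserver port 80
pass out on vlan1000
EOF

# Run both checks over all VLAN files together, then assemble pf.conf.
# On the firewall the authoritative check remains: pfctl -nf pf.conf
set -- "$WORK/vlan500.conf" "$WORK/vlan1000.conf"
if check_macro_conflicts "$@" && check_undefined_refs "$@"; then
    build_pf_conf "$WORK/pf.conf" "$@"
    cat "$WORK/pf.conf"
fi
```

The checks deliberately look at all VLAN files at once, because a reference is only undefined if no file in the set defines it; running `check_undefined_refs` on a single VLAN file reproduces the original failure (vlan500.conf alone has no `Webserver`). The conflict check is the part a Makefile built on `sort -u` lacks: two files that both define `DB` with different addresses merge into a header carrying both lines, and the script refuses to build rather than leave it to the parser to pick one.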


Re: pf and includes

Peter Hallin
On 2011-11-30 16:14, Guido Tschakert wrote:
>
> How about a definition.conf with all your (Name,IP-Adress)-Pairs which
> is included first in your pf.conf, so your vlanXXXX.confs only include
> the rules but no definitions.
>
> guido
>

Thanks, this is probably the way to do it. Sometimes we move vlans
between firewalls and then it can be good to remove the rules, but still
keep some macros.

I'm also planning to have the same set of variables on all 10 firewalls
so that the only difference between them will be the rules files.

//Peter


Re: pf and includes

Peter Hallin
On 2011-11-30 20:20, Adriaan wrote:
>
> You could use a Makefile to concatenate a pf.conf from separate files.
> This can give more flexibility than provided by "include" :

Thank you very much for your elaborate solution.

To keep things a little less complex, I will probably go with includes
and keep all the macros and tables in one big file shared on all
firewalls.

//Peter