2013/7/11, Jummo <[email protected]>:
> Hi,
>
> How do you manage your pf.conf?
>
> My setup: I have 9 firewalls with carp and each with around 500 lines of
> pf.conf, except one firewall, later more. I edit the pf.conf manually.
> Every logical pf rule has a unique identifier (a number) which I add
> manually and maps to the rule on a wiki page. The wiki page has this
> format.
>
We have more obsd FWs than that at work, and we keep the rules in subversion, and have cronjobs to frequently check out and test the latest version from the repo, and apply it if the syntax is ok.

Using includes (and the svn "softlink" svn:externals) makes it easy to have global defines for macros and tables that all fws should have; then the local pf.conf can have the correct interface names and the specific rules that apply to them.

At my former workplace we had more or less the same, except with RCS in AFS, but still with includes (both top-of-file includes for macros and end-of-file includes for exceptions).

The main methods were basically the same: generalize as much as possible with include files, and keep all files versioned (along with other /etc files perhaps) to make re-installing a single fw node easy.

-- 
May the most significant bit of your life be positive.
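The checkout, syntax-test, apply cron job described in the reply, written out as an added example (not code from the thread or from either poster). It assumes a Subversion working copy at $PF_REPO whose top-level file is pf.conf, and that svn, svnversion and pfctl are on PATH; the order matters, because pfctl -n parses the file (includes too) without touching the running ruleset.

```sh
#!/bin/sh
# Added example: cron-driven deploy of a versioned pf.conf.
# Assumed layout: $PF_REPO is an svn working copy, $PF_MAIN its top file.
# crontab: */5 * * * * /usr/local/sbin/pf-deploy run
set -u

PF_REPO=${PF_REPO:-/etc/pf}
PF_MAIN=${PF_MAIN:-pf.conf}
PF_LOG_TAG=${PF_LOG_TAG:-pf-deploy}

# Syslog if logger is available, otherwise stderr (cron mails it).
log() { logger -t "$PF_LOG_TAG" "$*" 2>/dev/null || echo "$PF_LOG_TAG: $*" >&2; }

# 0 = checkout changed, 1 = unchanged, 2 = svn failure.
update_checkout() {
    before=$(svnversion "$1" 2>/dev/null) || return 2
    svn update -q "$1" >/dev/null 2>&1 || return 2
    after=$(svnversion "$1" 2>/dev/null) || return 2
    [ "$before" != "$after" ]
}

# Parse-only check: pfctl -n reads the file (and its includes) but loads nothing.
validate_ruleset() { pfctl -n -f "$1" >/dev/null 2>&1; }

# Live load; only ever called on a file that passed validate_ruleset.
load_ruleset() { pfctl -f "$1" >/dev/null 2>&1; }

# Exit codes: 0 loaded, 3 unchanged, 4 syntax error, 5 svn or load failure.
deploy() {
    repo=$1; conf=$repo/$2; rc=0
    update_checkout "$repo" || rc=$?
    case $rc in
        1) return 3 ;;
        2) log "svn update failed for $repo"; return 5 ;;
    esac
    if ! validate_ruleset "$conf"; then
        log "syntax check failed for $conf, keeping the running ruleset"
        return 4
    fi
    if load_ruleset "$conf"; then
        log "loaded $conf ($(svnversion "$repo"))"
        return 0
    fi
    log "pfctl -f failed for $conf"
    return 5
}

[ "${1:-}" = "run" ] && deploy "$PF_REPO" "$PF_MAIN"
```

A failed parse leaves the previously loaded ruleset untouched and only logs, so a broken commit degrades to "no change" rather than to an open or unreachable firewall.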

