On Thu, Jul 11, 2013 at 8:51 PM, Patrick Lamaiziere <patf...@davenulle.org> wrote:
> On Thu, 11 Jul 2013 13:18:13 +0200 (CEST),
> Jummo <jum...@yahoo.de> wrote:
>
>> This works quite well for me and my firewalls with one exception, my
>> big fat central router/firewall. This firewall has around 2000 lines
>> of pf.conf, is attached to 12 VLAN interfaces and is slowly getting
>> unmanageable with this concept.
>>
>> How do you manage such big firewalls? Do you split the pf.conf into
>> logical parts? Do you use a base structure for every pf.conf? Do you
>> use a tool for automatic creation of pf.conf? How do you test your
>> old rules after you have changed something?
>
> We have a large set of rules at work on several routers/firewalls and we
> use a tool, 'list firewall (lsfw)', to help manage the rule set. The
> goal is to display the rules applied between a source address and a
> destination, across several devices doing routing and firewalling.
> See: https://groupes.renater.fr/wiki/jtacl/index
>
> It has some other features, IP cross references for example, which is
> cool for knowing where an address is used directly or indirectly (in a
> table/group), or for extracting the addresses from the configurations and
> automating tests on them.
>
> That works fine at work (PF + Cisco + Checkpoint), but there are some
> limitations (see the doc...)
>
> My next step is a tool to manage security policies. I mean if someone
> asks to open a port, we should be able to track this policy (who, why,
> which rules are used) and to check it. This is work in (slow) progress.
> If someone already has such a tool, please let me know :)
>
> If you want more details, ask me; this is a bit off topic here.
>
> Regards.
A really, really interesting topic. I have the same problem with my CARP firewalls (20 in total), but I think the best option is the one Andy suggests: fast, reliable and "secure" (if you know what you are doing)... Andy, do you use the firewall module that comes with Puppet to accomplish this task?
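The question Jummo raises (how to know what a change touches in a 2000-line pf.conf) and the IP cross-reference feature Patrick describes in lsfw both come down to one operation: for a given address, find every rule that matches it, whether the address appears literally, through a macro, or through a table entry. The script below is an added example written for this thread; it is not lsfw, not Andy's Puppet setup, and not code posted by anyone in the discussion. The pf.conf it parses is constructed inline, with hypothetical interface names, addresses and table names. It handles the common pf.conf forms (macro assignments, inline `table <name> { ... }` definitions with macros nested inside, and filter rules); tables loaded from files, anchors and hostnames are out of scope and are left untouched rather than guessed at.

```python
import ipaddress
import re

# Constructed sample pf.conf for this example (not from the thread);
# interfaces, addresses and table names are hypothetical.
SAMPLE_PF_CONF = """\
ext_if = "em0"
mgmt_net = "10.0.10.0/24"
admin_host = "10.0.10.5"
table <web_servers> { 192.0.2.10, 192.0.2.11 }
table <trusted> { $mgmt_net, 198.51.100.7 }
block all
block in quick on $ext_if from 203.0.113.0/24 to any
pass in on $ext_if proto tcp from any to <web_servers> port { 80 443 }
pass in on $ext_if proto tcp from <trusted> to $admin_host port 22
pass out on $ext_if from $mgmt_net to any
"""

MACRO_RE = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*"?([^"#]+?)"?\s*$')
TABLE_RE = re.compile(r'^\s*table\s+<([^>]+)>\s*(?:persist\s*)?\{([^}]*)\}')
MACRO_REF_RE = re.compile(r'\$([A-Za-z_][A-Za-z0-9_]*)')
TABLE_REF_RE = re.compile(r'<([^>]+)>')
ADDR_RE = re.compile(r'\b\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?\b')  # IPv4 / CIDR literals only


def parse_pf_conf(text):
    """Split a pf.conf into macros, inline tables and the remaining lines,
    which are treated as rules. Returns (macros, tables, rules) with rules
    as a list of (lineno, text). Comments are stripped; 'table ... file'
    definitions and anchors are not expanded and simply land in rules."""
    macros, tables, rules = {}, {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2).strip()
            continue
        t = TABLE_RE.match(line)
        if t:
            tables[t.group(1)] = [e.strip() for e in t.group(2).split(',') if e.strip()]
            continue
        rules.append((lineno, line))
    return macros, tables, rules


def expand(value, macros):
    """Replace $name references with their macro values, recursively, the way
    pfctl expands macros textually. Undefined macros are left as written."""
    def sub(m):
        name = m.group(1)
        if name not in macros:
            return m.group(0)
        return expand(macros[name], macros)
    return MACRO_REF_RE.sub(sub, value)


def covers(entry, addr):
    """True if entry (a host or CIDR literal) contains addr."""
    try:
        return addr in ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return False  # interface names, ports, hostnames: never a match


def covered_by_any(text, addr):
    """True if any IPv4 literal in text contains addr (text may be a list)."""
    return any(covers(tok, addr) for tok in ADDR_RE.findall(text))


def find_references(pf_text, address):
    """Return [(lineno, how, rule_text)] for every rule that matches address,
    where 'how' says whether the hit is direct, via a macro, or via a table."""
    addr = ipaddress.ip_address(address)
    macros, tables, rules = parse_pf_conf(pf_text)
    matching_macros = {n for n, v in macros.items() if covered_by_any(expand(v, macros), addr)}
    matching_tables = {n for n, entries in tables.items()
                       if any(covered_by_any(expand(e, macros), addr) for e in entries)}
    hits = []
    for lineno, rule in rules:
        hows = []
        if covered_by_any(rule, addr):
            hows.append('direct')
        hows += ['via $' + n for n in MACRO_REF_RE.findall(rule) if n in matching_macros]
        hows += ['via <' + n + '>' for n in TABLE_REF_RE.findall(rule) if n in matching_tables]
        if hows:
            hits.append((lineno, ', '.join(hows), rule))
    return hits


if __name__ == "__main__":
    for query in ("10.0.10.5", "203.0.113.9", "192.0.2.11"):
        print(query)
        for lineno, how, rule in find_references(SAMPLE_PF_CONF, query):
            print(f"  line {lineno:3d} [{how}] {rule}")
```

Running it against the sample shows 10.0.10.5 reached by two rules, one through both the `<trusted>` table (via the `$mgmt_net` entry) and the `$admin_host` macro, which is exactly the indirect use that is easy to miss when editing by hand. Whatever tooling generates or splits the file, the check to run before `pfctl -f` is `pfctl -nf /etc/pf.conf` (parse only, do not load), and `pfctl -vnf` prints the ruleset with macros expanded so the effect of a macro or table change can be diffed against the previous output.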