Here is one script I have done; you must set up ssh key authentication between
root from fw1 to fw2 and fw1 to fw1, and must install bash.
I use my CARP + PFSYNC OpenBSD as my gateway+firewall+reverse apache proxy+dns
server. I have scripts for apache synchronization and for dns server
synchronization.
Best Regards,
----------------------------------------------------------------------
#!/usr/local/bin/bash
# Editpf.sh by Leonardo Rodrigues de Mello Copyright 2006
# [EMAIL PROTECTED]
# Licensed under the terms of GNU GPL version 2.
# FW1 is the master firewall,
# from whom firewall 02 synchronizes its configuration.
# Any edit or change must be done in FW1.
# Requires bash (process substitution) and root ssh key authentication
# from FW1 to FW2 and from FW1 to itself.

# Hostname of Firewall 01
FW1="fw1"
# Hostname of Firewall 02
FW2="fw2"
# Directory where the diff of every edit is archived
LOGDIR="/var/log/mudancas/2.0"
mkdir -p "$LOGDIR"

# Making backup of pf.conf
cp /etc/pf.conf /etc/pf.conf.orig

# Let's edit the pf.conf in the master firewall
echo "Editing pf.conf in $FW1"
sleep 1
vi /etc/pf.conf

# Get date to archive changes
date=$(date +%y-%m-%d-%H-%M)

# Checking if the syntax of the changes is ok.
# -n parses the file without loading it, so a broken ruleset is never
# activated on FW1 (a plain "pfctl -f" loads it as a side effect).
if pfctl -nf /etc/pf.conf
then
    echo "The syntax of the file appears to be ok"
    sleep 1
else
    echo "The syntax of the file appears to have errors"
    echo "Restoring old configuration file"
    cp /etc/pf.conf.orig /etc/pf.conf
    echo "Exiting with ERROR"
    exit 1
fi

# Checking differences between the two firewalls' configuration files
echo "Checking differences between pf.conf in $FW2 and $FW1"
sleep 1
diff -u <(ssh "root@$FW2" 'cat /etc/pf.conf') <(ssh "root@$FW1" 'cat /etc/pf.conf') \
    > "$LOGDIR/$date.pf.conf"
less "$LOGDIR/$date.pf.conf"

# Giving the user the chance to abort the changes
echo "Can I propagate the changes in pf.conf between the TWO FIREWALLS? (Y/N)"
read answer
if [ "$answer" = "Y" ] || [ "$answer" = "y" ]
then
    echo "Propagating the changes"
    sleep 1
    scp /etc/pf.conf "root@$FW2:/etc/pf.conf"
    echo "Checking if the changes were successfully done"
    sleep 1
    # The two copies must be identical and the ruleset must load on both hosts
    if diff -u <(ssh "root@$FW2" 'cat /etc/pf.conf') <(ssh "root@$FW1" 'cat /etc/pf.conf') \
        && pfctl -f /etc/pf.conf \
        && ssh "root@$FW2" 'pfctl -f /etc/pf.conf'
    then
        echo "Ruleset loaded"
        echo "Changes propagated"
        echo "Exiting gracefully from editpf.sh"
        exit 0
    else
        echo "Ruleset not loaded, check syntax or connection between firewalls"
        echo "Exiting dirty and quick from editpf.sh"
        exit 1
    fi
else
    echo "Changes ABORTED by user"
    echo "Recovering old configuration file"
    sleep 1
    mv /etc/pf.conf.orig /etc/pf.conf
    pfctl -f /etc/pf.conf
    echo "Exiting gracefully from editpf.sh"
    exit 0
fi
-----------------------------------------------------------------------
-----Original Message-----
From: [EMAIL PROTECTED] on behalf of C. L. Martinez
Sent: Tue 14/11/2006 13:37
To: [email protected]
Cc:
Subject: Script to sync pf rules for CARP fws
Hi all,
Does somebody know where I can find a good shell script to sync pf.conf rules
over several OpenBSD firewalls using CARP?
Many thanks.