Hi All, I have just moved our campus firewall over to PF (from TAMU's Drawbridge, if anyone is interested) and it is working just fine. I have been off this list for several months, but I have briefly checked the archives and could not find anything really relevant, so I am posting here.
First some background: We have around 10,000 machines on campus, most with static IP addresses, and we have a database in which we store various network- and host-based information, including firewalling requirements for individual systems. About 7000 of these are allowed out to the Net. The vast bulk of these have standard access, which allows full outbound access and no inbound. Around 300 systems offer various services to the Net and require inbound entries.

I build the pf.conf file directly from the database, and at the moment I put all 'standard' machines in a single table which is used by a single rule. Works brilliantly :)

To get the rest of the system going quickly, I simply built up a table (using Perl hashes) for each protocol/port/in|out combination and automatically generated the appropriate rules for them. This also works fine at the moment. There are some very small tables, in one case one with a single entry. Since the conf file is generated by a program, it is trivial to change it so that for tables with fewer than "n" entries I simply generate multiple rules. One observation (confirmed by pftop) is that most of the small tables only handle small numbers of packets. This might not always be the case (e.g. if someone installs a video server running on some strange port and starts streaming UDP packets...).

My question for the list is: what is a sensible value for "n"?

At the moment I am regenerating the whole pf.conf file whenever there are changes in the database; I then use ssh to copy the file to the firewall and use pfctl -f to load it. As soon as I have some time I plan to just load the deltas using pfctl (or a custom C program using the ioctls) to update just the tables and rules that have changed. This would be easier, although probably not by much, if everything was table based.
We are also looking at moving many of our 'standard' machines to dynamic tables, whereby they will have to log in to a 'service' which will open up their access through the firewall and inform our traffic meter which user is on the particular IP. This will pave the way for allowing increased usage of dynamic IP addresses. Rather like pfauth, but we will write a custom daemon to run on the firewall. Has anyone else done anything like this?

Cheers and thanks, Russell.

--
Russell Fulton                     /~\  The ASCII
Network Security Officer           \ /  Ribbon Campaign
The University of Auckland          X   Against HTML
New Zealand                        / \  Email!
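The post describes generating pf.conf from a host database, with one table per protocol/port/direction group and the option of expanding groups smaller than "n" into individual rules. The following is an added example, written for this page and not Russell's Perl generator: it uses a hypothetical in-memory inventory with constructed RFC 5737 addresses in place of the site database, an assumed `$ext_if` macro, and a threshold parameter so that the two output shapes (table plus one rule versus one rule per host) can be compared for any value of n.

```python
"""Generate pf.conf fragments from a host/service inventory.

Added example, not the poster's generator. The inventory below is constructed
sample data; a real deployment would read these rows from the site database.
Groups with at least N hosts are emitted as a table referenced by one rule,
smaller groups are expanded into one rule per host.
"""
from collections import defaultdict

# One inventory row: (ip, direction, proto, port). 'out' rows with proto 'any'
# are the standard full-outbound hosts; 'in' rows are services offered to the Net.
INVENTORY = [
    ("192.0.2.10", "out", "any", None),
    ("192.0.2.11", "out", "any", None),
    ("192.0.2.12", "out", "any", None),
    ("192.0.2.13", "out", "any", None),
    ("192.0.2.20", "in", "tcp", 80),
    ("192.0.2.21", "in", "tcp", 80),
    ("192.0.2.22", "in", "tcp", 80),
    ("192.0.2.30", "in", "udp", 53),
]

EXT_IF = "$ext_if"  # assumed: macro defined earlier in the real pf.conf


def group_hosts(inventory):
    """Bucket hosts by (direction, proto, port), mirroring one table per combination."""
    groups = defaultdict(list)
    for ip, direction, proto, port in inventory:
        groups[(direction, proto, port)].append(ip)
    return groups


def table_name(direction, proto, port):
    return f"{direction}_{proto}_{port if port is not None else 'any'}"


def rule_for(direction, proto, port, target):
    """Render one pass rule; target is a '<table>' reference or a single host."""
    proto_clause = "" if proto == "any" else f" proto {proto}"
    if direction == "out":
        dst = "any" if port is None else f"any port {port}"
        return f"pass out quick on {EXT_IF}{proto_clause} from {target} to {dst} keep state"
    dst = target if port is None else f"{target} port {port}"
    return f"pass in quick on {EXT_IF}{proto_clause} from any to {dst} keep state"


def generate(inventory, n):
    """Return (table definitions, rules) for threshold n.

    A group with >= n hosts becomes a table and a single rule that references
    it; a smaller group is expanded to one rule per host.  Tables are not
    declared 'const' so that they can later be updated in place with pfctl -t.
    """
    tables, rules = [], []
    ordered = sorted(group_hosts(inventory).items(),
                     key=lambda kv: (kv[0][0], kv[0][1], kv[0][2] or 0))
    for (direction, proto, port), hosts in ordered:
        if len(hosts) >= n:
            name = table_name(direction, proto, port)
            tables.append(f"table <{name}> {{ {', '.join(sorted(hosts))} }}")
            rules.append(rule_for(direction, proto, port, f"<{name}>"))
        else:
            for host in sorted(hosts):
                rules.append(rule_for(direction, proto, port, host))
    return tables, rules


def render(inventory, n):
    """Full pf.conf fragment: table definitions first, then the rules."""
    tables, rules = generate(inventory, n)
    return "\n".join(tables + [""] + rules) + "\n"


if __name__ == "__main__":
    for n in (1, 3, 5):
        tables, rules = generate(INVENTORY, n)
        print(f"# n={n}: {len(tables)} tables, {len(rules)} rules")
        print(render(INVENTORY, n))
```

Running it with several values of n shows the trade-off directly: as n rises the table count falls and the rule count grows, which is the quantity the poster is asking the list to help bound. Note that with n=1 every group becomes a table, the shape that makes later delta updates with pfctl -t uniform.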