Hi All,
       I have just moved our Campus firewall over to PF (from TAMU's
drawbridge if anyone is interested) and it is working just fine.  I have
been off this list for several months; I have briefly checked the
archives but could not find anything really relevant, so I am posting
here.

First some background:

We have around 10,000 machines on campus, most with static IP addresses.
We have a database in which we store various network and host based
information, including firewalling requirements for individual systems.

About 7000 of these are allowed out to the Net. The vast bulk of these
have standard access, which allows full outbound access and no inbound.
Around 300 systems offer various services to the net and require inbound
entries.

I build the pf.conf file directly from the database and at the moment I
put all 'standard' machines in a single table which is used by a single
rule.  Works brilliantly :)

To get the rest of the system going quickly I simply built up a table
(using perl hashes) for each protocol/port/in|out combination and
automatically generated the appropriate rules for them.  This also works
fine at the moment.

There are some very small tables, in one case one with a single entry.
Since the conf file is generated by a program it is trivial to change it
so that for tables with fewer than "n" entries I simply generate multiple
rules.

One observation (confirmed by pftop) is that most of the small tables
only handle small numbers of packets.  This might not always be the case
(e.g. if someone installs a video server running on some strange port and
starts streaming udp packets...)

My question for the list is what is a sensible value for "n"?

At the moment I am regenerating the whole pf.conf file whenever there are
changes in the database; I then use ssh to copy the file to the firewall
and use pfctl -f to load it.  As soon as I have some time I plan to just
load the deltas using pfctl (or a custom C program using the ioctls) to
update just the tables and rules that have changed.  This would be
easier, although probably not by much, if everything was table based.

We are also looking at moving many of our 'standard' machines to dynamic
tables, whereby they will have to log in to a 'service' which will open up
their access through the firewall and inform our traffic meter which
user is on the particular IP; this will pave the way for allowing
increased usage of dynamic IP addresses.  Rather like pfauth, but we will
write a custom daemon to run on the firewall.

Has anyone else done anything like this?

Cheers and thanks, Russell.

-- 
Russell Fulton                                    /~\  The ASCII
Network Security Officer                          \ /  Ribbon Campaign
The University of Auckland                         X   Against HTML
New Zealand                                       / \  Email!
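The generator described in the post, as an added example that is not Russell's Perl code or anything from the pf project: it groups hosts from a (constructed) database export by protocol/port/direction, emits a `table` plus one rule for groups of at least `n` members and plain per-host rules for smaller groups, and computes the `pfctl -t ... -T add/delete` commands needed to load a membership delta instead of reloading the whole file. The interface macro `ext_if`, the table naming scheme, the threshold `N` and the sample addresses are all assumptions made here for illustration.

```python
"""pf.conf generation from host records, plus pfctl table-delta commands.

Added example, not the original poster's generator. The HOSTS list is a
constructed stand-in for the database export; EXT_IF, N and the table
naming scheme are assumptions for illustration.
"""
from collections import defaultdict

EXT_IF = "ext_if"   # assumed macro name for the outside interface
N = 3               # groups with fewer than N members get per-host rules, not a table

# Constructed sample records: (ip, access_class, services).
# services are (proto, port, direction) triples beyond the standard policy;
# direction "in" = net -> host, "out" = host -> net.
HOSTS = [
    ("130.216.1.10", "standard", []),
    ("130.216.1.11", "standard", []),
    ("130.216.1.12", "standard", []),
    ("130.216.2.20", "server", [("tcp", 80, "in"), ("tcp", 443, "in")]),
    ("130.216.2.21", "server", [("tcp", 80, "in"), ("tcp", 25, "out")]),
    ("130.216.2.22", "server", [("tcp", 80, "in")]),
    ("130.216.3.30", "server", [("udp", 1234, "out")]),
    ("130.216.4.40", "none", []),   # no net access at all: nothing emitted
]


def table_name(proto, port, direction):
    """Assumed naming scheme: e.g. in_tcp_80."""
    return f"{direction}_{proto}_{port}"


def group_hosts(hosts):
    """Return (standard_ips, {(proto, port, direction): [ips]})."""
    standard = []
    groups = defaultdict(list)
    for ip, access, services in hosts:
        if access == "standard":
            standard.append(ip)
        for proto, port, direction in services:
            groups[(proto, port, direction)].append(ip)
    return standard, dict(groups)


def rule_for(proto, port, direction, target):
    """One pass rule; target is a bare IP or a <table> reference."""
    if direction == "in":
        return (f"pass in quick on ${EXT_IF} proto {proto} from any "
                f"to {target} port {port} keep state")
    return (f"pass out quick on ${EXT_IF} proto {proto} from {target} "
            f"to any port {port} keep state")


def generate(hosts, n=N):
    """Return (pf.conf text, {table_name: sorted member ips})."""
    standard, groups = group_hosts(hosts)
    tables = {"standard": sorted(standard)}
    lines = [f'{EXT_IF} = "em0"', "block all"]
    # The bulk 'standard' policy: one table, one rule (as in the post).
    lines.append("table <standard> persist { " + ", ".join(tables["standard"]) + " }")
    lines.append(f"pass out quick on ${EXT_IF} from <standard> to any keep state")
    for (proto, port, direction), ips in sorted(groups.items()):
        ips = sorted(ips)
        if len(ips) >= n:
            name = table_name(proto, port, direction)
            tables[name] = ips
            lines.append(f"table <{name}> persist {{ {', '.join(ips)} }}")
            lines.append(rule_for(proto, port, direction, f"<{name}>"))
        else:
            for ip in ips:   # small group: plain rules, no table
                lines.append(rule_for(proto, port, direction, ip))
    return "\n".join(lines) + "\n", tables


def table_delta(old, new, name):
    """pfctl commands that move table `name` from membership `old` to `new`."""
    cmds = []
    for ip in sorted(set(new) - set(old)):
        cmds.append(f"pfctl -t {name} -T add {ip}")
    for ip in sorted(set(old) - set(new)):
        cmds.append(f"pfctl -t {name} -T delete {ip}")
    return cmds


if __name__ == "__main__":
    conf, tables = generate(HOSTS)
    print(conf)
    # Simulate a database change: one standard host removed, one added.
    new_standard = tables["standard"][1:] + ["130.216.1.13"]
    print("\n".join(table_delta(tables["standard"], new_standard, "standard")))
```

Two caveats worth keeping in mind with this split. Only tables can be patched in place: `pfctl -t name -T add/delete` (or `-T replace -f file` to swap the whole membership) updates a `persist` table without touching the ruleset, whereas a change to any host that fell below the threshold and became a plain rule still requires a full `pfctl -f` reload. That is why a low `n` makes the delta path simpler, at the cost of more tables. The rule syntax above is the `keep state` form of older pf; adjust to the pf version actually running.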