nanog mailing list archives

Re: Firewalls - Ease of Use and Maintenance?


From: Richard Kulawiec <rsk () gsp org>
Date: Thu, 10 Nov 2011 12:50:59 -0500

On Thu, Nov 10, 2011 at 08:30:46AM -0800, Jonathan Lassoff wrote:
As I said, it's not a pf problem.  Commercial firewalls will do all this
sort of thing off the shelf.  It's a pain to have to write scripts to do
this manually.

Agreed. This is rather a pain to have to do manually each time (either
scp'ing or scripting). It's unfortunate that there's not a
conventional script or mechanism for doing this.

I don't see why this is a problem.   I've been using tools like make, RCS
(or CVS or subversion), perl, and rsync to maintain all kinds of unified
and diverse configurations on small and large numbers of systems for many
years.  It's simple, it's scalable, it's easy to write, it's portable,
it's robust (provided you pay attention to command exit codes), and it
allows easy integration between disparate configuration files.  (As an
example of that last: I can cause changes in pf.conf to be synchronized
with appropriately-matching changes in sendmail.cf or named.conf.  Use of
"make"  ensures that they're kept in a consistent state.  Of course, if I
make a mistake, they're consistently wrong: but that's highly desirable.)

Yes, you have to understand the interrelationships between all these
moving parts to write the scripts/makefiles; but that's a good thing.
And the payoff is that you get FAR more flexibility than any commercial
product.  And it's free (modulo your time investment...and you'd be
investing time anyway, trying to make some vendor's setup do what you want).

---rsk
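The "disparate configuration files kept consistent" approach rsk describes, as an added example that is not from the thread: one versioned host list drives both a pf table and a named zone fragment, exit codes are checked at every step, and nothing is staged for rsync unless the two agree. The host list, file names and the `<servers>` table name are constructed for illustration; in rsk's setup the `build_configs` step would be a make target.

```shell
#!/bin/sh
# Added example (not from the thread): one host list drives both a pf table
# and a named A-record fragment, so the two files cannot drift apart. Every
# step's exit code is checked; set -e aborts the build on the first failure.
set -eu

# Constructed sample input (hostname, IPv4); in practice a file under RCS/CVS.
HOSTS='www 192.0.2.10
mail 192.0.2.25
ns1 192.0.2.53'

# pf.conf fragment: a constant table holding every listed address.
gen_pf_table() {
    printf '%s\n' "$HOSTS" |
        awk 'BEGIN { printf "table <servers> const { " }
             { printf "%s%s", (NR > 1 ? ", " : ""), $2 }
             END { print " }" }'
}

# named zone fragment: one A record per listed host.
gen_zone_records() {
    printf '%s\n' "$HOSTS" | awk '{ printf "%-8s IN A %s\n", $1, $2 }'
}

# Cross-check: the set of addresses in the pf table must equal the set of
# A-record targets. Returns 0 when consistent, non-zero otherwise.
check_consistent() {
    pf_addrs=$(gen_pf_table | tr -d '{},' |
        awk '{ for (i = 4; i <= NF; i++) print $i }' | sort)
    zone_addrs=$(gen_zone_records | awk '{ print $4 }' | sort)
    [ "$pf_addrs" = "$zone_addrs" ]
}

# Write both fragments into DIR only if they agree; a failed check leaves
# nothing behind for the rsync step to pick up. Usage: build_configs STAGEDIR
build_configs() {
    dir=$1
    check_consistent || { echo 'pf/zone mismatch, refusing to build' >&2; return 1; }
    gen_pf_table > "$dir/pf.conf.frag"
    gen_zone_records > "$dir/servers.zone.frag"
}
```

Running `build_configs` against a staging directory and then rsyncing that directory is the whole deploy; a change to the host list regenerates both fragments together, which is the consistency property the post is after.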
