Abusing pf and cpp for fun and profit (revisited)

Well, this second version doesn't add much to the first one, but it's worth an update. First, the directive is now called "include" rather than "#include", and the chevrons are gone. Then, install pfctl.cpp in /sbin (root-owned, chmod 755, since rc.d/pf runs it as root at boot) and set pf_program="/sbin/pfctl.cpp" in /etc/rc.conf, so the rc script calls the wrapper instead of /sbin/pfctl whenever it loads, checks or reloads the ruleset.

This is particularly useful when each server runs a different subset of services. You can ship one common package that installs every sub-ruleset in /etc/pf.conf.d/ and select only the ones a given host needs. Imagine you have srv1 with www/pop3 and srv2 with mysql/imap. Create /etc/pf.conf.d/ and populate it with some files (say rules.www, rules.pop3, rules.imap, rules.mysql). srv1's /etc/pf.conf will then contain something like:
# basic definitions
include rules.www
include rules.pop3
and srv2's /etc/pf.conf:
# basic definitions
include rules.mysql
include rules.imap
If you use comments in the /etc/pf.conf.d/ files, they have to be comments that cpp understands (i.e. /* ... */ rather than lines starting with '#', which cpp tries to parse as directives and rejects). Keep in mind that cpp also macro-expands any predefined name it meets (in GNU cpp's default mode, a bare "unix" in a rule silently becomes 1) and complains about unmatched quotes, so run the check target (pf_program -n -f /etc/pf.conf) after every edit rather than trusting that the preprocessed ruleset still says what you meant.
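Here is how such a wrapper can be put together, as an added example for this post: it is not the author's pfctl.cpp (which is not reproduced on this page) but a POSIX sh script written for this revision, and the function and variable names in it are mine. It assumes cpp(1) is on the PATH, that rc.d/pf hands the ruleset to pf_program with -f, and that the sub-rulesets live in /etc/pf.conf.d/. It deals with the comment problem described above by dropping pf-style '#' comment lines before cpp sees them (real cpp directives such as #define and #ifdef are kept), turns "include name" into a proper #include, and runs cpp with -P (no linemarkers), -undef (no predefined macros to expand by accident) and -nostdinc (includes resolve only against the sub-ruleset directory). A failed preprocessing run refuses to load anything, so a missing sub-ruleset cannot silently produce a shorter firewall policy.

```shell
#!/bin/sh
# pfctl.cpp -- added example wrapper (not the author's script): run pf.conf through
# cpp(1), then hand the result to the real pfctl.  Assumed layout: sub-rulesets in
# /etc/pf.conf.d/, pfctl in /sbin, rc.d/pf invoking "$pf_program ... -f /etc/pf.conf".
PF_INCLUDE_DIR="${PF_INCLUDE_DIR:-/etc/pf.conf.d}"
PFCTL="${PFCTL:-/sbin/pfctl}"

# Stage 1: make the ruleset digestible for cpp.
#  - pf-style "# comment" lines are dropped, because cpp rejects "# basic definitions"
#    as an invalid directive; genuine cpp directives (#define, #ifdef, ...) are kept;
#  - "include rules.www" (optionally quoted) becomes #include "rules.www".
rewrite_includes() {
    awk '
        /^[ \t]*#/ {
            d = $0
            sub(/^[ \t]*#[ \t]*/, "", d)
            sub(/[^A-Za-z].*$/, "", d)
            if (d !~ /^(define|undef|include|if|ifdef|ifndef|elif|else|endif)$/) next
        }
        $1 == "include" && NF == 2 {
            f = $2
            gsub(/"/, "", f)
            print "#include \"" f "\""
            next
        }
        { print }
    '
}

# Stage 2: run cpp over the rewritten ruleset.
#  -P        no "# 1 "file"" linemarkers, which pfctl would choke on
#  -undef    do not predefine unix/linux/..., which would otherwise expand to 1
#  -nostdinc resolve includes only against the sub-ruleset directory
# cpp exits non-zero on a missing include, so the pipeline fails closed.
preprocess_pfconf() {
    conf=$1; incdir=$2
    rewrite_includes < "$conf" | cpp -P -undef -nostdinc -I "$incdir" -
}

# Entry point when installed as /sbin/pfctl.cpp: swap "-f FILE" for a preprocessed
# copy and pass every other argument through to pfctl untouched.
main() {
    conf=""; n=$#
    while [ "$n" -gt 0 ]; do
        a=$1; shift; n=$((n - 1))
        if [ "$a" = "-f" ]; then
            conf=${1:?missing argument to -f}; shift; n=$((n - 1))
        else
            set -- "$@" "$a"
        fi
    done
    if [ -z "$conf" ]; then
        exec "$PFCTL" "$@"          # pfctl -e / -d / -s ...: nothing to preprocess
    fi
    tmp=$(mktemp "${TMPDIR:-/tmp}/pf.conf.XXXXXX") || exit 1
    trap 'rm -f "$tmp"' EXIT
    preprocess_pfconf "$conf" "$PF_INCLUDE_DIR" > "$tmp" || {
        echo "pfctl.cpp: preprocessing $conf failed, ruleset not loaded" >&2
        exit 1
    }
    "$PFCTL" "$@" -f "$tmp"
}

case "${0##*/}" in pfctl.cpp) main "$@" ;; esac
```

With this in place, pf_program="/sbin/pfctl.cpp" in /etc/rc.conf makes "service pf check" run the whole pipeline with -n, which is the place to catch a typo in a sub-ruleset before it reaches the kernel. One side effect to be aware of: pfctl's own error messages will name the temporary copy rather than /etc/pf.conf, so the line numbers refer to the expanded text.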

If you're using this trick, I'd be happy to hear from you. If you have a less hackish solution that does the same thing, I'd also be happy to read about it :-)
