Abusing pf and cpp for fun and profit (revisited) at Florent Thoumie

Abusing pf and cpp for fun and profit (revisited)

Published November 17th, 2006 in FreeBSD

Well this second version doesn’t add much to the first one but it’s worth an update. First the command is now called “include” rather than “#include”, and you don’t need the chevrons anymore. Just put pfctl.cpp in /sbin, chmod it 755 and set pf_program to /sbin/pfctl.cpp in /etc/rc.conf.

This is particularly useful when you have servers having each a different a subset of services. You can have a common package to install all sub-rulesets in /etc/pf.conf.d/ and select only the ones you need. Imagine you have srv1 with www/pop3 and srv2 with mysql/imap. Create a /etc/pf.conf.d/ and populate it with some files (say rules.www, rules.pop3, rules.imap, rules.mysql). Basically, you’ll have in srv1’s pf.conf something like:

# basic definitions
include rules.www
include rules.pop3

and in srv2’s /etc/pf.conf:

# basic definitions
include rules.mysql
include rules.imap

If you’re using comments in /etc/pf.conf.d/ files, you’ll have to use comments that cpp understands (ie. not starting with ‘#’).

If you’re using this trick, I’d be happy to hear about you. If you have a less hack-ish solution to do the same thing, I’d also be happy to read about it

Add to del.icio.us - Digg this article

No Responses to “Abusing pf and cpp for fun and profit (revisited)”

Feed for this Entry Trackback Address

No Comments

Florent Thoumie

Abusing pf and cpp for fun and profit (revisited)

No Responses to “Abusing pf and cpp for fun and profit (revisited)”

Leave a Reply

Search