Re: pf.conf and 'include' option



I've used ipfilter with m4 for YEARS.
Basically,
# Prefer the m4 template when present; otherwise load the plain ruleset.
if [ -f ipf.conf.m4 ]; then
    m4 ipf.conf.m4 | ipf -Fa -f -
elif [ -f /etc/ipf.conf ]; then
    ipf -Fa -f /etc/ipf.conf
fi

Basically, I can do INCLUDEs, I can also substitute
BADLAN with le0 and GOODLAN with hme0.

It's not like Unix has a lack of tools.  You could
also use cpp just as well.

Quoting Andrey Smagin (asmagin@rapidds.com):
> Hello.
> 
> Is there any way to use some kind of 'include' option in pf.conf to be able
> to construct the final ruleset from several small rulesets, each in a
> separate file? For example if I need to block several hundreds of Nimda
> infected hosts from any access to my server, I have to edit the main pf.conf
> file all the time - is it the only option?
> 
> May be it's possible to add new rules to already loaded ruleset instead of
> replacing it?
> Something like 'pfctl -Radd /etc/pf-blocked-hosts.conf'.
> 
> I read the PF How-to and all the man pages, but did not find anything like
> this. Did I miss something?
> 
> Thank you in advance!
> 
> --
> Andrey