Quick PF sync
Posted by Marius Voila on July 06, 2010 in London, U.K.

This is a small bash script for syncing PF rules and tables from one firewall to another (if changes are made to fw1, this script runs on fw2). The script requires ssh keys to be generated and configured for autologin. The script also saves backups of the old configs when replacing them.
Create the folders /root/pf and /root/pf/backup on fw2 and save this script as /root/pf/sync.sh. The script assumes that PF rules are in /etc/pf.conf and that tables are stored in /etc/tables (every file in this folder is synced).
#!/usr/local/bin/bash
# Runs on fw2: pulls pf.conf and /etc/tables from fw1 over ssh (key-based
# login required), compares them with the running copies and, if anything
# changed, backs up the running set before activating the new one.
PATH="/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin"
TIME=`date +"%Y%m%d%H%M"`
cd /root/pf/ || exit 1

# Only try to sync when fw1 answers a ping
ping -c1 fw1 > /dev/null 2>&1
if [ "$?" -eq "0" ]; then
    mkdir files
    scp fw1:/etc/pf.conf files/
    scp -r fw1:/etc/tables files/
    if [ -f files/pf.conf ]; then
        # Fingerprint the fetched set and the running set: one md5 over
        # the list of per-file md5s (glob order is the same on both sides)
        md5 -q files/pf.conf > md5_new.txt
        md5 -q files/tables/* >> md5_new.txt
        NEW=`md5 -q md5_new.txt`
        md5 -q /etc/pf.conf > md5_running.txt
        md5 -q /etc/tables/* >> md5_running.txt
        RUNNING=`md5 -q md5_running.txt`
        rm md5_new.txt md5_running.txt
        if [ "$NEW" != "$RUNNING" ]; then
            echo "$TIME Loading new PF" >> log.txt
            # Backing up old PF
            mkdir backup/$TIME
            cp /etc/pf.conf backup/$TIME/
            cp -R /etc/tables backup/$TIME/
            tar -zcf backup/$TIME.tar.gz backup/$TIME/*
            rm -rf backup/$TIME
            # Activating new PF
            mv files/pf.conf /etc/pf.conf
            rm /etc/tables/*
            mv files/tables/* /etc/tables/
            # Log it if pfctl rejects the new ruleset; the old one is in backup/
            if ! pfctl -f /etc/pf.conf; then
                echo "$TIME pfctl failed to load new PF, old copy is backup/$TIME.tar.gz" >> log.txt
            fi
        fi
    fi
    rm -rf files
else
    echo "$TIME FW1 is down, don't sync" >> log.txt
fi
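The change check above hashes only file contents. As an added example (not part of the original post), here is a portable version of that check in which file names are part of the fingerprint, so a table file that is renamed or added with unchanged contents is also detected; it assumes either BSD `md5` or GNU `md5sum` is installed, and the constructed paths in the comment are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post: fingerprint a PF rule set
# (pf.conf plus every file in a tables directory) so that a change in
# content, file name or file count is detected, then decide whether a
# reload is needed. Portable across md5 (BSD) and md5sum (Linux).

# Print the hex digest of stdin; prefers BSD md5, falls back to md5sum.
digest() {
    if command -v md5 >/dev/null 2>&1; then
        md5 -q
    else
        md5sum | cut -d' ' -f1
    fi
}

# pf_fingerprint CONF TABLESDIR -> one digest over "name digest" lines.
# Sorted with LC_ALL=C so both firewalls produce the same ordering.
pf_fingerprint() {
    conf=$1
    tables=$2
    {
        printf 'pf.conf '
        digest < "$conf"
        for f in "$tables"/*; do
            [ -f "$f" ] || continue      # skip the literal glob on an empty dir
            printf '%s ' "${f##*/}"
            digest < "$f"
        done
    } | LC_ALL=C sort | digest
}

# needs_reload NEWCONF NEWTABLES RUNCONF RUNTABLES -> exit 0 if they differ.
needs_reload() {
    [ "$(pf_fingerprint "$1" "$2")" != "$(pf_fingerprint "$3" "$4")" ]
}

# Usage on fw2 after the files have been fetched into files/ (hypothetical paths):
#   needs_reload files/pf.conf files/tables /etc/pf.conf /etc/tables && echo "reload needed"
```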