On Thu, Nov 10, 2011 at 08:30:46AM -0800, Jonathan Lassoff wrote:
As I said, it's not a pf problem. Commercial firewalls will do all this sort of thing off the shelf. It's a pain to have to write scripts to do this manually.
Agreed. This is rather a pain to have to do manually each time (either scp'ing or scripting). It's unfortunate that there's not a conventional script or mechanism for doing this.
I don't see why this is a problem. I've been using tools like make, RCS (or CVS or subversion), perl, and rsync to maintain all kinds of unified and diverse configurations on small and large numbers of systems for many years. It's simple, it's scalable, it's easy to write, it's portable, it's robust (provided you pay attention to command exit codes), and it allows easy integration between disparate configuration files.

(As an example of that last: I can cause changes in pf.conf to be synchronized with appropriately-matching changes in sendmail.cf or named.conf. Use of "make" ensures that they're kept in a consistent state. Of course, if I make a mistake, they're consistently wrong: but that's highly desirable.)

Yes, you have to understand the interrelationships between all these moving parts to write the scripts/makefiles; but that's a good thing. And the payoff is that you get FAR more flexibility than any commercial product. And it's free (modulo your time investment...and you'd be investing time anyway, trying to make some vendor's setup do what you want).

---rsk
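As an added illustration of the script-and-exit-code approach rsk describes (this is example code written for this page, not anything from the thread): a POSIX sh deploy step that parse-checks a pf.conf locally with `pfctl -nf`, pushes it with rsync, and only then loads it on each host, stopping at the first failing command so a broken rule set never replaces a working one. The `PFCTL`, `RSYNC` and `SSH` variables are an assumption added so the commands can be swapped for stubs when testing.

```shell
#!/bin/sh
# Validate a pf.conf locally, then copy it to each firewall and reload it
# there. Every external command's exit code is checked; the first failure
# aborts the run with a distinct return code.
set -u

# Commands are indirected through variables (an assumption of this example)
# so they can be replaced by stubs when exercising the script offline.
PFCTL=${PFCTL:-pfctl}
RSYNC=${RSYNC:-rsync}
SSH=${SSH:-ssh}

# check_pf_conf FILE
#   Parse-only check (-n) of a rule set; returns pfctl's own exit status.
check_pf_conf() {
    "$PFCTL" -nf "$1"
}

# deploy_pf_conf FILE HOST...
#   Returns 0 only if the local check, the copy and the remote load all
#   succeeded on every host. Return codes: 1 local parse error,
#   2 copy failed, 3 remote check or load failed.
deploy_pf_conf() {
    conf=$1
    shift
    check_pf_conf "$conf" || {
        echo "local syntax check failed for $conf" >&2
        return 1
    }
    for host in "$@"; do
        "$RSYNC" -a "$conf" "root@$host:/etc/pf.conf" || {
            echo "copy to $host failed" >&2
            return 2
        }
        # Re-check on the remote side (different pf version, different
        # interfaces/tables) before committing the new rule set.
        "$SSH" "root@$host" \
            "pfctl -nf /etc/pf.conf && pfctl -f /etc/pf.conf" || {
            echo "load on $host failed" >&2
            return 3
        }
    done
    return 0
}
```

Under make, a target such as `deploy: pf.conf` that calls `deploy_pf_conf` propagates these codes, so a failed push stops the rest of the build rather than leaving hosts half-updated.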