OpenBSD CARP PF rule synchronization

When we deploy more than one OpenBSD machine as a firewall in failover mode and want to add a rule, we have to add it to both. Likewise, when one of the system files is changed, the same change has to be made on the other firewalls as well, but OpenBSD PF has no built-in feature for this. So the job falls to us: after a short search we put together our own solution.

The solution is simple: use a setup that runs a command on several hosts at the same time. I had been using ssh-agent+tentakel for this, and the same setup works for this kind of system as well.


First we generate ssh keys for the hosts and establish trust between them; after that, all that remains is to run the script below to synchronize the rules.

#!/bin/sh
## IPs of the firewalls running in failover mode. /bin/sh on OpenBSD is ksh and
## understands arrays, but a plain word list works in any POSIX shell.
hosts="172.16.10.1 172.16.10.2"

## Do not push a ruleset that does not even parse on this box (-n parses without loading).
pfctl -nf pf.conf || exit 1

## Copy the ruleset to every firewall (key-based ssh as root, set up above).
for x in $hosts; do
    scp pf.conf root@$x:/etc/
done

## Load it on all of them at once.
tentakel -g my_firewalls "pfctl -f /etc/pf.conf"

We could also have run the commands with plain ssh instead of Tentakel. The benefit of Tentakel is that the commands run in parallel; had we used a script, the commands would run one after the other, so we could not speak of a true synchronization.

Another script I came across while researching the subject is a little more complex, but offers a more controlled setup.


#!/usr/local/bin/bash
# Editpf.sh by Leonardo Rodrigues de Mello Copyright 2006
# llmello.eu.org
# Licensed under the terms of GNU GPL version 2.

# FW1 is the master firewall,
# from which firewall 02 synchronizes its configuration.
# Any edit or change must be done on FW1

#Hostname of Firewall 01,
FW1="fw1"
#Hostname of Firewall 02
FW2="fw2"

#Making backup of pf.conf
cp /etc/pf.conf /etc/pf.conf.orig

#Let's edit the pf.conf on the master firewall
echo "Editing pf.conf on $FW1"
sleep 1
vi /etc/pf.conf

#Get date to archive changes
date=$(date +%y-%m-%d-%H-%M)

#Checking that the syntax of the changes is ok (-n parses the file without loading it)
if pfctl -nf /etc/pf.conf
then
    echo "The syntax of the file appears to be ok"
    sleep 1
else
    echo "The syntax of the file appears to have an error"
    echo "Restoring old configuration file"
    cp /etc/pf.conf.orig /etc/pf.conf
    echo "exiting with ERROR"
    exit 1
fi

#Checking differences between the two firewalls' configuration files
echo "Checking differences between pf.conf on $FW2 and $FW1"
sleep 1
mkdir -p /var/log/mudancas/2.0
diff -u <(ssh root@$FW2 'cat /etc/pf.conf') <(ssh root@$FW1 'cat /etc/pf.conf') > /var/log/mudancas/2.0/$date.pf.conf
less /var/log/mudancas/2.0/$date.pf.conf

#Giving the user the chance to abort the changes
echo "Can I propagate the changes in pf.conf between the TWO FIREWALLS? (Y/N)"
read answer

if [ "$answer" = "Y" ] || [ "$answer" = "y" ]
then
    echo "Propagating the changes"
    sleep 1
    scp /etc/pf.conf root@$FW2:/etc/pf.conf
    echo "Checking if the changes were successfully done"
    sleep 1
    if diff -u <(ssh root@$FW2 'cat /etc/pf.conf') <(ssh root@$FW1 'cat /etc/pf.conf') \
       && pfctl -f /etc/pf.conf && ssh root@$FW2 'pfctl -f /etc/pf.conf'
    then
        echo "Ruleset loaded"
        echo "Changes propagated"
        echo "Exiting gracefully from editpf.sh"
        exit 0
    else
        echo "Ruleset not loaded, check syntax or connection between firewalls"
        echo "Exiting dirty and quick from editpf.sh"
        exit 1
    fi
else
    echo "Changes ABORTED by user"
    echo "Recovering old configuration file"
    sleep 1
    mv /etc/pf.conf.orig /etc/pf.conf
    pfctl -f /etc/pf.conf
    echo "Exiting gracefully from editpf.sh"
    exit 0
fi
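Both scripts above copy the file first and only find out afterwards whether it loads, and the first one reloads every firewall at the same moment, so a single typo takes both CARP members down together. The script below is an added example written for this page (it is neither the post's own script nor Leonardo's editpf.sh) that separates the two steps: every peer is staged and has to accept the candidate ruleset with its own pfctl -n before any peer replaces its live rules, the copy is checksum-verified with POSIX cksum, and a peer whose live load fails is rolled back to its previous ruleset. It assumes key-based ssh as root (the trust the post sets up earlier), takes the peer address from the post's example, and the staging and backup file names are my own choice; the remote() and push() hooks and the PFCTL variable are there so the flow can be exercised without real peers.

```shell
#!/bin/sh
# pf-sync.sh: push the CARP master's pf.conf to its peers, validating everywhere
# before committing anywhere. Example script for this page; paths are assumptions.
set -u

PEERS="${PEERS:-172.16.10.2}"          # space-separated peers (address from the post's example)
RULESET="${RULESET:-/etc/pf.conf}"
STAGE="${STAGE:-/etc/pf.conf.staged}"  # where the candidate ruleset lands on a peer (assumed name)
BACKUP="${BACKUP:-/etc/pf.conf.prev}"  # last known-good ruleset kept on a peer (assumed name)
PFCTL="${PFCTL:-pfctl}"                # overridable so the flow can be tested without pf

# Transport hooks ($1 = host). They are functions so a dry run or test can replace them.
remote() { ssh -o BatchMode=yes "root@$1" "$2"; }   # run a command on a peer, never prompt
push()   { scp -q "$2" "root@$1:$3"; }              # copy local file $2 to path $3 on a peer

# POSIX cksum exists on OpenBSD and Linux alike; only the CRC field is needed.
checksum() { cksum < "$1" | cut -d' ' -f1; }

# Phase 0: never push a ruleset the master itself would refuse to load.
validate_local() { "$PFCTL" -nf "$RULESET"; }

# Phase 1: stage on one peer, prove the bytes arrived intact, and let the peer's
# own pfctl parse the candidate without loading it.
stage_peer() {
    push "$1" "$RULESET" "$STAGE" || return 1
    want=$(checksum "$RULESET")
    got=$(remote "$1" "cksum < '$STAGE' | cut -d' ' -f1")
    [ "$want" = "$got" ] || { echo "$1: checksum mismatch after copy" >&2; return 1; }
    remote "$1" "'$PFCTL' -nf '$STAGE'"
}

# Phase 2: commit on one peer; if the live load fails, fall back to the previous ruleset.
commit_peer() {
    remote "$1" "cp '$RULESET' '$BACKUP' && mv '$STAGE' '$RULESET' && '$PFCTL' -f '$RULESET'" && return 0
    echo "$1: load failed, restoring previous ruleset" >&2
    remote "$1" "mv '$BACKUP' '$RULESET' && '$PFCTL' -f '$RULESET'"
    return 1
}

# Stage everywhere first, then commit everywhere, so one bad peer (unreachable,
# corrupted copy, or a ruleset its pfctl rejects) aborts the run before any
# firewall has changed its live rules. The master reloads last.
sync_all() {
    validate_local || { echo "local ruleset rejected by pfctl -n" >&2; return 1; }
    for h in $PEERS; do stage_peer "$h" || return 1; done
    for h in $PEERS; do commit_peer "$h" || return 1; done
    "$PFCTL" -f "$RULESET"
}

# Only act when invoked as "pf-sync.sh run"; otherwise just define the functions.
case "${1:-}" in
    run) sync_all ;;
esac
```

Run it on the master as `sh pf-sync.sh run` after editing /etc/pf.conf there; set PEERS to all other CARP members. The two-phase order is the point: the first script's tentakel reload is fast, but speed is only a virtue once every member has already agreed the ruleset parses.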
