
Re: PF and a feature I requested weeks ago



van Helsing wrote:
> PFSYNC is a useful feature of PF but it has one big disadvantage:
> I need a direct cable connection to the other PC.
> 
> The only way to sync all FWs in my VPN is that I have a script which
> notices when the pf.conf has changed (e.g. because of SNORT) and which logs in
> to all the other servers/FWs, replaces the pf.conf and reboots the FW.
> 
> Is there any solution which allows PFSYNC to send the sync packets
> through an encrypted connection (SSH/SSL?) to other systems?
> I think such a solution is easy to include because there could be a
> host authentication with the SSH keys.
> 
> Because Theo is working for OpenBSD and OpenSSH such a solution could
> maybe be easily integrated in the new release of OpenBSD.
> 
> Just a question because I don't know for now a system which enables me to
> do that easily.
> Because if I wanna block an IP I wanna block them net-wide at ALL computers.
> 
> vh
> 

I think pfsync is intended to synchronize pf states, not rulesets.

You may very well use rsync to sync /etc/pf.conf; it runs on top
of ssh so you won't expose rsync as a daemon to the network.

Or you may run pfctl inserting on a table/anchor from inetd on 127.0.0.1
and feed it through ssh tunnels from a central point. Maybe it is even
possible to filter on lo0 from other users than the one that created the
ssh tunnel.


Juan
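One way to do the second suggestion without inetd or a reboot: push a pf table of blocked addresses from a central host to each firewall over ssh, where the remote side runs `pfctl -t blocklist -T replace -f -` and reads the entries from stdin. This is an added example written for this thread, not code from the poster or from OpenBSD; it assumes key-based ssh access to each firewall, a table named `blocklist` declared with `persist` in the remote pf.conf, and that the ssh user may run pfctl (the `doas` prefix is an assumption; adjust to your privilege tool).

```python
"""Distribute a pf blocklist table to remote firewalls over ssh (constructed example)."""
import ipaddress
import subprocess
from typing import Dict, List


def parse_blocklist(text: str) -> List[str]:
    """Return unique, canonical IP/CIDR entries from raw list text.

    Blank lines and '#' comments are ignored. Any entry that is not an
    address or network raises ValueError, so a corrupt or tampered list
    is rejected before anything is pushed to a firewall.
    """
    seen = set()
    entries: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {line!r} is not an address or network") from exc
        # Host entries are written bare; networks keep their prefix length.
        entry = str(net.network_address) if net.prefixlen == net.max_prefixlen else str(net)
        if entry not in seen:
            seen.add(entry)
            entries.append(entry)
    return entries


def remote_command(host: str, table: str = "blocklist") -> List[str]:
    """ssh command that atomically replaces the table's contents from stdin.

    BatchMode prevents an interactive prompt from hanging an automated run.
    'doas' is an assumed privilege wrapper; the table name is assumed too.
    """
    return ["ssh", "-o", "BatchMode=yes", host,
            "doas", "pfctl", "-t", table, "-T", "replace", "-f", "-"]


def push(hosts: List[str], entries: List[str], table: str = "blocklist",
         dry_run: bool = False) -> Dict[str, int]:
    """Send the entry list to every host; return each host's exit status."""
    payload = "\n".join(entries) + "\n"
    results: Dict[str, int] = {}
    for host in hosts:
        if dry_run:  # validate and build commands without touching the network
            results[host] = 0
            continue
        proc = subprocess.run(remote_command(host, table), input=payload,
                              text=True, capture_output=True)
        results[host] = proc.returncode
    return results
```

Because `-T replace` swaps the table contents in place, the ruleset is never reloaded and the firewall never reboots; pinning the deploy key with a `command="..."` option in the remote `authorized_keys` restricts it to exactly this pfctl invocation.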