# Centralized database for firewall



## pralive (Oct 13, 2011)

Hi All,

Can anyone suggest an idea for a centralized database for firewall (pf, ipf, ipfw)? My requirement is: if we add one IP in the database for blocking, that IP should be blocked in all servers. Can anyone suggest an idea for this?


----------



## phoenix (Oct 13, 2011)

Are you running a packet filter on a central firewall box (preferred)?  Or are you running separate packet filters on each individual server?


----------



## pralive (Oct 13, 2011)

Hi,

Thanks for your reply. I am running separate firewalls on individual servers. That includes pf, ipf and ipfw. Is it possible to have a centralized system for the firewall, so that if we add one IP to block in the database (just a case) it should block in all servers? Manually adding each IP in all servers is quite difficult since I need to add IPs frequently. Could you please suggest an idea?

Thanks


----------



## wblock@ (Oct 13, 2011)

If they aren't even the same firewall, each will need scripts to add IP addresses to the shared database and query the database to update the local rules.  Adding a single firewall in front of all of them is easier.


----------



## pralive (Oct 13, 2011)

Thanks for your valuable reply.

That's a good one. Adding a single firewall in front of all requires a gateway, right? But my servers are individual servers. If I am migrating all servers to a single firewall like pf, ipf or ipfw, is there any way to fetch rules directly from the database?

Any reply is appreciated.

Thanks


----------



## SirDice (Oct 13, 2011)

pralive said:

> If I am migrating all servers to a single firewall like pf, ipf or ipfw, is there any way to fetch rules directly from the database?


No, that's not possible. You would have to script something yourself.


----------



## CoTones (Oct 13, 2011)

Wild guess - Puppet?

http://projects.puppetlabs.com/projects/puppet/wiki/About_Puppet


----------



## pralive (Oct 13, 2011)

Thanks to all for giving suggestions and helping me. Can Puppet really do this?


----------



## CoTones (Oct 13, 2011)

Sorry, don't know.


----------



## mix_room (Oct 18, 2011)

Puppet would let you distribute the same config file to all servers.

If you require a solution which dynamically adds IPs to some form of blacklist, you would then have to update this config file from each of the hosts. It should not be impossible, but I do not believe it is the best solution.

I would go with the firewall-in-front solution.

EDIT: you might be able to create a bastard son of CARP and pfsync to achieve something like this.


----------



## geodni (Oct 22, 2011)

Also have a look at PFS here, a dump/restore tool for PF. You will just have to use a simple script to automatically distribute your modifications:

1. validate the new rule
2. make the rules modification you want in PF
3. test that the new rules work
4. dump the rules
5. send the dump to all other firewalls
6. make the other firewalls load the new rules, replacing the old ones

But take care of this: any mistake will be immediately distributed to all firewalls!


----------



## ecazamir (Oct 24, 2011)

This can be done with /sbin/pf and net/rsync.

1. Create a template layout, use PF with tables loaded from files.

A very short example, /etc/pf.conf:

```
# $int_if was undefined in the original snippet; "em0" is a placeholder for
# the internal interface of your host
int_if = "em0"

table <me> { self }
# the files in /etc/pf/global will be synchronized by rsync
table <system_admins> file "/etc/pf/global/system_admins" persist
table <squid_clients> file "/etc/pf/local/squid_clients" persist
table <blacklist> file "/etc/pf/global/blacklist" persist

# ... (other macros and rules omitted)
block in log all
block in quick inet from <blacklist> to any
block out quick inet from any to <blacklist>
pass in inet proto tcp from <system_admins> to <me>
pass in on $int_if inet proto tcp from <squid_clients> to <me> port = 3128 keep state
```

2. Create a repository containing the 'master copy' of the files used for pf's tables.

Sample filesystem hierarchy, /pf_master/global/:

./system_admins

```
10.0.0.1
10.0.0.2
```

./blacklist

```
192.0.2.1
192.0.2.2
```

3. Configure an rsync server on each machine which requires replication and enable a post-xfer exec command, such as:

```
post-xfer exec = /path/to/some/script/which/reloads/firewall
```
Sample rsync config, /usr/local/etc/rsyncd.conf

```
# ... global section trimmed
[firewall_cfg]
    path = /etc/pf
    comment = PF Configuration
    # only this rsync user (password kept in the secrets file) may push here
    auth users = pfsync
    secrets file = /usr/local/etc/rsyncd.secrets
    read only = false
    write only = false
    list = false
    transfer logging = true
    # files are written as root, so limit which hosts can reach this module
    uid = 0
    gid = 0
    # reload the ruleset, and with it the table files, after every transfer
    post-xfer exec = /etc/rc.d/pf reload
```

4. The script which is executed on the management station, after some changes on the master repository.
The complete file list is stored on /pf_master/file_list.txt:

```
global/system_admins
global/blacklist
global/some_other_file
```

The script:

```
#!/bin/sh
# Push the master copy of the table files to one firewall.
# TARGET_IP, TARGET_NAME and the password are placeholders to fill in.
TARGET_IP="10.x.x.1"
TARGET_NAME="target_name"
# password of the 'pfsync' rsync user, as listed in rsyncd.secrets on the target
export RSYNC_PASSWORD=some_rsync_password

LOG_FILE="/var/log/pf/sync_${TARGET_NAME}_${TARGET_IP}.log"
SRC_DIR="/pf_master"

#set -x

# Replica ACL out: copy only the files listed in file_list.txt, recursively,
# preserving mtimes, compressed, with fixed permissions instead of ownership.
/usr/local/bin/rsync -rtz --no-owner --chmod=Fug+rw,Fo-rx,Dug+rwx,Do-rx \
    --files-from="${SRC_DIR}/file_list.txt" \
    --log-file="${LOG_FILE}" --log-file-format="%o %f %l" \
    -4 "${SRC_DIR}" "rsync://pfsync@${TARGET_IP}/firewall_cfg"
```

Of course, this can be improved.
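As an added example (not code from ecazamir's post or from any project), a reload script that the post-xfer exec above could call: it validates the table file rsync just delivered, in the spirit of geodni's "validate the new rule" step, and only then replaces the live pf table, so a bad entry is reported instead of being loaded on every firewall. It assumes pfctl at /sbin/pfctl and the /etc/pf/global/blacklist layout used above.

```shell
#!/bin/sh
# Added example, not code from the thread: validate a pf table file such as
# /etc/pf/global/blacklist before loading it, so a typo pushed by rsync does
# not replace the live table. Assumes pfctl at /sbin/pfctl (override via PFCTL).
PFCTL="${PFCTL:-/sbin/pfctl}"

# Return 0 if ENTRY is an IPv4 address or IPv4 CIDR with a valid prefix length.
valid_ipv4_cidr() {
    addr="${1%%/*}"
    prefix="${1#*/}"
    [ "$prefix" = "$1" ] && prefix=32                 # no slash: host address
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    case "$addr" in ''|.*|*.|*..*|*[!0-9.]*) return 1 ;; esac   # digits, single dots
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs     # split into octets
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Return 0 if every non-blank, non-comment line of FILE is a valid entry;
# report each offending line on stderr and return 1 otherwise.
validate_table_file() {
    file="$1"; bad=0
    [ -r "$file" ] || { echo "unreadable: $file" >&2; return 1; }
    while IFS= read -r line || [ -n "$line" ]; do
        entry="$(printf '%s' "${line%%#*}" | tr -d ' \t')"   # drop comment, blanks
        [ -z "$entry" ] && continue
        if ! valid_ipv4_cidr "$entry"; then
            echo "invalid entry in $file: $line" >&2
            bad=1
        fi
    done < "$file"
    return "$bad"
}

# Replace the live table only when the file validates; on failure the previous
# table stays in place instead of being emptied or partially loaded.
reload_table() {
    name="$1"; file="$2"
    validate_table_file "$file" || return 1
    "$PFCTL" -t "$name" -T replace -f "$file"
}

if [ "${1:-}" = "run" ]; then                            # e.g. from post-xfer exec
    reload_table blacklist /etc/pf/global/blacklist
fi
```

Run it as `reload.sh run` from the rsyncd post-xfer exec; a non-zero exit leaves the old table loaded and the offending line in the rsync daemon's log.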


----------



## qsecofr (Nov 3, 2011)

I dunno why not.  Shouldn't be too terribly difficult to roll your own if need be.  I imagine level of difficulty differs with the firewall chosen.  IPFW appears to be shell script commands.  I use a simple text file for something similar.

```
# ... (rest of the rc.firewall script omitted)
ipfw="/sbin/ipfw"
# IPs I want to block, one address or CIDR per line
while read -r ip
do
        $ipfw -q table 2 add "$ip"
done < /path/rc.ipfw_blocked_ip.txt
# ...
```

Being shell, I don't see why you couldn't use perl to fetch from a RDBM if that level of complexity were needed.


----------

