This is a small bash script for syncing PF rules ant tables from one firewall to another (if changes are made to fw1, this script is running on fw2). The script requires ssh keys to be generated and configured for autologin. The script also saves backups of old configs when replacing them.
Create the folders /root/pf and /root/pf/backup on fw2 and save this script as /root/pf/sync.sh. The script assumes that PF rules are in /etc/pf.conf and that tables are stored in /etc/tables (every file in this folder is synced).
#!/usr/local/bin/bash PATH="/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin" TIME=`date +"%Y%m%d%H%M"` cd /root/pf/ ping -c1 fw1 > /dev/null 2>&1 if [ "$?" -eq "0" ]; then mkdir files scp fw1:/etc/pf.conf files/ scp -r fw1:/etc/tables files/ if [ -f files/pf.conf ]; then md5 -q files/pf.conf > md5_new.txt md5 -q files/tables/* >> md5_new.txt NEW=`md5 -q md5_new.txt` md5 -q /etc/pf.conf > md5_running.txt md5 -q /etc/tables/* >> md5_running.txt RUNNING=`md5 -q md5_running.txt` rm md5_new.txt rm md5_running.txt if [ "$NEW" != "$RUNNING" ]; then echo $TIME Loading new PF >> log.txt # Backing up old PF mkdir backup/$TIME cp /etc/pf.conf backup/$TIME/ cp -R /etc/tables backup/$TIME/ tar -zcf backup/$TIME.tar.gz backup/$TIME/* rm -rf backup/$TIME # Activating new PF mv files/pf.conf /etc/pf.conf rm /etc/tables/* mv files/tables/* /etc/tables/ pfctl -f /etc/pf.conf fi fi rm -rf files else echo $TIME FW1 is down, dont sync >> log.txt fi
