Pftab is a small standalone rc.d script for FreeBSD, written in sh, that manages pf anchors. It is inspired by fstab, but instead of mounting file systems it loads rule files into anchors //(°°3)//
Installation
Copy the script to /usr/local/etc/rc.d/pftab.
Configuration
Add anchors in /etc/pf.conf
Read the pf.conf man page.
Add files with rules
Create configuration files containing the rules to be loaded into each anchor. I put them in /etc/pf/.
Create /usr/local/etc/pftab
Syntax
The syntax of pftab is inspired by fstab: each line holds three whitespace-separated fields (rule file, anchor name, flags), and empty lines and lines starting with # are ignored (see the example below).
# this is a comment, just before an empty line

file1.conf anchor1 flags
#file2.conf anchor2 flags
Flags
- defaults or no flags: the rules are loaded at system startup, the anchor is flushed before its rules are loaded, and the script produces an error if something goes wrong (nonexistent file or syntax error).
- noauto: the anchor is not loaded at system startup.
- noflush: the anchor is never flushed (useful for ssh rules!).
- nofail: the script produces a warning instead of an error.
You can combine several flags by separating them with ',' (for example noauto,noflush).
Example
# File Anchor Flags
/etc/pf/ssh.conf ssh noflush
/etc/pf/ssh_remote.conf ssh_remote noauto,noflush
/etc/pf/rproxy.conf rproxy
/etc/pf/rproxy_remote.conf rproxy_remote
/etc/pf/rproxy_bypass.conf rproxy_bypass noauto
/etc/pf/nfs.conf nfs
/etc/pf/smtp.conf smtp
Enable pftab
Edit /etc/rc.conf and add the line:
pftab_enable="YES"
You can also set a suffix option: for example, pftab_suffix="_conf" maps the anchor named ssh in pftab to the anchor ssh_conf in pf.conf.
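As an added example (not the pftab script itself), the POSIX sh planner below reads a table in the syntax described above and prints the pfctl commands that the flags and the suffix option imply, without touching pf; the pfctl invocations it prints (-F rules to flush, -f to load) are assumptions about how an anchor is flushed and loaded, not taken from the project.

```shell
#!/bin/sh
# Added example, not the pftab project's own script: a dry-run planner that
# reads a pftab-style table on stdin and prints the pfctl commands the flags
# above imply, so a table can be checked before the service is enabled.
# Assumed pfctl usage: "pfctl -a ANCHOR -F rules" flushes an anchor's rules,
# "pfctl -a ANCHOR -f FILE" loads FILE into it. Syntax errors inside FILE are
# left to pfctl at load time; only a missing or unreadable file is caught here.

# has_flag "noauto,noflush" noflush  -> returns 0 if the flag is in the list
has_flag() {
    case ",$1," in *",$2,"*) return 0 ;; esac
    return 1
}

# pftab_plan MODE [SUFFIX] < TABLE
#   MODE "start" honours noauto (boot); MODE "load" loads every listed anchor.
#   SUFFIX mirrors the pftab_suffix rc.conf option (appended to anchor names).
# Prints one planned command or diagnostic per line; returns 1 if any anchor
# without the nofail flag cannot be loaded.
pftab_plan() {
    mode=$1; suffix=${2:-}; rc=0
    while read -r file anchor flags; do
        case "$file" in ''|'#'*) continue ;; esac    # blank or comment line
        case "$flags" in defaults) flags= ;; esac    # "defaults" == no flags
        if [ "$mode" = start ] && has_flag "$flags" noauto; then
            continue
        fi
        target="$anchor$suffix"
        if [ ! -r "$file" ]; then
            if has_flag "$flags" nofail; then
                echo "warning: $target: cannot read $file"
            else
                echo "error: $target: cannot read $file"; rc=1
            fi
            continue
        fi
        has_flag "$flags" noflush || echo "pfctl -a $target -F rules"
        echo "pfctl -a $target -f $file"
    done
    return $rc
}

# Constructed demo: one readable rule file, one missing file marked nofail.
pftab_demo() {
    tmp=$(mktemp -d); echo 'pass in proto tcp to port 22' > "$tmp/ssh.conf"
    printf '%s/ssh.conf ssh noflush\n%s/nfs.conf nfs nofail\n' "$tmp" "$tmp" |
        pftab_plan start; st=$?
    rm -r "$tmp"; return $st
}
```

Run it against the real table with `pftab_plan start "$pftab_suffix" < /usr/local/etc/pftab` to see what a boot would do, or with `load` to see what `service pftab load` would do for every listed anchor.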
Extra commands
service pftab load [anchor] [...]
Load the anchor(s) passed in as arguments.
service pftab flush [anchor] [...]
Flush the anchor(s) passed in as arguments.
Bonus
Pftab is started after unbound //(°°3)//