Using the Metro subversion repository for firewall rules

Explains how to export and use the repository on a firewall, as well as setting up client access using the command line SVN client. Chris will be adding TortoiseSVN instructions.

Purpose

Set up version tracking and logged centralized change management of OpenBSD pf rules.

Prerequisites

An OpenBSD firewall, root access to said firewall, and a computer to run an SVN client on.

Step by step

Exporting the 'firewallruleset' directory of the 'lawrlinux' repository

This is a clean, read-only copy of the current firewall ruleset, which we will link to /etc/fw and run pfctl against.

Log into the firewall and become root, then:

mkdir /svn
# --force is necessary to overwrite any existing files.
cd /svn ; svn export --force http://svn.metro.ucdavis.edu/lawrlinux/firewallruleset
# move our old fw directory out of the way and link in our new repository
mv /etc/fw /etc/fw.old
ln -s /svn/firewallruleset /etc/fw
# now run pfctl

This export we just created will not automatically receive changes.  To synchronize the firewall and the repository one must:

cd /svn ; svn export --force http://svn.metro.ucdavis.edu/lawrlinux/firewallruleset
# run pfctl

Ideally this should be automated with a cron script that runs something like this:

#!/bin/sh
FWURL="http://svn.metro.ucdavis.edu/lawrlinux/firewallruleset"
EMAIL="alerts@rt.lawr.ucdavis.edu"
# repository credentials (the svn options are --username/--password; anything
# passed on the command line is visible to other local users in ps output)
SVNUSER="someuser"
SVNPASS="somepass"

HOST=$(hostname)
cd /svn || exit 1
svn export --non-interactive --username "$SVNUSER" --password "$SVNPASS" --force "$FWURL"
# -n parses the ruleset without loading it; 2>&1 so pfctl's error text is captured too
PFCTLOUT=$(pfctl -vnf /etc/fw/pf.conf 2>&1)
if [ "$?" -ne 0 ]; then

mail -s "RULESET ERROR on $HOST" "$EMAIL" << EOF
An error has been detected in the firewall ruleset on $HOST. Error message is:
$PFCTLOUT
EOF

else
# the ruleset parsed: flush everything and load the new rules
pfctl -F all -f /etc/fw/pf.conf
fi
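The same export, check and load cycle as an added example (not the page's cron script), extended so the last pf.conf that loaded cleanly is kept and can be reloaded if a later revision breaks. The LASTGOOD path and the SVN/PFCTL/MAIL variables are assumptions introduced here so the commands can be substituted on a host without pf.

```shell
#!/bin/sh
# Added example (not the page's script). Assumed: the LASTGOOD path, and the
# SVN/PFCTL/MAIL variables, so the commands can be substituted on a host without pf.
FWURL="${FWURL:-http://svn.metro.ucdavis.edu/lawrlinux/firewallruleset}"
FWDIR="${FWDIR:-/svn/firewallruleset}"
LASTGOOD="${LASTGOOD:-/svn/pf.conf.lastgood}"
EMAIL="${EMAIL:-alerts@rt.lawr.ucdavis.edu}"
SVN="${SVN:-svn}"; PFCTL="${PFCTL:-pfctl}"; MAIL="${MAIL:-mail}"

# Re-export the ruleset from the repository into the parent of FWDIR.
fetch_ruleset() {
    ( cd "$(dirname "$FWDIR")" && "$SVN" export --non-interactive --force "$FWURL" )
}

# Parse a ruleset without loading it; stderr is merged so the diagnostics are captured.
check_ruleset() {
    "$PFCTL" -vnf "$1" 2>&1
}

# Load a ruleset only if it parses. Returns 0 on load, 1 if the check failed
# (running rules untouched), 2 if the load itself failed.
deploy_ruleset() {
    conf="$1"
    if ! out=$(check_ruleset "$conf"); then
        printf '%s\n' "$out"
        return 1
    fi
    "$PFCTL" -f "$conf" >/dev/null 2>&1 || return 2
    cp "$conf" "$LASTGOOD"
}

# Reload the last ruleset that loaded cleanly, if one has been saved.
rollback_ruleset() {
    [ -f "$LASTGOOD" ] && "$PFCTL" -f "$LASTGOOD"
}

# Cron entry point: fetch, deploy, and mail the diagnostics on any failure.
sync_ruleset() {
    host=$(hostname)
    if ! out=$(fetch_ruleset 2>&1 && deploy_ruleset "$FWDIR/pf.conf"); then
        printf 'Ruleset on %s was NOT loaded:\n%s\n' "$host" "$out" |
            "$MAIL" -s "RULESET ERROR on $host" "$EMAIL"
        return 1
    fi
}
```

Note that pfctl -f replaces the active rules without clearing state tables, whereas the cron script above uses -F all, which flushes states and NAT as well.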

Client configuration using the SVN command line client

To check out our SVN repository do the following:

mkdir ~/svn ; cd ~/svn
# to check out the entire lawrlinux repository:
svn co http://svn.metro.ucdavis.edu/lawrlinux/
# or, check out merely the firewall rulesets:
svn co http://svn.metro.ucdavis.edu/lawrlinux/firewallruleset

Ensuring your local copy has all of the changes on the server:

cd ~/svn ; svn update

Making a change to a file or files

cd firewallruleset
vi pf.conf # make some changes
vi www80 # make some more changes

# create a new file, then add it to the repository
vi <newfile>
svn add <newfile>

# move or rename a file
svn mv <oldname> <newname>

# delete a file
svn rm <filename>

# for more help svn has very good interactive help
svn help

# to get more information about a particular subcommand, type
svn help ci

Finally, checking in your changes

# check in your changes to the server (svn opens an editor for the log message;
# use -m "message" to supply it on the command line instead)
svn ci

Further information

http://subversion.apache.org/docs/
