I have been assigned the task of maintaining and configuring my organization's firewall and gateway routers, and I'm looking for some advice on how to manage the static route table.
(As context, please keep in mind that A) I'm a programmer, not a sysadmin, B) I'm very new to maintaining this piece of infrastructure, and C) I'm not interested in defending my company's decision to put me in charge of it; I'm not sure I agree, but it's the job I've got)
Here's the current setup, as far as I'm able to tell:
- An OpenBSD firewall that uses pf for firewall rules with a default of `block in log all`, `pass out`, and a set of rules that permit traffic between VLANs (I'm oversimplifying here, I'm sure, but that's the basics. Also, not the focus of my question.)
- Redirects from external IPs to internal hosts are accomplished using either `rdr pass` entries in pf.conf or static routes. When should I use one or the other?
- pf.conf and rc.local are managed in a VCS, and are pushed to the firewall by a remote script that does (essentially) this:

    scp confs/pf.conf fw:/etc/pf.conf
    scp confs/rc.local fw:/etc/rc.local
    ssh fw "/sbin/pfctl -f /etc/pf.conf"
This works fine for firewall rule changes; those are applied immediately, but the real trick is with static routes. They're set up in rc.local as a series of `route add` statements:
...
route add 192.0.32.136/32 192.0.32.11
route add 192.0.32.137/32 10.10.3.13
...
The problem here is that when I change the set of routes in VCS, I can't just re-run rc.local to refresh the routing table. I'd like to create a script that I can store in VCS that will both run on startup to set up the static routing, and be runnable whenever the routes change in order to set them up the same way every time. Is this possible? If so, how?
It's been a while since I've played with OpenBSD, but I believe the main difference between rdr and a static route is whether or not NATing is applied. Hosts with externally routable IPs can use either, but non-routable IPs would only work with rdr.
As far as the routes, would switching the commands to `route change` rather than `route add` work? That way rerunning the script would modify, rather than add, new routes.
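Here is an added example script that puts the question's requirement (one file in VCS that runs at boot and on demand, producing the same routing table each time) together with the `route change` idea from the answer. It is my code, not something either poster wrote. One caveat the answer glosses over: on OpenBSD `route change` fails when the destination is not already in the table, so it cannot replace `route add` outright; the script tries `add` first and falls back to `change` only when the destination already exists. It also keeps a small state file of what it installed last time so that routes deleted from the list are removed from the kernel, which a plain re-run of `route add`/`route change` lines could never do. The file locations (`/etc/static-routes`, `/var/db/static-routes.state`), the `sync` argument, and the `ROUTE` override variable are my assumptions, not anything from the original post.

```shell
#!/bin/sh
# static-routes.sh: idempotent static-route loader for an OpenBSD gateway.
# Added example, not from the original post. Call it from rc.local at boot
# ("/etc/static-routes.sh sync") and run the same command again whenever the
# route list changes; the kernel table ends up identical either way.
#
# Assumed layout (my choice, not the poster's):
#   /etc/static-routes           "destination gateway" lines, '#' comments allowed
#   /var/db/static-routes.state  what this script installed on its last run
set -eu

ROUTE=${ROUTE:-/sbin/route}                          # overridable, e.g. for testing
ROUTES_FILE=${ROUTES_FILE:-/etc/static-routes}
STATE_FILE=${STATE_FILE:-/var/db/static-routes.state}

# Normalise the route list to "dest gw" lines: strip comments and blanks,
# squeeze whitespace, and silently drop anything that is not exactly two fields.
wanted_routes() {
    sed -e 's/#.*//' "$1" | awk 'NF == 2 { print $1, $2 }'
}

# Install one route. `route add` fails ("File exists") when the destination is
# already in the table; only then does `route change` re-point it. Using
# `change` alone would fail on a brand-new destination ("not in table").
install_route() {
    "$ROUTE" -n add "$1" "$2" >/dev/null 2>&1 || "$ROUTE" -n change "$1" "$2" >/dev/null
}

# True if destination $1 appears in the "dest gw" file $2.
dest_listed() {
    awk -v d="$1" '$1 == d { found = 1 } END { exit !found }' "$2"
}

# Bring the kernel table in line with the list: add or update every wanted
# route, then delete destinations we installed last time that are gone now.
# Only destinations this script recorded are ever deleted, so routes the
# system installed itself (interface routes, default route) are left alone.
sync_routes() {
    routes_file=${1:-$ROUTES_FILE}
    state_file=${2:-$STATE_FILE}
    new_state=$(mktemp)
    wanted_routes "$routes_file" > "$new_state"

    while read -r dst gw; do
        install_route "$dst" "$gw"
    done < "$new_state"

    if [ -f "$state_file" ]; then
        while read -r dst gw; do
            dest_listed "$dst" "$new_state" || "$ROUTE" -n delete "$dst" >/dev/null 2>&1 || true
        done < "$state_file"
    fi

    mv "$new_state" "$state_file"
}

# Only act when explicitly asked, so sourcing the file for its functions is safe.
case ${1:-} in
    sync) sync_routes ;;
esac
```

Usage: put the script and `/etc/static-routes` under the same VCS as pf.conf, push both with the existing scp loop, replace the `route add` lines in rc.local with a single `/etc/static-routes.sh sync`, and run that same command over ssh after every push. Destination and gateway are passed to `route` as separate arguments and never evaluated by the shell, so a malformed line cannot turn into an arbitrary command, but the list still drives kernel routing, so keep it root-owned and not group- or world-writable. If you would rather stay with OpenBSD's native mechanism, `/etc/hostname.if` files also accept `!command` lines that netstart runs at boot, but they have the same non-idempotent re-run problem that this script is written to avoid.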