
How to manage a firewall script with minor tweaks for different machines?



I've recently set up nftables firewalls on the machines of my little home
network. I was a little optimistic and thought I could get by with a
simple one that only allows ssh and nfs in, i.e. two TCP ports and mDNS
with its slightly more complex rules.

But then... One machine has a radius server that needs UDP port 1812
open. And another is a print server with CUPS and SMB which apparently
need at least TCP ports 631 and 137 open.

How could I neatly incorporate these minor tweaks in a single nft
script? I was thinking of git branches where I can make changes to the
"main" firewall and merge those changes to the slightly tweaked
branches. Or possibly also some preprocessor type of thing that
generates three versions of the firewall script. Or just generate the
whole nft scripts with the small variants. Just wondering what other
people are doing with this sort of thing?

I also need some way of pushing these firewall scripts and other config
stuff over to the machines too. It's not a huge network but manually
logging into each machine, overwriting /etc/nftables.conf and restarting
nftables.service is a pain. cdist looks interesting and simple, does
anyone have experience with it?

