PF Macro names vs 'Firewall Object' names - feature request for more flexible naming

Many other enterprise class firewall and network security systems (such as Fortinet, Cisco, Juniper, CheckPoint, PaloAlto, etc.) allow the use of the period ("."), the hyphen ("-") and some even the commercial at ("@") symbol in the names of firewall objects such as Network or IP Address objects, Fully Qualified Domain Name objects, IP Address Range objects and Service objects.

It is common practise amongst network security professionals to include things such as hostnames, FQDNs, email addresses and IP or subnet addresses, or a combination of these separated by a period, hyphen or underscore, within the actual name of the object being created for use in a rule or policy.

It is my understanding that it is the 'MACRO' names in the pf.conf file that are the equivalent of the 'Object Name' on other aforementioned platforms.

It would be really, really useful to change the pf source code to enable periods ("."), hyphens ("-") and commercial at symbols ("@") to be used within the macro name (if that is what the Macro name essentially is), and for the maximum length to be at least 64 characters long.

Examples of firewall object names that are accepted by many other FW platforms, but not by PF:
  • my.domain.com
  • host-23_192.168.1.23
  • vlan77-10.8.77.0-26
One way to achieve this would be to implement UUIDs (per RFC4122) as an internal object identifier for each object which maps to the object name, the UUID being the thing referenced in the rule/policy 'under the hood'. This would allow much greater flexibility, but at the same time, be easy to manage and easy to automate with APIs etc.

For example, if:
  • host-23_192.168.1.23 --> de470d77-0082-4bb4-afce-fe15ef75b60b
  • host-37_192.168.2.37 --> a8e6d8ae-6ccf-4ddf-ab74-6c2c34d6e1a5
  • tcp-HTTPS_8083 --> bb9c82a7-e2cd-404d-94ff-cec058e81e6f
a compiled rule might read like:
pass out proto tcp from {de470d77-0082-4bb4-afce-fe15ef75b60b} to {a8e6d8ae-6ccf-4ddf-ab74-6c2c34d6e1a5} port {bb9c82a7-e2cd-404d-94ff-cec058e81e6f}

but in a Policy GUI, it might read like:
RuleIDFromToServiceDirectionAction
1host-23_192.168.1.23host-37_192.168.2.37tcp-HTTPS_8083OutPass
 
Back
Top