Many other enterprise class firewall and network security systems (such as Fortinet, Cisco, Juniper, CheckPoint, PaloAlto, etc.) allow the use of the period ("."), the hyphen ("-") and some even the commercial at ("@") symbol in the names of firewall objects such as Network or IP Address objects, Fully Qualified Domain Name objects, IP Address Range objects and Service objects.
It is common practise amongst network security professionals to include things such as hostnames, FQDNs, email addresses and IP or subnet addresses, or a combination of these separated by a period, hyphen or underscore, within the actual name of the object being created for use in a rule or policy.
It is my understanding that it is the 'MACRO' names in the pf.conf file that are the equivalent of the 'Object Name' on other aforementioned platforms.
It would be really, really useful to change the pf source code to enable periods ("."), hyphens ("-") and commercial at symbols ("@") to be used within the macro name (if that is what the Macro name essentially is), and for the maximum length to be at least 64 characters long.
Examples of firewall object names that are accepted by many other FW platforms, but not by PF:
For example, if:
pass out proto tcp from {de470d77-0082-4bb4-afce-fe15ef75b60b} to {a8e6d8ae-6ccf-4ddf-ab74-6c2c34d6e1a5} port {bb9c82a7-e2cd-404d-94ff-cec058e81e6f}
but in a Policy GUI, it might read like:
It is common practise amongst network security professionals to include things such as hostnames, FQDNs, email addresses and IP or subnet addresses, or a combination of these separated by a period, hyphen or underscore, within the actual name of the object being created for use in a rule or policy.
It is my understanding that it is the 'MACRO' names in the pf.conf file that are the equivalent of the 'Object Name' on other aforementioned platforms.
It would be really, really useful to change the pf source code to enable periods ("."), hyphens ("-") and commercial at symbols ("@") to be used within the macro name (if that is what the Macro name essentially is), and for the maximum length to be at least 64 characters long.
Examples of firewall object names that are accepted by many other FW platforms, but not by PF:
- my.domain.com
- host-23_192.168.1.23
- vlan77-10.8.77.0-26
For example, if:
- host-23_192.168.1.23 --> de470d77-0082-4bb4-afce-fe15ef75b60b
- host-37_192.168.2.37 --> a8e6d8ae-6ccf-4ddf-ab74-6c2c34d6e1a5
- tcp-HTTPS_8083 --> bb9c82a7-e2cd-404d-94ff-cec058e81e6f
pass out proto tcp from {de470d77-0082-4bb4-afce-fe15ef75b60b} to {a8e6d8ae-6ccf-4ddf-ab74-6c2c34d6e1a5} port {bb9c82a7-e2cd-404d-94ff-cec058e81e6f}
but in a Policy GUI, it might read like:
RuleID | From | To | Service | Direction | Action |
1 | host-23_192.168.1.23 | host-37_192.168.2.37 | tcp-HTTPS_8083 | Out | Pass |