Macros


Macros are variables you can define for use within PF rules. They help keep your rules more maintainable, readable, and manageable. A macro name must begin with a letter, but can contain letters, numbers, and underscores. Frequent uses of macros include interface names, network numbers, and host names.

For example, network interfaces are generally identified by the name of the network card driver the interface uses: fxp, xl, ne, and so on. If you change your network card, you would have to rewrite all the rules that use that network card. By using a macro, you can change the interface name in one place and have it propagate throughout your rules.

 External_if="fxp0" 

If the IP addresses behind your firewall were 209.69.69.0 through 209.69.69.255, you could define a macro for these addresses. If you added more addresses, you could just add them to the macro.

 Internal_ip="209.69.69.0/24" 

Similarly, you can define macros for each IP address on your firewall, in case you have to renumber your network. Also, when reading PF rules, it's much easier to read well-named macros than dozens and dozens of IP addresses. Is fxp0 the internal or external network card? You'd have to look it up, but "$External_if" is unambiguous.

When a rule needs the term represented by the macro, just use the macro instead. This makes it easy to change information consistently throughout your rules and greatly reduces the risk of typos.

 block in on $External_if from $Internal_ip 

Similarly, you could write macros for groups of machines. You can easily group machines by purpose and trivially give them the same rulesets.

 webservers="{209.69.69.8, 209.69.69.12, 209.69.69.87}" 

When you have a new web server, or one of your old web servers dies, just edit the macro appropriately to have your firewall rules apply to the correct machines. Similarly, we will keep repeating the port numbers 80 and 443 (the standard web ports) throughout our rules. Instead, you can just do this:

 webports = "{80, 443}" 

Macro names cannot contain any characters other than letters, numbers, and underscores, and they cannot consist entirely of a PF keyword such as "pass," "block," or "scrub." You could name a macro "nat1," but not "nat."

Combined with braces, macros can make your rules much simpler. Here, we write one rule to allow access to all appropriate ports on all of our web servers:

 pass in proto tcp from any to $webservers port $webports 

When you add a new web server, you just have to add its IP address to the list in the "webservers" macro. This trivial example doesn't do the concept justice, but once you have dozens of servers with many rules applying to them, you'll see the usefulness of macros.
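As an added example (not from the book), here is a small pf.conf fragment that ties the macros above together into a ruleset; fxp0, the 209.69.69.0/24 network, the server addresses and the port list are the page's own values, while the default-deny rule, the `quick` anti-spoofing block and the `all_ifs` macro are assumptions added here. One caveat worth knowing: PF does not expand macros inside quotes, so a macro built from other macros keeps the `$` references outside the quoted braces, as in pf.conf(5).

```pf
# pf.conf fragment (added example, not from the book).
# Macro names are case-sensitive: $External_if and $external_if are different.

# Interface and network macros: change fxp0 here and every rule follows.
External_if = "fxp0"
Internal_ip = "209.69.69.0/24"

# Groups of hosts and ports. A brace list makes PF generate one rule per
# combination of list members, so one written rule covers every server/port.
webservers = "{ 209.69.69.8, 209.69.69.12, 209.69.69.87 }"
webports   = "{ 80, 443 }"

# A macro built from another macro: $External_if sits outside the quotes,
# because PF leaves text inside quotes unexpanded.
all_ifs = "{" $External_if lo0 "}"

# Loopback traffic needs no filtering.
set skip on lo0

# Default deny on the external interface; log what is dropped so it is visible.
block in log on $External_if

# Packets arriving from the outside that claim an internal source address are
# spoofed. "quick" stops evaluation here so a later pass rule cannot admit them
# (PF otherwise applies the last matching rule).
block in quick on $External_if from $Internal_ip

# One rule admits web traffic to every web server on every web port.
pass in on $External_if proto tcp from any to $webservers port $webports

# Verify before loading, from the shell:
#   pfctl -nf /etc/pf.conf     parse only, do not load
#   pfctl -vnf /etc/pf.conf    also print the rules with macros and lists expanded
```

Reading the `pfctl -vnf` output is the quickest way to confirm that a renamed or misspelled macro expanded to what you intended.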




Absolute OpenBSD: Unix for the Practical Paranoid
ISBN: 1886411999
Year: 2005
Pages: 298
