sonertari / PFRE

Packet Filter Rule Editor for OpenBSD/pf
GNU General Public License v3.0
29 stars 7 forks

Idea: would it be difficult to run PFRE as a remote system? #2

Open bob-u opened 4 years ago

bob-u commented 4 years ago

If I did not want to have PHP, a web server, etc. running on the firewall itself, how difficult would it be to run the web portion of PFRE on a separate machine, and if so, which parts of PFRE would have to stay on the firewall itself?

sonertari commented 4 years ago

As described in the README file, PFRE uses a design similar to MVC and privsep (see the Features section of the README). The Model uses the pfctl utility to test rules. So the Model and the Controller should run on an OpenBSD system. The View can run somewhere else, because it is as dumb or thin as possible. In fact, the View can be developed using any programming language you like, and then it can communicate with the Controller over SSH. This is exactly what A4PFFW and W4PFFW are doing for PFFW and UTMFW. Actually, if you enable the UseSSH feature of the View, the same happens on the same machine for the PHP WUI too.

In summary, since the PHP View of PFRE is dumb and thin, I think it does not make sense to try to run it remotely, because the heavy work is done by the Controller and the Model anyway. Plus, they both should run on OpenBSD.

So, if you don't want to run such software on your firewall, I'd recommend that you install PFRE on a separate stand-alone system, develop your rules there, and then copy the pf.conf file generated by PFRE to your actual firewall.
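The workflow recommended in the last paragraph, as an added shell example that is not part of PFRE or of this thread: the rules are written on a stand-alone OpenBSD box, parse-checked there with `pfctl -n` (the same check PFRE's Model relies on), and only then copied to the firewall over SSH and loaded. It goes one step beyond the thread by repeating the parse check on the firewall itself and keeping a timestamped backup of the previous `/etc/pf.conf` so that a failed load can be reverted. Assumptions: `pfctl` exists on both machines, the firewall host name (`fw.example.internal` below) is hypothetical, and the SSH user may write `/etc/pf.conf` and run `pfctl` (root, or a doas-equivalent set up separately).

```shell
#!/bin/sh
# Added example, not PFRE's own code: push a pf.conf generated on a stand-alone
# OpenBSD system to the real firewall without ever loading an unchecked file.
# Assumed: pfctl on both sides; SSH user on the firewall may write REMOTE_PATH
# and run pfctl; host name used in the usage comment is hypothetical.

# deploy_pf_rules RULES_FILE FIREWALL_HOST [REMOTE_PATH]
# Returns 0 only if every step succeeded. The firewall is not touched at all
# unless the local parse check passes.
deploy_pf_rules() {
    rules="$1"
    host="$2"
    remote="${3:-/etc/pf.conf}"
    stamp=$(date +%Y%m%d%H%M%S)
    backup="$remote.bak.$stamp"

    if [ ! -r "$rules" ]; then
        echo "deploy_pf_rules: cannot read $rules" >&2
        return 1
    fi

    # 1. Parse-only check on the build box: -n parses the file and loads nothing.
    if ! pfctl -nf "$rules"; then
        echo "deploy_pf_rules: $rules failed the local syntax check; nothing deployed" >&2
        return 1
    fi

    # 2. Stage the file next to the live one rather than overwriting it directly.
    if ! scp -q "$rules" "$host:$remote.new"; then
        echo "deploy_pf_rules: copy to $host failed" >&2
        return 1
    fi

    # 3. Re-check on the firewall (interfaces, tables and anchors there may
    #    differ from the build box), back up the live file, swap, and load.
    remote_cmd="pfctl -nf $remote.new && cp $remote $backup && mv $remote.new $remote && pfctl -f $remote"
    if ! ssh "$host" "$remote_cmd"; then
        # Restore the previous, known-good ruleset if the backup was already made
        # (i.e. the failure happened at or after the swap).
        ssh "$host" "test -f $backup && mv $backup $remote && pfctl -f $remote" >/dev/null 2>&1
        echo "deploy_pf_rules: load on $host failed; previous ruleset kept" >&2
        return 1
    fi

    echo "deploy_pf_rules: $rules loaded on $host (backup: $backup)"
    return 0
}

# Run only when invoked as a script with arguments, e.g.
#   sh deploy_pf_rules.sh ./pf.conf fw.example.internal
if [ "$#" -ge 2 ]; then
    deploy_pf_rules "$@"
fi
```

The order matters for safety: the local `pfctl -n` pass stops typos before anything leaves the build box, the remote `pfctl -n` pass catches references that are only wrong on the firewall, and the backup plus restore path means a failed `pfctl -f` does not leave the firewall with whatever partial state a bad ruleset might have produced.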