On Wed, 19 Apr 2006, Joachim Schipper wrote:

On Tue, Apr 18, 2006 at 12:47:31AM +0200, xanadu wrote:
Hi,

I have to remote admin 54 OpenBSD firewalls.
What tools can help me for that (Monitoring, Updates or PF broadcasts,
getting firewalls logs, automate processes, ...), is there all in one ?

It's usually better to assemble something from the individual best
components. Some possible choices:
        - centralized syslog server(s) running syslog-ng, stock syslogd,
          or whatever syslogd best suits your needs, taking into account
          that the network being traversed is untrusted (i.e. some VPN
          solution makes sense);
        - automated log monitoring using, for instance, sec
          (sysutils/sec)[1] or one of the other packages (swatch,
          logsurfer, ...);
        - automated network monitoring using, for instance, nagios[2]
          (or mon, or ...);
        - some custom scripting to handle pflog, or just keep it on the
          host until needed - or just don't log it;
        - distributing configuration and binaries using rdist (in base,
          and works well, but uses a lot of bandwidth), rsync, or
          something all-in like cfengine; or a simple FTP server; most
          choices here allow you to run scripts;
        - remote login using sshd, possibly augmented using something
          that will run a command on N hosts;
        - something more exotic, like using a single AFS-mounted image
          for all of the firewalls, and telling the various syslogd
          processes to log to the proper place.

Additionally, cron and/or /etc/{daily,weekly,monthly}.local is your
friend. Some custom scripting will be desired; use a Bourne shell, Perl,
Python, or whatever suits you.

Take into account that any package you do not need to install is one
more package you don't have to depend on. Especially for a firewall,
the stock install is likely to be sufficient.

                Joachim

[1] Sec is very powerful, but the documentation is a little lacking in
examples and writing a good ruleset will take time. OTOH, it is more
flexible, more powerful, and writing a good ruleset always takes time. I
have some working configurations for you, should you decide to take this
route.
Whatever you choose, it is vitally important that you *do* see anything
you have not mentioned in the configuration file. Those tend to be the
most 'interesting'.
[2] Nagios is quite useful, and makes pretty pictures. Good for showing
people.
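As an added example (not code from the thread or any of its posters), here is the sort of "custom scripting to handle pflog" and sliding-window threshold rule one would otherwise express as a sec ruleset: it parses pflog-style lines as relayed to a central syslog host and flags a source that keeps getting blocked on one port within a short window. The line layout, host name and addresses are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: tcpdump-style pflog records as a central syslog server might stamp them (assumed layout).
SAMPLE_LINES = """\
2006-04-18 00:47:31 fw12 rule 5/(match) block in on em0: 203.0.113.5.40001 > 192.0.2.10.22: S
2006-04-18 00:47:32 fw12 rule 5/(match) block in on em0: 203.0.113.5.40002 > 192.0.2.10.22: S
2006-04-18 00:47:33 fw12 rule 2/(match) pass in on em0: 198.51.100.7.51000 > 192.0.2.10.443: S
2006-04-18 00:47:34 fw12 rule 5/(match) block in on em0: 203.0.113.5.40003 > 192.0.2.10.22: S
2006-04-18 00:47:35 fw12 rule 5/(match) block in on em0: 203.0.113.5.40004 > 192.0.2.10.22: S
2006-04-18 00:47:36 fw12 rule 5/(match) block in on em0: 203.0.113.5.40005 > 192.0.2.10.22: S
2006-04-18 00:49:40 fw12 rule 5/(match) block in on em0: 203.0.113.5.40006 > 192.0.2.10.22: S
this line is not a pflog record and must be skipped
""".splitlines()

PFLOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"rule (?P<rule>\d+)/\(match\) (?P<action>block|pass) (?P<dir>in|out) on (?P<ifname>\w+): "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > (?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)

def parse_pflog_line(line):
    """Return the fields of one pflog-style line, or None if the line does not match."""
    m = PFLOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    rec["rule"], rec["sport"], rec["dport"] = int(rec["rule"]), int(rec["sport"]), int(rec["dport"])
    return rec

def find_block_bursts(lines, threshold=5, window_seconds=60):
    """Alert once per (host, src, dport) when `threshold` blocks fall inside `window_seconds`."""
    recent = defaultdict(deque)     # key -> timestamps of blocks still inside the window
    alerts, alerted = [], set()
    for line in lines:
        rec = parse_pflog_line(line)
        if rec is None or rec["action"] != "block":
            continue                # skip non-records and passed traffic
        key = (rec["host"], rec["src"], rec["dport"])
        q = recent[key]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()             # expire timestamps that left the window
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)        # one alert per key, not one per further hit
            alerts.append((key, len(q), rec["ts"]))
    return alerts
```

Feeding the same function a file read line by line from the syslog server gives the per-firewall view the thread asks for; the last sample line shows that a hit arriving after the window has expired does not raise a second alert.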

I use this as well for distributed command execution and it works great.

http://tentakel.biskalar.de - "Tentakel"

                -Matt-
