Hi all,
thanks for all your input to my small question about how to keep the pf.conf
in sync!
I have to care for exactly one firewall cluster, so I would like to avoid
complex tools for this task. I will probably use rdist.
Have fun!
Regards
Christoph
Private Universität Witten/Herdecke gGmbH
On Sat, Aug 02 2014 at 09:01, Nick Holland wrote:
On 08/01/14 08:12, Claer wrote:
On Mon, Jul 28 2014 at 07:23, Nick Holland wrote:
...
I'll leave you to develop the script.
My design philosophy:
1) No additional hw, other than the two firewalls.
2) EITHER machine should be able to
I wrote a little script some time ago; it runs from crontab every 5 min
and does:
check and generate md5 of important files like hostname.if, pf include
files, etc.
All necessary modifications are monitored natively by OpenBSD, but there is
an OSSEC deployment under way as well.
ifstated is used to
On Fri, Aug 1, 2014 at 4:56 AM, R0me0 *** knight@gmail.com wrote:
I wrote a little script some time ago; it runs from crontab every 5 min
and does:
check and generate md5 of important files like hostname.if, pf include
files, etc.
doh!
this is done in daily/security
look at
Hello,
On Mon, Jul 28 2014 at 07:23, Nick Holland wrote:
On 07/28/14 07:50, Peus, Christoph wrote:
Hi all,
is there a standard or recommended way to keep the pf.conf on the CARP cluster
members in sync?
Thanks!
No one standard or recommended way, but lots of ideas, as
On 01-08-2014 09:07, sven falempin wrote:
doh!
this is done in daily/security
look at /etc/changelist
It's not md5, it's sha256. md5 should not be used anymore. But what
Romeo does is to run a script from cron every 5 minutes. Daily runs,
obviously, daily. It's not suited for the task at hand.
On Fri, Aug 1, 2014 at 8:22 AM, Giancarlo Razzolini
grazzol...@gmail.com wrote:
On 01-08-2014 09:07, sven falempin wrote:
doh!
this is done in daily/security
look at /etc/changelist
It's not md5, it's sha256. md5 should not be used anymore. But what
Romeo does is to run a script from cron
On 01-08-2014 09:32, sven falempin wrote:
Actually, if you don't put a +, it is a plain diff and a backup in /var;
security could be run more often (it is called from cron), and
because the script is present there is no need to write it again.
security(8) is called by daily(8). You could call
Configuration management tools, like Puppet, can quickly abstract
knowledge of a particular technology away from the user and isolate
understanding for said technology to a smaller group of people with
those skills. This is the nature of technology, though, is it not?
Abstractions built
Hi Giancarlo,
I would like to thank you for your background (:
Yes, the important files are included in changelist and it's sha256, but as
the firewall rules are modified all the time, the other nodes need to be
updated. That is why I run the script every 5 min and sync
using SCP.
* My
On 08/01/14 08:12, Claer wrote:
On Mon, Jul 28 2014 at 07:23, Nick Holland wrote:
...
I'll leave you to develop the script.
My design philosophy:
1) No additional hw, other than the two firewalls.
2) EITHER machine should be able to act as master.
3) EITHER machine should be able to
On Tue, Jul 29, 2014 at 02:41:36PM +0100, Andy wrote:
Puppet is definitely a sledgehammer approach, but if you have lots of
firewalls it's great.
Not to mention, you can use it for your other non-firewall systems as
well.
Another nice example of an appropriate application is that by using
On 31-07-2014 14:47, Zach Leslie wrote:
I'm a Puppet user for more than just firewall systems, which allows me
to take a given node, say another server, and insert its IP into a table
on the firewall, completely dynamically without having to statically set
the IPs in pf.conf. There are lots of
On Thu, Jul 31, 2014 at 05:54:48PM -0300, Giancarlo Razzolini wrote:
On 31-07-2014 14:47, Zach Leslie wrote:
I'm a Puppet user for more than just firewall systems, which allows me
to take a given node, say another server, and insert its IP into a table
on the firewall, completely
On 31-07-2014 19:47, Zach Leslie wrote:
Yes, and Puppet can exec those commands for you. Tools like fail2ban
can manage the local system's table, but can't (to my knowledge)
distribute the contents of that table to other systems in the
environment dynamically. PuppetDB gives you this and
On 29-07-2014 10:41, Andy wrote:
Puppet is definitely a sledgehammer approach, but if you have lots of
firewalls it's great.
We run around 13 or 14 pairs of OpenBSD firewalls now, and puppet
allows us to maintain one common template based code base, and change
only a couple of things specific
Hi,
Puppet or Ansible would be the best choice as then you can
normalise/manage every service (from pf.conf to named.conf, ipsec.conf
to isc-dhcp, and ospfd.conf to bgpd.conf) etc on the firewall pairs.
We do this and we are now managing over 50 files including Snort and
OSSEC etc..
On 07/28/14 23:21, sven falempin wrote:
On Mon, Jul 28, 2014 at 11:19 PM, Leonardo Santagostini
lsantagost...@gmail.com wrote:
Maybe puppet?
If this is your only fly, Puppet is one hell of a cannon to swat it
with. There are also things I think Puppet does well, and things it
does poorly.
On Mon, Jul 28, 2014 at 11:21:46PM -0400, sven falempin wrote:
On Mon, Jul 28, 2014 at 11:19 PM, Leonardo Santagostini
lsantagost...@gmail.com wrote:
Maybe puppet?
where are you storing the change history?
My colleague and I (ab)use mercurial to this end, then blast the
configs out
Puppet is definitely a sledgehammer approach, but if you have lots of
firewalls it's great.
We run around 13 or 14 pairs of OpenBSD firewalls now, and puppet
allows us to maintain one common template based code base, and change
only a couple of things specific to each environment (where each
Hi all,
is there a standard or recommended way to keep the pf.conf on the CARP cluster
members in sync?
Thanks!
Regards
Christoph
--
Christoph Peus
Universität Witten/Herdecke
Bereich Informationstechnologie
Tel: +49 2302 926-212
Fax: +49 2302 926-44857
mailto:christoph.p...@uni-wh.de
Hi Christoph,
here is my script to sync via rsync.
Please note I split pf.conf into 3 files because each router has local
specifics (some macros).
/etc/pf.conf: not synced
/etc/pf.sync.conf: filter rules
/etc/pf-nat.sync.conf: nat rules
=
#! /bin/sh
# VARS
Hi,
here is my script to sync via rsync.
Couldn't rdist(1) help ?
Denis
On Mon, Jul 28, 2014 at 1:44 PM, Denis Fondras open...@ledeuns.net wrote:
Hi,
here is my script to sync via rsync.
Couldn't rdist(1) help ?
Denis
it should ;)
The special command is used to specify sh(1) commands that are to be
executed on the remote host after the file in name list is
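Putting Romeo's cron job (hash the important files every 5 min, push when they change) together with Denis' split layout and the rdist(1) special command discussed above, here is an added example; it is not a script posted by anyone in the thread. It is POSIX sh, meant to run from root's crontab on both CARP members; whichever member's include files changed pushes them to the peer with rdist over ssh, and a cmdspecial runs once on the peer to test-parse and then load pf.conf. Assumed, not from the thread: the peer hostname fw2, the state file /var/db/pfsync-state, the script name pfsync-rdist, key-based root ssh to the peer, and that the peer's unsynced /etc/pf.conf include()s the synced files.

```shell
#!/bin/sh
# Added example (not from the thread): keep pf include files in sync with the
# other CARP member. Run from root's crontab on both members, e.g.
#   */5 * * * * /usr/local/sbin/pfsync-rdist
# Only the member whose files actually changed pushes, so editing on either
# box works. Assumed names: peer "fw2", the two include files from Denis'
# layout, state file /var/db/pfsync-state, script name "pfsync-rdist".

PEER=${PEER:-fw2}
SYNC_FILES=${SYNC_FILES:-"/etc/pf.sync.conf /etc/pf-nat.sync.conf"}
STATE=${STATE:-/var/db/pfsync-state}

# SHA-256 of one file: sha256(1) on OpenBSD, sha256sum(1) elsewhere.
file_sha256() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | cut -d' ' -f1
    fi
}

# Print the files whose hash differs from the one recorded in the state file
# (one "<sha256> <path>" per line); files with no record count as changed.
changed_files() {
    cf_state=$1; shift
    for cf_f in "$@"; do
        [ -f "$cf_f" ] || continue
        cf_new=$(file_sha256 "$cf_f")
        cf_old=$(awk -v p="$cf_f" '$2 == p { print $1 }' "$cf_state" 2>/dev/null)
        [ "$cf_new" = "$cf_old" ] || echo "$cf_f"
    done
}

# Rewrite the state file with the current hashes (atomically, via rename).
record_state() {
    rs_state=$1; shift
    : > "$rs_state.tmp"
    for rs_f in "$@"; do
        [ -f "$rs_f" ] || continue
        echo "$(file_sha256 "$rs_f") $rs_f" >> "$rs_state.tmp"
    done
    mv "$rs_state.tmp" "$rs_state"
}

# Emit a Distfile for rdist(1). cmdspecial runs once on the peer after all
# listed files were installed: test-parse the peer's own (unsynced) pf.conf,
# which include()s the synced files, and load it only if the parse succeeds.
make_distfile() {
    md_peer=$1; shift
    printf 'FILES = ( %s )\n' "$*"
    printf 'HOSTS = ( %s )\n\n' "$md_peer"
    printf '${FILES} -> ${HOSTS}\n'
    printf '\tinstall ;\n'
    printf '\tcmdspecial "pfctl -nf /etc/pf.conf && pfctl -f /etc/pf.conf" ;\n'
}

main() {
    changed=$(changed_files "$STATE" $SYNC_FILES)
    [ -n "$changed" ] || exit 0
    # Never push a rule set that does not even parse on this member.
    if ! pfctl -nf /etc/pf.conf; then
        echo "pfsync-rdist: local pf.conf does not parse, not syncing" >&2
        exit 1
    fi
    # Transport over ssh; "-f -" makes rdist read the Distfile from stdin.
    make_distfile "$PEER" $changed | rdist -P /usr/bin/ssh -f - || exit 1
    record_state "$STATE" $SYNC_FILES
}

# Only run when invoked under the script's name, so the functions can also
# be sourced and exercised without touching pf or the peer.
case ${0##*/} in
    pfsync-rdist) main "$@" ;;
esac
```

The local `pfctl -nf` before the push is the check worth keeping whatever transport you use: a typo in an include should fail on the box you are editing, not take rules off both members. After a push, the receiving member's next cron run sees its files changed relative to its own state and pushes back; rdist finds the files identical, installs nothing, so the cmdspecial does not fire and the receiver just records the new hashes.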
On 2014-07-28, Peus, Christoph christoph.p...@uni-wh.de wrote:
Hi all,
is there a standard or recommended way to keep the pf.conf on the CARP cluster
members in sync?
I scp files from a config master box where I have a bunch of config files
checked in to subversion. It's pretty
On 07/28/14 07:50, Peus, Christoph wrote:
Hi all,
is there a standard or recommended way to keep the pf.conf on the CARP cluster
members in sync?
Thanks!
No one standard or recommended way, but lots of ideas, as you can see.
Here's mine, but for the moment, I'll leave you to develop
Maybe puppet?
Regards
On Jul 29, 2014 12:08 a.m., Nick Holland n...@holland-consulting.net
wrote:
On 07/28/14 07:50, Peus, Christoph wrote:
Hi all,
is there a standard or recommended way to keep the pf.conf on the CARP cluster
members in sync?
Thanks!
No one standard or
On Mon, Jul 28, 2014 at 11:19 PM, Leonardo Santagostini
lsantagost...@gmail.com wrote:
Maybe puppet?
Regards
On Jul 29, 2014 12:08 a.m., Nick Holland n...@holland-consulting.net
wrote:
On 07/28/14 07:50, Peus, Christoph wrote:
Hi all,
is there a standard or recommended way to