Re: Multi Firewalls Admin

2006-04-23 Thread Matthew Closson

On Wed, 19 Apr 2006, Joachim Schipper wrote:

> On Tue, Apr 18, 2006 at 12:47:31AM +0200, xanadu wrote:
> > Hi,
> >
> > I have to remote admin 54 OpenBSD firewalls.
> > What tools can help me for that (Monitoring, Updates or PF broadcasts,
> > getting firewalls logs, automate processes, ...), is there all in one ?
>
> It's usually better to assemble something from the individual best
> components. Some possible choices:
> - centralized syslog server(s) running syslog-ng, stock syslogd,
>   or whatever syslogd best suits your needs, taking into account
>   that the network being traversed is untrusted (i.e. some VPN
>   solution makes sense);
> - automated log monitoring using, for instance, sec
>   (sysutils/sec)[1] or one of the other packages (swatch,
>   logsurfer, ...);
> - automated network monitoring using, for instance, nagios[2]
>   (or mon, or ...);
> - some custom scripting to handle pflog, or just keep it on the
>   host until needed - or just don't log it;
> - distributing configuration and binaries using rdist (in base,
>   and works well, but uses a lot of bandwidth), rsync, or
>   something all-in like cfengine; or a simple FTP server; most
>   choices here allow you to run scripts;
> - remote login using sshd, possibly augmented using something
>   that will run a command on N hosts;
> - something more exotic, like using a single AFS-mounted image
>   for all of the firewalls, and telling the various syslogd
>   processes to log to the proper place.
>
> Additionally, cron and/or /etc/{daily,weekly,monthly}.local is your
> friend. Some custom scripting will be desired; use a Bourne shell, Perl,
> Python, or whatever suits you.
>
> Take into account that any package you do not need to install, is one
> more package you don't have to depend on. Especially for a firewall,
> the stock install is likely to be sufficient.
>
> Joachim
>
> [1] Sec is very powerful, but the documentation is a little lacking in
> examples and writing a good ruleset will take time. OTOH, it is more
> flexible, more powerful, and writing a good ruleset always takes time. I
> have some working configurations for you, should you decide to take this
> route.
> Whatever you choose, it is vitally important that you *do* see anything
> you have not mentioned in the configuration file. Those tend to be the
> most 'interesting'.
> [2] Nagios is quite useful, and makes pretty pictures. Good for showing
> people.




I use this as well for distributed command execution and it works great.

http://tentakel.biskalar.de - "Tentakel"

-Matt-



Re: Multi Firewalls Admin

2006-04-21 Thread tony sarendal
On 20/04/06, xanadu <[EMAIL PROTECTED]> wrote:
>
> Thanks for your answers!
>
> You gave me nice ideas, if I'm summarizing to admin my remote OpenBSD boxes:
>
> - Monitoring: Cacti, Nagios, Argus and a centralised syslog
> - Distributed Configs: with CVS or maybe http://www.allard.nu/pfw/ for
> PF or Rsync/Rdist/FTP
> - Distributed scripts: ssh
>
> It will be a lot of work, my 54 OpenBSD boxes will grow very fast to
> x2x4...
>
> I'm really interested in a project focused on mass admin, let me know
> if such a thing is coming.
>
> Thanks again for your support, it really helps.



I used to work on networks with thousands of routers to manage,
in the end nothing was better than writing my own tools.

I may be drunk now, but I do miss it.

/Tony



Re: Multi Firewalls Admin

2006-04-21 Thread xanadu

Thanks for your answers!

You gave me nice ideas, if I'm summarizing to admin my remote OpenBSD boxes:

- Monitoring: Cacti, Nagios, Argus and a centralised syslog
- Distributed Configs: with CVS or maybe http://www.allard.nu/pfw/ for
  PF or Rsync/Rdist/FTP
- Distributed scripts: ssh

It will be a lot of work, my 54 OpenBSD boxes will grow very fast to
x2x4...

I'm really interested in a project focused on mass admin, let me know
if such a thing is coming.

Thanks again for your support, it really helps.

Sacha.



Re: pfw (was: Multi Firewalls Admin)

2006-04-19 Thread Alexander Belikov
MS> On 2006-04-19 10:43:43 +1000, Johan Allard wrote:
>> If you check out http://www.allard.nu/pfw/, it's most likely going to  
>> be the closest thing for you. It can do PF broadcasts (installing a  
>> ruleset on multiple firewalls at once), examining logs on remote  
>> firewalls and do basic monitoring of your firewalls as well.

MS> Any chance of it becoming a port?
try to write the same to ports@openbsd.org

-- 
Best regards,
 Alexander mailto:[EMAIL PROTECTED]



pfw (was: Multi Firewalls Admin)

2006-04-19 Thread Martin Schröder
On 2006-04-19 10:43:43 +1000, Johan Allard wrote:
> If you check out http://www.allard.nu/pfw/, it's most likely going to  
> be the closest thing for you. It can do PF broadcasts (installing a  
> ruleset on multiple firewalls at once), examining logs on remote  
> firewalls and do basic monitoring of your firewalls as well.

Any chance of it becoming a port?

Best
Martin
-- 
http://www.tm.oneiros.de



Re: Multi Firewalls Admin

2006-04-19 Thread Joachim Schipper
On Tue, Apr 18, 2006 at 12:47:31AM +0200, xanadu wrote:
> Hi,
> 
> I have to remote admin 54 OpenBSD firewalls.
> What tools can help me for that (Monitoring, Updates or PF broadcasts, 
> getting firewalls logs, automate processes, ...), is there all in one ?

It's usually better to assemble something from the individual best
components. Some possible choices:
- centralized syslog server(s) running syslog-ng, stock syslogd,
  or whatever syslogd best suits your needs, taking into account
  that the network being traversed is untrusted (i.e. some VPN
  solution makes sense);
- automated log monitoring using, for instance, sec
  (sysutils/sec)[1] or one of the other packages (swatch,
  logsurfer, ...);
- automated network monitoring using, for instance, nagios[2]
  (or mon, or ...);
- some custom scripting to handle pflog, or just keep it on the
  host until needed - or just don't log it;
- distributing configuration and binaries using rdist (in base,
  and works well, but uses a lot of bandwidth), rsync, or
  something all-in like cfengine; or a simple FTP server; most
  choices here allow you to run scripts;
- remote login using sshd, possibly augmented using something
  that will run a command on N hosts;
- something more exotic, like using a single AFS-mounted image
  for all of the firewalls, and telling the various syslogd
  processes to log to the proper place.

Additionally, cron and/or /etc/{daily,weekly,monthly}.local is your
friend. Some custom scripting will be desired; use a Bourne shell, Perl,
Python, or whatever suits you.

Take into account that any package you do not need to install, is one
more package you don't have to depend on. Especially for a firewall,
the stock install is likely to be sufficient.

Joachim

[1] Sec is very powerful, but the documentation is a little lacking in
examples and writing a good ruleset will take time. OTOH, it is more
flexible, more powerful, and writing a good ruleset always takes time. I
have some working configurations for you, should you decide to take this
route.
Whatever you choose, it is vitally important that you *do* see anything
you have not mentioned in the configuration file. Those tend to be the
most 'interesting'.
[2] Nagios is quite useful, and makes pretty pictures. Good for showing
people.
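
The point made in footnote [1] above, that log lines not mentioned in the configuration must still be seen, shown as an added example that is not part of the original post and is not sec's rule syntax. The rule table, host names and sample lines are constructed for illustration.

```python
import re

# Hypothetical rule table: (action, pattern). "ignore" lines are dropped,
# "alert" lines are flagged, and any line matching no rule is reported as
# "unknown" rather than silently discarded.
RULES = [
    ("ignore", re.compile(r"sshd\[\d+\]: Accepted publickey for \S+ from \S+")),
    ("ignore", re.compile(r"cron\[\d+\]: \(root\) CMD \(")),
    ("alert",  re.compile(r"sshd\[\d+\]: Failed password for ")),
    ("alert",  re.compile(r"/bsd: .*: file system full")),
]

# BSD syslog prefix: "Apr 19 10:43:43 host rest-of-line"
SYSLOG = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) (.*)$")

def classify(line):
    """Return (host, action, message) for one syslog line."""
    m = SYSLOG.match(line)
    if not m:
        return ("?", "unknown", line)   # unparsable lines are surfaced too
    _, host, msg = m.groups()
    for action, pattern in RULES:
        if pattern.search(msg):
            return (host, action, msg)
    return (host, "unknown", msg)       # default: report, never drop

def report(lines):
    """Group everything not explicitly ignored by host, then by action."""
    out = {}
    for line in lines:
        host, action, msg = classify(line.rstrip("\n"))
        if action != "ignore":
            out.setdefault(host, {}).setdefault(action, []).append(msg)
    return out

# Constructed sample input (not real logs), as seen on a central loghost.
SAMPLE = [
    "Apr 19 10:43:43 fw01 sshd[4121]: Accepted publickey for admin from 192.0.2.10 port 50122 ssh2",
    "Apr 19 10:44:02 fw02 sshd[991]: Failed password for root from 198.51.100.7 port 4022 ssh2",
    "Apr 19 10:45:00 fw01 cron[733]: (root) CMD (/bin/sh /etc/daily.local)",
    "Apr 19 10:45:17 fw03 /bsd: arp info overwritten for 192.0.2.1 by 00:11:22:33:44:55 on em0",
    "garbled line without a timestamp",
]

if __name__ == "__main__":
    for host, groups in sorted(report(SAMPLE).items()):
        for action, msgs in groups.items():
            for msg in msgs:
                print(f"{host} [{action}] {msg}")
```

With the sample input, fw01 produces no output, fw02 raises an alert, and both the unanticipated fw03 kernel message and the unparsable line are listed as unknown.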



Re: Multi Firewalls Admin

2006-04-18 Thread Johan Allard

Sasha,



If you check out http://www.allard.nu/pfw/, it's most likely going to  
be the closest thing for you. It can do PF broadcasts (installing a  
ruleset on multiple firewalls at once), examining logs on remote  
firewalls and do basic monitoring of your firewalls as well.




Regards,

//johan



> Hi,
>
> I have to remote admin 54 OpenBSD firewalls.
> What tools can help me for that (Monitoring, Updates or PF broadcasts,
> getting firewalls logs, automate processes, ...), is there all in one ?
>
> Regards,
> Sacha.




Re: Multi Firewalls Admin

2006-04-18 Thread Jon Simola
On 4/17/06, xanadu <[EMAIL PROTECTED]> wrote:

> I have to remote admin 54 OpenBSD firewalls.
> What tools can help me for that (Monitoring, Updates or PF broadcasts,
> getting firewalls logs, automate processes, ...), is there all in one ?

I believe you're looking for Jr Network Admin, still not available as
a package yet. If you can't find one (check behind the filing
cabinets), you'll want to investigate snmp, syslog, cron, rsync, your
favourite scripting language, and perhaps a nice monitoring solution
(I've used Cacti, Nagios, and Argus at various times).

--
Jon Simola
Systems Administrator
ABC Communications



Multi Firewalls Admin

2006-04-18 Thread xanadu

Hi,

I have to remote admin 54 OpenBSD firewalls.
What tools can help me for that (Monitoring, Updates or PF broadcasts, 
getting firewalls logs, automate processes, ...), is there all in one ?


Regards,
Sacha.