On 29-07-2014 10:41, Andy wrote:
> Puppet is definitely a sledgehammer approach, but if you have lots of
> firewalls it's great.
>
> We run around 13 or 14 pairs of OpenBSD firewalls now, and puppet
> allows us to maintain one common template-based code base, and change
> only a couple of things specific to each environment (where each
> environment is a unique firewall pair).
>
> This makes upgrading and looking after this many firewalls possible
> for just one person.
> If I tried to manage that many firewalls on my own without puppet I
> would have lost the plot and all my hair by now.
>
> Another nice example of an appropriate application is that by using
> PuppetDB, a full IPSec VPN mesh is built automatically by puppet
> between every firewall according to the subnets behind each firewall
> pair. So if I add a single new subnet behind a remote office firewall,
> the 12 odd extra tunnels all get created automatically.
>
> But unless you are wanting to do stuff like that, then yes, I
> completely agree with Nick, puppet is major overkill..
>
> Hope this helps.
> Cheers, Andy.

Hi,
All these new devops tools, that are supposed to make developers become sysadmins and sysadmins edit some source code and magically manage their machines, are making systems less secure by means of simplicity. It all boils down to the infamous "recipes". If you get the wrong one (and by the way, there are lots of recipes being created by people that don't know shit about system administration), then you are doomed. Of course these tools can and should be used, but they should be used by people that understand what they're doing "under the hood".

Now that I did my rant, to the OP's question: I do this with git and git branches. Since git is distributed, you don't need a central repository on a separate machine; either one of the firewalls can be it. I use gitolite for repo management. It's simple and has lots of configuration options. I now use a hook that "watches" a specific branch and syncs pf.conf across the firewall machines. It even mails me after it's done, or in case of any errors. And, to keep firewall-specific files, I use a common branch model. When I merge things they get replicated. In case of a disaster, any machine can be recovered from any other, since git has the whole repository cloned onto all machines. In my case I have an external central repository that is backed up regularly.

Cheers,

--
Giancarlo Razzolini
GPG: 4096R/77B981BC
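A hook in the spirit of the one Giancarlo describes, written here as an added example rather than his actual hook: a post-receive hook on the bare repository that reacts only to pushes on one watched branch, checks the new pf.conf with `pfctl -n` before anything is installed, pushes it to the peer firewalls and mails the outcome. The branch name, the peer hostnames and the in-repo path of pf.conf are assumptions.

```sh
#!/bin/sh
# Hypothetical post-receive hook for a bare repo on one firewall (added example).
# Each pushed ref arrives on stdin as "oldrev newrev refname"; only the watched
# branch triggers a sync, and nothing is installed until pfctl -n accepts it.
WATCH_BRANCH="${WATCH_BRANCH:-deploy}"               # assumed branch name
PEERS="${PEERS:-fw-a.example.net fw-b.example.net}"  # assumed firewall hosts
PF_CONF="${PF_CONF:-pf.conf}"                        # assumed path of the ruleset in the repo
MAILTO="${MAILTO:-root}"

# is_watched_ref REFNAME: succeed only for the branch the hook watches
is_watched_ref() {
    [ "$1" = "refs/heads/$WATCH_BRANCH" ]
}

# check_ruleset FILE: parse the ruleset locally without loading it
check_ruleset() {
    pfctl -nf "$1"
}

# sync_peer HOST FILE: copy, re-check on the peer, then swap it in and load it
sync_peer() {
    scp -q "$2" "root@$1:/etc/pf.conf.new" &&
    ssh "root@$1" 'pfctl -nf /etc/pf.conf.new && mv /etc/pf.conf.new /etc/pf.conf && pfctl -f /etc/pf.conf'
}

# process_push OLDREV NEWREV REFNAME: handle one line of post-receive input
process_push() {
    is_watched_ref "$3" || return 0              # other branches: nothing to do
    tmp=$(mktemp) || return 1
    git show "$2:$PF_CONF" > "$tmp" || { rm -f "$tmp"; return 1; }
    if ! check_ruleset "$tmp"; then
        echo "pf.conf at $2 rejected by pfctl -n" | mail -s "pf sync FAILED" "$MAILTO"
        rm -f "$tmp"; return 1
    fi
    failed=""
    for h in $PEERS; do
        sync_peer "$h" "$tmp" || failed="$failed $h"
    done
    rm -f "$tmp"
    if [ -n "$failed" ]; then
        echo "peers not updated:$failed" | mail -s "pf sync FAILED" "$MAILTO"
        return 1
    fi
    echo "all peers now run pf.conf from $2" | mail -s "pf sync ok" "$MAILTO"
}

# git runs the hook as hooks/post-receive; when sourced from elsewhere, do nothing
case "$0" in */post-receive) while read -r o n r; do process_push "$o" "$n" "$r"; done ;; esac
```

Because the peer re-runs `pfctl -n` on the copied file before the `mv`, a ruleset that parses on the pushing host but not on a peer (different interface names, for instance) leaves that peer's running ruleset untouched and shows up in the failure mail.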