On Tue, Jul 29, 2014 at 02:41:36PM +0100, Andy wrote:
> Puppet is definitely a sledgehammer approach, but if you have lots of
> firewalls it's great.

Not to mention, you can use it for your other non-firewall systems as well.

> Another nice example of an appropriate application is that by using
> PuppetDB, a full IPsec VPN mesh is built automatically by Puppet between
> every firewall according to the subnets behind each firewall pair. So if I
> add a single new subnet behind a remote office firewall, the 12-odd extra
> tunnels all get created automatically.
>
> But unless you are wanting to do stuff like that, then yes, I completely
> agree with Nick: Puppet is major overkill.

For even a small environment, being able to ERB-template your PF configs is
really nice. You can use a master if you want, or you can just do standalone
"puppet apply", where you ship all of the code needed to each system that
needs it.

I'm a Puppet user for more than just firewall systems, which allows me to take
a given node, say another server, and insert its IP into a table on the
firewall, completely dynamically, without having to statically set the IPs in
pf.conf. There are lots of interesting things you can do with Puppet that allow
you to build dynamic tables based on the classification of other systems in
your environment.

For the curious: https://github.com/xaque208/puppet-bsd

I started working on this over the last year, with the idea in mind that I'd
eventually be able to define the high-level components I care to manage on a
given BSD system and things would just happen. Eventually things like OSPF,
DHCP configs, etc. There are plenty of modules that work on Linux, but not as
many that work on BSD, OpenBSD even more so.

--
Zach
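The dynamic-table idea Zach describes (rendering a pf.conf table from the
classification of other nodes) is easy to illustrate with plain ERB, since that
is what Puppet's template() function uses underneath. The following is an added
example written for this thread, not code from puppet-bsd or from Zach: it
renders a constructed pf.conf fragment from a hash of hostnames and addresses
(standing in for what a PuppetDB query or exported resources would return, and
entirely made up here), and it refuses to render if any address or the table
name is not what it claims to be. The table name, interface name and hosts are
hypothetical. The validation is the part worth copying: a node's reported
address is data produced by that node, so a compromised host should not be able
to push arbitrary rule text into the firewall's pf.conf through a fact.

```ruby
require 'erb'
require 'ipaddr'

# Constructed sample data (hypothetical): what a PuppetDB query for nodes
# classified as web servers might yield, as hostname => IPv4 address.
WEB_NODES = {
  'www1.example.net' => '192.0.2.10',
  'www2.example.net' => '192.0.2.11',
  'www3.example.net' => '192.0.2.12',
}.freeze

# A small ERB template in the shape of a pf.conf fragment. In a Puppet module
# this would live under templates/ and be rendered by template(); it is
# embedded here so the example runs stand-alone. The heredoc is single-quoted
# so that $ext_if and #{...} reach ERB untouched.
PF_TEMPLATE = <<~'ERB'
  # managed by puppet; do not edit by hand
  ext_if = "<%= ext_if %>"

  table <%= "<#{table_name}>" %> persist {
  <%- nodes.sort.each do |host, ip| -%>
      <%= ip %>  # <%= host %>
  <%- end -%>
  }

  block in on $ext_if proto tcp to any port { 80 443 }
  pass in on $ext_if proto tcp to <%= "<#{table_name}>" %> port { 80 443 }
ERB

# pf table names are identifiers; anything else would let a name such as
# "web> persist { 0.0.0.0/0 }" rewrite the rule set.
def valid_table_name?(name)
  name.is_a?(String) && name.match?(/\A[A-Za-z_][A-Za-z0-9_]*\z/)
end

# Accept only strings that parse as an IPv4 address or network. A value like
# "192.0.2.10 } pass all" fails to parse and is rejected before templating.
def valid_ipv4?(addr)
  addr.is_a?(String) && IPAddr.new(addr).ipv4?
rescue IPAddr::InvalidAddressError, ArgumentError
  false
end

# Validate the node data, then render the fragment. Returns the pf.conf text.
def render_pf_fragment(table_name:, nodes:, ext_if: 'em0')
  unless valid_table_name?(table_name)
    raise ArgumentError, "bad table name #{table_name.inspect}"
  end
  bad = nodes.reject { |_host, ip| valid_ipv4?(ip) }
  raise ArgumentError, "non-IPv4 entries: #{bad.inspect}" unless bad.empty?

  ERB.new(PF_TEMPLATE, trim_mode: '-').result_with_hash(
    table_name: table_name, nodes: nodes, ext_if: ext_if
  )
end

if $PROGRAM_NAME == __FILE__
  puts render_pf_fragment(table_name: 'web_servers', nodes: WEB_NODES)
end
```

Under "puppet apply" the same rendering happens on the firewall itself with
whatever node data you shipped alongside the code; with a master and PuppetDB
the hash would come from a query. Either way the checks belong before the
template is expanded, and pfctl -nf on the rendered file is still worth running
before the real load.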