DaemonForums > OpenBSD > OpenBSD General
#1  Skinny (Port Guard; joined Jul 2012; 25 posts), 5th July 2014
How to deploy pf.conf to multiple machines?

I've got two machines for firewalling. It's good for redundancy but tedious in management:
- edit pf.conf on machine1
- pfctl -f pf.conf
- scp pf.conf machine2:/etc/
- ssh machine2 "pfctl -f /etc/pf.conf"

What software do OpenBSD folks use for config management?

I've heard good things about Ansible, but that requires Python on the managed machine. I don't want to install any packages on the firewall.

#2  jggimi (More noise than signal; USA; joined May 2008; 3,710 posts), 5th July 2014

Take a look at rdist(1). Disclaimer: I've never used it. My firewalls do not have identical PF configurations, even though they use carp(4) for redundancy and pfsync(4) for failover. This is because they each provide a different mix of additional application services.

Last edited by jggimi; 5th July 2014 at 02:27 PM. Reason: corrected man page chapter

#3  ocicat (Administrator; joined Apr 2008; 2,888 posts), 5th July 2014

Quote, originally posted by Skinny:
    What software do OpenBSD folks use for config management?

Puppet can be found in packages. I can't comment further on it as I don't use it.

Quote, originally posted by Skinny:
    I don't want to install any packages on the firewall.

...which limits your configuration to "push"-style management. At that point, you could implement any number of schemes which would:
  • pull from some form of repository.
  • massage the files into their final form.
  • push to the endpoint firewalls via scp(1).
Puppet might be able to do all of this itself. Personally, I do the repository portion using devel/git as the backend SCM database, but other tools or schemes could be used. I use Git as I want to keep an audit trail of what I have done & when. I also use Git for other things, so familiarity helped in the decision.
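The push loop Skinny describes in the opening post (edit, pfctl -f, scp, ssh pfctl -f) and the pull, massage, push scheme ocicat outlines above, combined into one script as an added example; it is not code from either poster. Beyond what the thread states, it assumes a git checkout at /var/git/firewall holding the shared pf.conf plus optional per-host macro files under hosts/, root ssh with key authentication to the hostnames fw1.example.net and fw2.example.net, and pfctl(8) on the admin machine as well as on each firewall. It adds the two checks a practitioner wants before touching a remote firewall: a syntax check with pfctl -nf before the old ruleset is replaced, and a dead man's timer that restores the previous ruleset if the new rules lock the operator out.

```shell
#!/bin/sh
# pfpush.sh: push a git-tracked pf.conf to several OpenBSD firewalls.
# Added example, not from the thread. Assumptions (none stated in the posts):
# root ssh with key auth to each firewall, pfctl(8) on the admin box and on
# every target, and this repository layout:
#   $REPO/pf.conf              shared ruleset
#   $REPO/hosts/<host>.macros  optional per-host macro lines, e.g.  ext_if = "em0"
set -eu

REPO=${REPO:-/var/git/firewall}                    # assumed local git checkout
HOSTS=${HOSTS:-"fw1.example.net fw2.example.net"}  # assumed firewall hostnames
GRACE=${GRACE:-90}                                 # seconds before a target reverts on its own

# render_ruleset REPO HOST COMMIT
# Emits the final pf.conf for HOST: an audit comment naming the commit, the
# host's macro overlay (macros must be defined before the rules that use them),
# then the shared rules.
render_ruleset() {
    repo=$1 host=$2 commit=$3
    printf '# generated from %s commit %s for %s; do not edit on the firewall\n' \
        "$repo" "$commit" "$host"
    if [ -f "$repo/hosts/$host.macros" ]; then
        cat "$repo/hosts/$host.macros"
    fi
    cat "$repo/pf.conf"
}

# remote_install_script GRACE
# Emits the script run on each firewall: syntax-check the uploaded file,
# install it atomically (same filesystem, so mv is a rename), arm a timer that
# restores the previous ruleset unless /etc/pf.conf.ok appears, then load the
# new rules. The pusher creates pf.conf.ok over a fresh ssh connection, which
# only succeeds if the new rules still let that ssh through.
remote_install_script() {
    grace=$1
    cat <<EOF
set -e
pfctl -nf /etc/pf.conf.new
cp -p /etc/pf.conf /etc/pf.conf.prev
mv /etc/pf.conf.new /etc/pf.conf
rm -f /etc/pf.conf.ok
nohup sh -c 'sleep $grace; [ -e /etc/pf.conf.ok ] || { cp -p /etc/pf.conf.prev /etc/pf.conf; pfctl -f /etc/pf.conf; }' </dev/null >/dev/null 2>&1 &
pfctl -f /etc/pf.conf
EOF
}

deploy() {
    # refuse to push uncommitted edits: the git history is the audit trail
    if [ -n "$(git -C "$REPO" status --porcelain)" ]; then
        echo "uncommitted changes in $REPO; commit first" >&2
        return 1
    fi
    commit=$(git -C "$REPO" rev-parse --short HEAD)
    for h in $HOSTS; do
        tmp=$(mktemp)
        render_ruleset "$REPO" "$h" "$commit" > "$tmp"
        pfctl -nf "$tmp"                      # local syntax check before anything leaves the box
        scp -q "$tmp" "root@$h:/etc/pf.conf.new"
        remote_install_script "$GRACE" | ssh "root@$h" sh -s
        ssh "root@$h" touch /etc/pf.conf.ok   # fails, and the timer reverts, if we locked ourselves out
        rm -f "$tmp"
        echo "$h: loaded commit $commit"
    done
}

# usage: REPO=/var/git/firewall HOSTS="fw1.example.net fw2.example.net" ./pfpush.sh deploy
if [ "${1:-}" = deploy ]; then
    deploy
fi
```

The loop pushes hosts one at a time and stops at the first failure, so in a carp/pfsync pair the second firewall is left untouched if the first rejects the ruleset. The macro overlay is the hook for jggimi's point that paired firewalls rarely have identical configurations: host-specific interface names or service lists go in hosts/<host>.macros and the shared policy stays in pf.conf, so both hosts still load from one reviewed commit.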