2

What software do you use for central network management?

What I mean is, you record a machine's name, mac address, open ports and other info, and the program generates DHCP, DNS and Firewall configuration snippets, to be included from main config files.

For example the central network manager tool has the following fields in the config file:

machine1 | 10.0.0.22 | 01:23:45:67:89:ab | 80/tcp, 53/udp, 53/tcp | owner | room

This becomes three files, one for DNS

machine1 IN A   10.0.0.22 ; owner , room

one for DHCP

host machine1 { hardware ethernet 01:23:45:67:89:ab; fixed-address 10.0.0.22; } # owner , room

one for Firewall (example for Linux iptables)

-A mycustomchain -d 10.0.0.22 -p tcp --dport 80 -j ACCEPT # machine1, owner, room
-A mycustomchain -d 10.0.0.22 -p udp --dport 53 -j ACCEPT # machine1, owner, room

It is not too hard to code something by hand, but are there any good ready-made solutions with a good track record? Possible pluses: supporting different DNS, DHCP and firewall software, and having plugin-like support for copying the updated configurations to the relevant servers and restarting services.

I am looking for a tool targeting Linux systems, but windows or BSD only solutions are welcome for completeness' sake.

hayalci
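A minimal generator of the kind the question describes, added here as an example; it is not one of the tools asked about and not code from the original post. It parses the one-line record format shown above, validates every field, and emits the DNS, dhcpd and iptables snippets. The validation is the point: `owner` and `room` end up inside config comments, `name` becomes a DNS label and a dhcpd host name, so a stray `}`, `;` or newline in any of them would leak into the generated files. The chain name `mycustomchain` is taken from the question; the second sample record and the function names are assumptions for illustration.

```python
#!/usr/bin/env python3
"""Generate DNS, DHCP and iptables snippets from one-line host records.

Record format (one host per line, fields separated by '|'):
    name | ip | mac | ports | owner | room
'ports' is a comma-separated list such as "80/tcp, 53/udp, 53/tcp".
"""
import ipaddress
import re

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")
NAME_RE = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")
PORT_RE = re.compile(r"^(\d{1,5})/(tcp|udp)$")
# Free-text fields land in config comments: keep them to one line of plain text
# so they can neither end the comment nor start a new statement.
COMMENT_RE = re.compile(r"^[A-Za-z0-9 ._-]*$")


def parse_record(line):
    """Parse one record and validate every field. Raises ValueError on bad input."""
    fields = [f.strip() for f in line.split("|")]
    if len(fields) != 6:
        raise ValueError(f"expected 6 fields, got {len(fields)}: {line!r}")
    name, ip, mac, ports, owner, room = fields
    name, mac = name.lower(), mac.lower()
    if not NAME_RE.match(name):
        raise ValueError(f"bad host name {name!r}")
    addr = ipaddress.IPv4Address(ip)  # raises on anything that is not an IPv4 address
    if not MAC_RE.match(mac):
        raise ValueError(f"bad MAC {mac!r}")
    parsed_ports = []
    for spec in filter(None, (p.strip() for p in ports.split(","))):
        m = PORT_RE.match(spec)
        if not m or not 1 <= int(m.group(1)) <= 65535:
            raise ValueError(f"bad port spec {spec!r}")
        parsed_ports.append((int(m.group(1)), m.group(2)))
    for label, value in (("owner", owner), ("room", room)):
        if not COMMENT_RE.match(value):
            raise ValueError(f"bad {label} {value!r}")
    return {"name": name, "ip": str(addr), "mac": mac,
            "ports": parsed_ports, "owner": owner, "room": room}


def dns_snippet(rec):
    return f"{rec['name']} IN A   {rec['ip']} ; {rec['owner']} , {rec['room']}\n"


def dhcp_snippet(rec):
    return (f"host {rec['name']} {{ hardware ethernet {rec['mac']}; "
            f"fixed-address {rec['ip']}; }} # {rec['owner']} , {rec['room']}\n")


def iptables_snippet(rec, chain="mycustomchain"):
    # One ACCEPT rule per listed port, so 53/udp and 53/tcp each get their own line.
    return "".join(
        f"-A {chain} -d {rec['ip']} -p {proto} --dport {port} -j ACCEPT "
        f"# {rec['name']}, {rec['owner']}, {rec['room']}\n"
        for port, proto in rec["ports"])


def generate(records_text):
    """Turn the whole records file into the three snippet files (as strings)."""
    dns, dhcp, fw = [], [], []
    for line in records_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rec = parse_record(line)
        dns.append(dns_snippet(rec))
        dhcp.append(dhcp_snippet(rec))
        fw.append(iptables_snippet(rec))
    return {"dns": "".join(dns), "dhcp": "".join(dhcp), "iptables": "".join(fw)}


# Constructed sample input: the record from the question plus one invented host.
SAMPLE_RECORDS = """\
machine1 | 10.0.0.22 | 01:23:45:67:89:ab | 80/tcp, 53/udp, 53/tcp | owner | room
printer2 | 10.0.0.40 | 00:11:22:33:44:55 | 9100/tcp | facilities | 2nd floor
"""

if __name__ == "__main__":
    for kind, text in generate(SAMPLE_RECORDS).items():
        print(f"--- {kind} ---")
        print(text, end="")
```

Because the generator refuses a record rather than emitting a best-effort line, a typo in the records file stops the whole run instead of producing a half-written dhcpd.conf include; the snippets are returned as strings so a wrapper can decide where to write them and when to reload each service.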

3 Answers

2

The script below doesn't directly answer your question, but as an example of the type of thing you can do with a perl script it may be useful. My setup is a building with 4 floors and a more restricted admin network. I use the script to add new machines as they arrive, recording the mac address and giving them an address that corresponds to the floor they're on. I use a $PWD/.floorN file to record the address so I can correctly increment. It also adds forward and reverse DNS records and IPAC-NG rules to record bandwidth. The script makes some assumptions as to the locations of files and the presence of some text in them to allow substitution for new records.

#!/usr/bin/perl -w
use strict;
##################
# Usage: addhost Firstname Secondname MAC [floor]
my ($firstname, $secondname, $mac, $floor) = @ARGV;
foreach my $arg ([firstname => $firstname], [secondname => $secondname], [mac => $mac]) {
    unless (defined $arg->[1] && length $arg->[1]) {
        print "\$$arg->[0] not found, Please run this as $0 Firstname Secondname MAC floor\n";
        exit 1;
    }
}
my $mac2 = lc $mac;
# These values are written verbatim into dhcpd.conf and the zone files,
# so refuse anything that is not a MAC address or a plain host name.
die "bad MAC address '$mac'\n" unless $mac2 =~ /^([0-9a-f]{2}:){5}[0-9a-f]{2}$/;
die "names may only contain letters, digits and '-'\n"
    unless "$firstname$secondname" =~ /^[A-Za-z0-9-]+$/;
$floor = "0" unless defined $floor && length $floor;
die "floor must be a single digit\n" unless $floor =~ /^\d$/;
my $host = "$firstname$secondname";

# .floorN holds one line per host on that floor; its line count gives the
# next free host number, so 10.0.1N.2 is the first address handed out.
open(my $ips, '+<', ".floor$floor") or die "cannot open .floor$floor: $!\n";
my $count = 1;
$count++ while <$ips>;
die "no free addresses left on floor $floor\n" if $count > 253;  # .254 is the router
print $ips "$host :$count\n";   # handle sits at EOF after the read loop, so this appends
close($ips);

my $ip  = "10.0.1$floor.$count";
my $add = <<END;
host $host {
hardware ethernet $mac2;
fixed-address $ip;
option routers 10.0.1$floor.254;
}
END
print "adding to /etc/dhcp3/dhcpd.conf\n\n$add";

# Read the whole config, then rewrite it with the new host block spliced in
# just before the "# new entries here" marker line.
open(my $orig, '<', '/etc/dhcp3/dhcpd.conf') or die "cannot read dhcpd.conf: $!\n";
my @orig = <$orig>;
close($orig);
open(my $conf, '>', '/etc/dhcp3/dhcpd.conf') or die "cannot write dhcpd.conf: $!\n";
foreach my $line (@orig) {
    $line =~ s/  \# new entries here/$add\n  \# new entries here/;
    print $conf $line;
}
close($conf) or die "error writing dhcpd.conf: $!\n";
system("/etc/init.d/dhcp3-server restart");

# add forward and reverse DNS records for this host
# (records are appended to the zone files; the SOA serials are not updated here)
print "Adding DNS Entries ...\n";
open(my $rev, '>>', "/var/cache/bind/1$floor.0.10.in-addr.arpa") or die "cannot open reverse zone: $!\n";
print $rev "$count\t\tPTR\t$host.zone.com.\n";
close($rev);
open(my $zone, '>>', '/var/cache/bind/zone.com') or die "cannot open forward zone: $!\n";
print $zone "$host\t28800\tIN\tA\t$ip\n";
close($zone);
system("rndc reload");

# Add two ipac rules, so we can see traffic going to/from this IP
print "Adding IP Accounting rules ...\n";
open(my $ipac, '>>', '/etc/ipac-ng/rules.conf') or die "cannot open ipac rules: $!\n";
print $ipac <<END;
$firstname.$secondname in|ipac~i|+|all|0/0|$ip
$firstname.$secondname out|ipac~o|+|all|$ip|0/0
END
close($ipac);
pete
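The script above rewrites the live dhcpd.conf in place (truncate, then write back) and restarts the daemon unconditionally, so a crash mid-write or a typo in the new block leaves the DHCP server down. The following is an added example, not part of pete's script, of the same splice done so that the live file is never truncated and the daemon is only touched after the candidate config passes dhcpd's own syntax check (`dhcpd -t -cf FILE`). It assumes the same `# new entries here` marker line, but matches it as a whole line rather than as a substring; the sample dhcpd.conf, the host block and `demo()` (which stubs out the validator so the code runs where dhcpd is not installed) are constructed for illustration.

```python
#!/usr/bin/env python3
"""Add a host block to dhcpd.conf without ever leaving the live file truncated,
and only replace it once the candidate configuration has been syntax-checked."""
import os
import subprocess
import tempfile

MARKER = "  # new entries here"   # the marker line the script above relies on


def splice_before_marker(config_text, block, marker=MARKER):
    """Return config_text with block inserted just before the first marker line.
    Refuses to continue if the marker is missing or the host block is already there."""
    lines = config_text.splitlines(keepends=True)
    idx = next((i for i, ln in enumerate(lines) if ln.rstrip("\n") == marker), None)
    if idx is None:
        raise ValueError("marker line not found; refusing to rewrite the config")
    head = block.splitlines()[0].strip()          # e.g. "host alicesmith {"
    if any(ln.strip() == head for ln in lines):
        raise ValueError(f"{head!r} is already present")
    if not block.endswith("\n"):
        block += "\n"
    return "".join(lines[:idx]) + block + "".join(lines[idx:])


def atomic_replace(path, data):
    """Write data to a temp file in the same directory, fsync it, then rename it
    over path: a crash leaves either the old or the new file, never an empty one."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(prefix=".dhcpd.conf.", dir=directory)
    try:
        with os.fdopen(fd, "w") as f:
            f.write(data)
            f.flush()
            os.fsync(f.fileno())
        if os.path.exists(path):
            os.chmod(tmp, os.stat(path).st_mode)  # keep the live file's permissions
        os.replace(tmp, path)
    finally:
        if os.path.exists(tmp):
            os.unlink(tmp)


def check_dhcpd(candidate, dhcpd="dhcpd"):
    """Syntax-check a candidate file with ISC dhcpd's own parser (dhcpd -t -cf FILE).
    Returns False if the check fails or the binary is not installed."""
    try:
        result = subprocess.run([dhcpd, "-t", "-cf", candidate],
                                stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    except FileNotFoundError:
        return False
    return result.returncode == 0


def add_host(config_path, block, validate=check_dhcpd):
    """Splice block into config_path; validate the result before replacing the live file."""
    with open(config_path) as f:
        new_text = splice_before_marker(f.read(), block)
    fd, candidate = tempfile.mkstemp(suffix=".conf")
    try:
        with os.fdopen(fd, "w") as f:
            f.write(new_text)
        if not validate(candidate):
            raise RuntimeError("candidate config failed validation; live config untouched")
    finally:
        os.unlink(candidate)
    atomic_replace(config_path, new_text)
    return new_text


# Constructed sample data for the demo (not a real site configuration).
SAMPLE_CONF = (
    "subnet 10.0.11.0 netmask 255.255.255.0 {\n"
    "  range 10.0.11.100 10.0.11.200;\n"
    "  # new entries here\n"
    "}\n"
)
SAMPLE_BLOCK = (
    "host alicesmith {\n"
    "  hardware ethernet 00:11:22:33:44:55;\n"
    "  fixed-address 10.0.11.2;\n"
    "}\n"
)


def demo():
    """Run add_host against a throwaway copy of SAMPLE_CONF with a stub validator,
    so the example works where dhcpd is not installed. Returns the new config text."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "dhcpd.conf")
        with open(path, "w") as f:
            f.write(SAMPLE_CONF)
        add_host(path, SAMPLE_BLOCK, validate=lambda p: True)
        with open(path) as f:
            return f.read()


if __name__ == "__main__":
    print(demo(), end="")
```

With the real validator, the restart (`/etc/init.d/dhcp3-server restart` in the script above) would go after `add_host()` returns, so a rejected block never reaches the running daemon; the duplicate-host check also keeps a re-run of the same command from inserting the block twice.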
1

There are two programs for generating configuration files;

hayalci
0

This falls under the broader category of configuration management, which is addressed elsewhere on serverfault (e.g. here). I'd recommend puppet for this type of thing.

This approach is rather more in-depth than the simple examples you were talking about, but it also allows for much more control of your systems.

Daniel Lawson
  • We are already using puppet for server management, but there is no built-in support for this type of work in puppet, also there is no available puppet recipe on its web site. – hayalci May 30 '09 at 22:45
  • Puppet is the tool you would use to generate the configurations and push them out to your servers then, given that you've already got it in use. And it natively supports different variants of servers, because you're in charge of writing configuration files. If what you want is a meta-tool to help you generate configuration files based on some other database of information, look for information about external node classification, or perhaps ask that question here instead :) Perhaps I'm missing something about your question? – Daniel Lawson May 31 '09 at 05:50
  • umm. I actually asked about a program for generating configuration files, it's in the second paragraph. – hayalci Jun 01 '09 at 16:06
  • Sorry, I wasn't clear. Puppet will generate config files for you. If what you want is a tool to generate puppet manifests, that's a different question. – Daniel Lawson Jun 01 '09 at 19:28