Home / server / Questions / 15886
Accepted
hayalci
Asked: 2009-05-31 14:11:07 +0800 CST

Central configuration for DHCP, DNS and Firewall

  • 772

What software do you use for central network management ?

What I mean is, you record a machine's name, mac address, open ports and other info, and the program generates DHCP, DNS and Firewall configuration snippets, to be included from main config files.

For example the central network manager tool has the following fields in the config file:

machine1 | 10.0.0.22 | 01:23:45:67:89:ab | 80/tcp, 53/udp, 53/tcp | owner | room

This becomes three files, one for DNS

machine1 IN A   10.0.0.22 ; owner , room

one for DHCP 

host machine1 { hardware ethernet 01:23:45:67:89:ab; fixed-address 10.0.0.22; } # owner , room

one for Firewall (example for Linux iptables)

-A mycustomchain -d 10.0.0.22 -p tcp --dport 80 -j ACCEPT  # machine1, owner, room
-A mycustomchain -d 10.0.0.22 -p udp --dport 53 -j ACCEPT # machine1, owner, room

It is not too hard to code something by hand, but are there any good ready made solutions with good track record ? Possible plusses: supporting different dns, dhcp, firewall software, having plugin-like support for copying the updated confiurations to relevant servers and restarting services.

I am looking for a tool targeting Linux systems, but windows or BSD only solutions are welcome for completeness' sake.

firewall domain-name-system networking dhcp network-management

3 Answers

  1. The script below doesn't directly answer your question, but as an example of the type of thing you can do with a perl script it may be useful. My setup is a building with 4 floors and a more restricted admin network. I use the script to add new machines as they arrive, recording the mac address and giving them an address that corresponds to the floor they're on. I use a $PWD/.floorN file to record the address so I can correctly increment. It also adds forward and reverse DNS records and IPAC-NG rules to record bandwidth. The script makes some assumptions as to the locations of files and the presence of some text in them to allow substitution for new records.

    #!/usr/bin/perl -w
##################
($firstname, $secondname, $mac, $floor) = @ARGV;
$mac2 = lc $mac;
@requires = qw/firstname secondname mac/;
foreach(@requires) {
unless($$_) {
print "\$$_ not found, Please run this as $0 Firstname Secondname MAC floor\n";
exit;
}
}
unless($floor) { $floor = "0"; }
open(IPS, "+<.floor$floor");
$count = 1;
while (<IPS>) { $count++; }
print IPS "$firstname$secondname :$count\n";
print <<END;
adding to /etc/dhcp3/dhcpd.conf

host $firstname$secondname {
hardware ethernet $mac2;
fixed-address 10.0.1$floor.$count;
option routers 10.0.1$floor.254; 
}
END
open(ORIG, "/etc/dhcp3/dhcpd.conf");
@orig = <ORIG>; 
close(ORIG);
$add = <<END;
host $firstname$secondname {
hardware ethernet $mac2;
fixed-address 10.0.1$floor.$count;
option routers 10.0.1$floor.254;
}
END
open(CONF, "+>/etc/dhcp3/dhcpd.conf");
foreach(@orig) {
$line = $_;
$line =~ s/  \# new entries here/$add\n  \# new entries here/;
print CONF $line;
}

close(CONF);
system("/etc/init.d/dhcp3-server restart");
close(IPS);
# add DNS records for this host
print "Adding DNS Entries ...\n";
open(REV, ">>/var/cache/bind/1$floor.0.10.in-addr.arpa");
print REV "$count\t\tPTR\t$firstname$secondname.zone.com.\n";
close(REV);
open(ZONE, ">>/var/cache/bind/zone.com");
print ZONE "$firstname$secondname\t28800\tIN\tA\t10.0.1$floor.$count\n";
close(ZONE);
system("rndc reload");
# Add two ipac rules, so we can see traffic going to/from this IP
print "Adding IP Accounting rules ...\n";
open(IPAC, ">>/etc/ipac-ng/rules.conf");
print IPAC <<END;
$firstname.$secondname in|ipac~i|+|all|0/0|10.0.1$floor.$count
$firstname.$secondname out|ipac~o|+|all|10.0.1$floor.$count|0/0
END
close(IPAC);
    • 2
  2. Best Answer

    There are two programs for generating configuration files;

    • 1

  3. This falls under the broader category of configuration management, which is addressed elsewhere on serverfault (eg here). I'd recommend puppet for this type of thing.

    This approach is rather more indepth than the simple examples you were talking about, but it also allows for much more control of your systems

    • 0