[ previous ] [ next ] [ threads ]
 From:  Ole Barnkob Kaas <obk at tet dot dk>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Proposal: Management suite for m0n0wall
 Date:  Thu, 11 May 2006 23:39:42 +0200
Hi all,

With 20+ m0n0wall boxes in the field, central management is slowly 
moving to the top of the wish list. Others have had similar wishes and 
others again have even offered to build a win32 app. I would fancy a 
server solution instead where the management suite is running 24/7. Why?
Some of my m0n0s are on dynamic ip, others are behind other nat-boxes 
and keeping track of ip addresses for the rest is... well.. not fun. So 
why not let all the m0n0s contact the central management server instead 
and download a new config if one has been updated. The time between the 
contacts could be specified in a TTL value (not in the config.xml) which 
is read each time a contact is made. And now we are at it - why not make 
deplayment easier too. Example:

- admin: Boot a fresh m0n0 with default config
- Fetch WAN ip and management server ip from dhcp (or login and specify 
them manually).
- Request a unique name from the management server
- admin: Login to the management server and specify a unique name.
- fetch unique name and ca.crt from management server. Create key and 
csr and send it to the management server.
- admin: Sign the csr on the management server.
- Pull crt and encrypted config.xml from management server.
- Decrypt config.xml, store it and reboot.
- On bootup check for new config.xml and TTL value.
- When TTL expires, check for config.xml and read TTL value.

- If unable to contact management server within 5 mins after rebooting 
with a new config - revert to previous config.

- Local changes to the m0n0 is uploaded to the management server once a 
day - and when requested.

- A dead m0n0? Boot up a fresh one and specify the name of the dead one 
instead of a unique name.

Maybe the management server could be run on a "fat" m0n0. The entire 
admin interface could be done in php and the encrypted configs and TTL 
values could be served by the http server. More advanced features like 
versioning and auditing would most likely require a "real" server.

Sounds nice? But is it easy to build. I don't know much about BSD (I 
work mostly with Debian) and I'm not sure how much of the SSL stuff is 
already in m0n0 for the certificate stuff. And all the fool proof stuff 
migth not be so easy to implement as well. Maybe the certificate stuff 
should be skipped and configs should be fetched with https instead.

Anyway - fetching and installing a config.xml from a http server would 
be a good start :-) Suggestions how to do this are welcome. I could 
ofcourse go ahead with wget, but maybe there are better alternatives 
(smaller size) I'm all ears :-)


Ole Kaas