Hi,
Just wondering what people use / recommend to keep multiple machines in sync with their iptables policy.
What I use at the moment:
1) Puppet, to set up and manage a fairly complex per-service-type ruleset that is then maintained on the remote machines by puppet ( in that it brings together all the various bits of iptables snippets based on what manifests and roles are deployed to a machine, then builds a firewall locally on the machine ). We also use something similar, but at a much simpler level, within the .centos.org infrastructure. Problem with this is that unless one is familiar with the whole stack of machine state/policy management, it's quite intimidating. Which then means that there is plenty of breakage, which in turn then means I need to maintain and run a complete set of VMs that emulate the production environment ( including their IPs ) and run cross-VM tests before stuff gets rolled out. So yes, large hole and lots of potential for non-related issues to impact release. Some people even argue that having a release-based workflow for firewalls is not good; I'd like to disagree :)
2) In another setup, I use puppet to basically just manage static /etc/sysconfig/iptables files. Pretty low tech, and very easy to cause damage since testing-rollout-deploy is impossible. But the other guy who also needs to manage these seems to find it easy.
3) Yet another setup I've used in the past was with an svn repo and using a post-commit hook, run some tests followed by clusterssh! to deploy the iptables files and restart services. Finally replaced that with a slack-based deployment, since that allowed me to at least run some sanity testing and rollback if I ended up locking a 'core' host. The problem of course was that it's not easy to test remote inbound connections this way ( without using a proxy, but then the proxy creates another layer of problems and flakiness ).
4) Physically logging into machines to make policy changes(!) I do this for my laptops :)
5) Using a 'git pull' from cron on a bunch of machines, and using a central git repository. Each machine would then do an iptables reload; the only advantage of this over (3) is that I can use metainfo like TAGs and ROLEs in the commit logs, and have only specific machines react to specific changes. Flip side: needing to track and build a knowledge base around these TAGs meant that I almost never ever use this, and prefer to just have firewall policy that mostly works for the whole set of machines I run this on.
So, what I am looking for really is feedback on what people are using in the wild on multiple machines, and bonus points for people who only use tools and mechanisms already built into the CentOS [base] repo.
- KB