hi,
Just wondering what people use / recommend to keep multiple machines in sync with their iptables policy.
What I use at the moment:
1) Puppet, to set up and manage a fairly complex per-service-type ruleset that is then maintained on the remote machines by puppet (in that it brings together all the various bits of iptables snippets based on what manifests and roles are deployed to a machine, then builds a firewall locally on the machine). We also use something similar, but at a much simpler level, within the .centos.org infrastructure. Problem with this is that unless one is familiar with the whole stack of machine state/policy management, it's quite intimidating. Which then means that there is plenty of breakage, which in turn then means I need to maintain and run a complete set of VMs that emulate the production environment (including their IPs) and run cross-VM tests before stuff gets rolled out. So yes, large hole and lots of potential for non-related issues to impact release. Some people even argue that having a release-based workflow for firewalls is not good; I'd like to disagree :)
2) In another setup, I use puppet to basically just manage static /etc/sysconfig/iptables files. Pretty low tech, and very easy to cause damage since testing-rollout-deploy is impossible. But the other guy who also needs to manage these seems to find it easy.
3) Yet another setup I've used in the past was with an svn repo and a post-commit hook: run some tests, followed by clusterssh! to deploy the iptables files and restart services. Finally replaced that with a slack-based deployment, since that allowed me to at least run some sanity testing and roll back if I ended up locking a 'core' host. The problem of course was that it's not easy to test remote inbound connections this way (without using a proxy, but then the proxy creates another layer of problems and flakiness).
4) Physically logging into machines to make policy changes(!) I do this for my laptops :)
5) Using a 'git pull' from cron on a bunch of machines, and using a central git repository. Each machine would then do an iptables reload; the only advantage of this over (3) is that I can use metainfo like TAGs and ROLEs in the commit logs, and have only specific machines react to specific changes. Flip side: needing to track and build a knowledgebase around these TAGs meant that I almost never ever use this, and prefer to just have firewall policy that mostly works for the whole set of machines I run this on.
So, what I am looking for really is feedback on what people are using in the wild on multiple machines, and bonus points for people who only use tools and mechanisms already built into the CentOS [base] repo.
- KB
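Items (3) and (5) above describe one workflow between them: a cron-driven 'git pull', ROLE metadata in the commit log deciding which hosts act, and a sanity test with rollback before the change sticks. The script below is an added illustration of that workflow, not code from the original thread or from any of the posters; it assumes a hypothetical repo layout (roles/<role>.iptables), a hypothetical /etc/firewall-role file, and commit messages carrying a line such as "ROLE: web,db" or "ROLE: all".

```shell
#!/bin/sh
# Added example, not from the thread: item 5's cron "git pull" deployer, where
# ROLE: lines in commit messages pick which hosts react, plus item 3's sanity
# test and rollback. Hypothetical layout: roles/<role>.iptables in the repo,
# this host's role in /etc/firewall-role, commit lines "ROLE: web,db"/"ROLE: all".
REPO_DIR="${REPO_DIR:-/etc/firewall-policy}"
ROLE_FILE="${ROLE_FILE:-/etc/firewall-role}"

# roles_in_log LOG: print the roles named on "ROLE:" lines of a git log.
roles_in_log() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*ROLE:[[:space:]]*//p' | tr ',' ' '
}

# should_apply ROLE LOG: succeed when LOG addresses ROLE (or "all").
should_apply() {
    for r in $(roles_in_log "$2"); do
        [ "$r" = "$1" ] || [ "$r" = all ] && return 0
    done
    return 1
}

# policy_allows_ssh FILE: pre-flight check; refuse a policy with no ACCEPT
# for tcp/22 in INPUT, the cheapest way to avoid locking ourselves out.
policy_allows_ssh() {
    grep -Eq -- '^-A INPUT .*--dport 22 .*-j ACCEPT' "$1"
}

# apply_with_rollback FILE: load FILE, then confirm the central repo is still
# reachable; on any failure restore the rules that were live before.
apply_with_rollback() {
    saved=$(mktemp) || return 1
    iptables-save > "$saved" || return 1
    if ! iptables-restore < "$1" ||
       ! (cd "$REPO_DIR" && git ls-remote origin HEAD >/dev/null 2>&1); then
        iptables-restore < "$saved"   # roll back, keep $saved for inspection
        return 1
    fi
    cp "$1" /etc/sysconfig/iptables && rm -f "$saved"   # persist across reboots
}

# run_from_cron: pull, then act only on commits addressed to this host's role.
run_from_cron() {
    role=$(cat "$ROLE_FILE") || return 1
    cd "$REPO_DIR" || return 1
    old=$(git rev-parse HEAD) && git pull -q || return 1
    should_apply "$role" "$(git log "$old..HEAD")" || return 0   # not for us
    policy_allows_ssh "roles/$role.iptables" || return 1
    apply_with_rollback "roles/$role.iptables"
}
if [ "${1:-}" = cron ]; then run_from_cron; fi
```

Run it as `firewall-sync.sh cron` from the crontab; a host whose role is not named in the new commits pulls the repo but leaves its live rules untouched.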
On Friday, 30.10.2009, 18:42 +0100, Karanbir Singh wrote:
hi,
Just wondering what people use / recommend to keep multiple machines in sync with their iptables policy.
I did use fwbuilder it can create and deploy rules. For a small number of machines it worked well for me.
Chris
financial.com AG
Munich head office/Hauptsitz München: Maria-Probst-Str. 19 | 80939 München | Germany Frankfurt branch office/Niederlassung Frankfurt: Messeturm | Friedrich-Ebert-Anlage 49 | 60327 Frankfurt | Germany Management board/Vorstand: Dr. Steffen Boehnert | Dr. Alexis Eisenhofer | Dr. Yann Samson | Matthias Wiederwach Supervisory board/Aufsichtsrat: Dr. Dr. Ernst zur Linden (chairman/Vorsitzender) Register court/Handelsregister: Munich – HRB 128 972 | Sales tax ID number/St.Nr.: DE205 370 553
On 10/31/2009 10:01 PM, Christoph Maser wrote:
Just wondering what people use / recommend to keep multiple machines in sync with their iptables policy.
I did use fwbuilder it can create and deploy rules. For a small number of machines it worked well for me.
how do you achieve the actual 'distribution' of content ?
On Sunday, 01.11.2009, 21:07 +0100, Karanbir Singh wrote:
On 10/31/2009 10:01 PM, Christoph Maser wrote:
Just wondering what people use / recommend to keep multiple machines in sync with their iptables policy.
I did use fwbuilder it can create and deploy rules. For a small number of machines it worked well for me.
how do you achieve the actual 'distribution' of content ?
It compiles shell scripts which are simply copied and launched. From the FAQ:
----------------------------------------------------------------------
1) you can simply copy it to the firewall machine and then run it by hand;
2) you can use built-in installer and
3) you can use a shell script to copy this file to where it should be and then run it.
Built-in installer uses ssh to communicate with the firewall,
----------------------------------------------------------------------
You could probably also simply commit the compiled rules to some repository and have puppet ship/execute the files. One thing I really liked about fwbuilder is that you have a central object pool for custom ports, IP addresses and networks which you can use in different firewall rulesets, so if something updates you simply recompile/distribute all firewall rules.
Chris
Dear Karan. ...
So, what I am looking for really is feedback on what people are using in the wild on multiple machines, and bonus points for people who only use tools and mechanisms already built into the CentOS [base] repo.
We are using Spacewalk to manage /etc/sysconfig/iptables files. The files are version controlled with the integrated config management tool. As SW does not (yet) support dependent command execution, we are using remote command execution through osad to reload iptables afterwards.
Testing could be done with Spacewalk's monitoring capabilities or external tools.
Best Regards Marcus
Marcus Moeller wrote:
Dear Karan. ...
So, what I am looking for really is feedback on what people are using in the wild on multiple machines, and bonus points for people who only use tools and mechanisms already built into the CentOS [base] repo.
We are using Spacewalk to manage /etc/sysconfig/iptables files. The files are version controlled with the integrated config management tool. As SW does not (yet) support dependent command execution, we are using remote command execution through osad to reload iptables afterwards.
<snip> So, what version is Spacewalk up to? When I installed it this past spring, it was version 0.4, and I upgraded to 0.5, which had just been released, the week before my contract ended the end of April.
*I* would *never* put something that was under 1.0 (actually, 1.0.1) into production.
At work, we're getting pressure to provide all kinds of info and control on what's on the servers and desktops (we're heavy tech - a lot of our users are on Linux), and he just brought up OCS Inventory. He said it took him about 5 min (sounded more like half an hour, actually), and though there are a number of things - docs not great, and the translations leave something to be desired (it's from the French) - I'm impressed. It's a *lot* slicker, a lot more finished, and easier to install and configure, it seems, than Spacewalk, which took me *many* weeks to install, configure, and get working correctly.
OCS Inventory *looks* (I've only played with it for an hour or two) as though I can build scripts for it to run, to install, upgrade, etc, remote systems.
mark
mark wrote:
*I* would *never* put something that was under 1.0 (actually, 1.0.1) into production.
Keep in mind that version numbers are often fairly arbitrary (esp. on open source projects). For example, the Courier mail server, which I've had in production for the past several years, is currently at version 0.63.0. I think it is much more important to look at the age of the product, the amount of development activity, and the size of the user community.
mark wrote:
*I* would *never* put something that was under 1.0 (actually, 1.0.1) into production.
Keep in mind that version numbers are often fairly arbitrary (esp. on open source projects). For example, the Courier mail server, which I've had in production for the past several years, is currently at version 0.63.0. I think it is much more important to look at the age of the product, the amount of development activity, and the size of the user community.
Even so.... And, as I mentioned, it was a nightmare trying to install, configure, and get working. *bleah*
And yes, I found that there was a fix to one major problem that they did *not* know (in the Oracle interface, you have to bring the shared and global memory up almost to the limit. Mentioned that on the Spacewalk list, too: dunno if it went into their docs.)
mark
On Mon, 2 Nov 2009, Bowie Bailey wrote:
mark wrote:
*I* would *never* put something that was under 1.0 (actually, 1.0.1) into production.
Keep in mind that version numbers are often fairly arbitrary (esp. on open source projects).
True. Anyone remember this one? 0.99pl92
That's a Linux kernel from the time when Linus just would _not_ bump it up to v1.0 and move on. He stayed with 0.99 versions for a lonnnnnnng time.
I remember kernel v.0.99pl13... Back then it seemed that everything Linux was version < 1.0. Stuff was solid then too. I had one crash in four years. Comparing with Windows 3.1, 3.2, etc., I was almost thinking that any software version higher than 1.0 couldn't be any good. (And so we all learn and learn.)
From: Curt Mills hacker@fluke.com
To: CentOS mailing list centos@centos.org
Date: 11/02/2009 01:11 PM
Subject: Re: [CentOS] Keeping iptables in sync across multiple machines
Sent by: centos-bounces@centos.org
On Mon, 2 Nov 2009, Bowie Bailey wrote:
mark wrote:
*I* would *never* put something that was under 1.0 (actually, 1.0.1) into production.
Keep in mind that version numbers are often fairly arbitrary (esp. on open source projects).
True. Anyone remember this one? 0.99pl92
That's a Linux kernel from the time when Linus just would _not_ bump it up to v1.0 and move on. He stayed with 0.99 versions for a lonnnnnnng time.
Dear Mark,
...
So, what I am looking for really is feedback on what people are using in the wild on multiple machines, and bonus points for people who only use tools and mechanisms already built into the CentOS [base] repo.
We are using Spacewalk to manage /etc/sysconfig/iptables files. The files are version controlled with the integrated config management tool. As SW does not (yet) support dependent command execution, we are using remote command execution through osad to reload iptables afterwards.
<snip> So, what version is Spacewalk up to? When I installed it this past spring, it was version 0.4, and I upgraded to 0.5, which had just been released, the week before my contract ended the end of April.
*I* would *never* put something that was under 1.0 (actually, 1.0.1) into production.
0.6 is quite okay, but we are using a standalone Oracle instead of XE.
Besides that you can always buy a Satellite Server if you need a proven enterprise management system. We are using both products in our scenario.
Best Regards Marcus
Dear Mark,
...
So, what I am looking for really is feedback on what people are using in the wild on multiple machines, and bonus points for people who only use tools and mechanisms already built into the CentOS [base] repo.
We are using Spacewalk to manage /etc/sysconfig/iptables files. The
<snip>
So, what version is Spacewalk up to? When I installed it this past spring, it was version 0.4, and I upgraded to 0.5, which had just been released, the week before my contract ended the end of April.
*I* would *never* put something that was under 1.0 (actually, 1.0.1) into production.
0.6 is quite okay, but we are using a standalone Oracle instead of XE.
Ah! One good point. We used XE, which has hard limits on table size and memory.
Besides that you can always buy a Satellite Server if you need a proven enterprise management system. We are using both products in our scenario.
Where I was working wasn't ready to do that. But then, they didn't want to spring to keep me on.
*shrug*
Got a real, permanent job now.
mark
mark wrote:
So, what I am looking for really is feedback on what people are using in the wild on multiple machines, and bonus points for people who only use tools and mechanisms already built into the CentOS [base] repo.
We are using Spacewalk to manage /etc/sysconfig/iptables files. The files are version controlled with the integrated config management tool. As SW does not (yet) support dependent command execution, we are using remote command execution through osad to reload iptables afterwards.
<snip> So, what version is Spacewalk up to? When I installed it this past spring, it was version 0.4, and I upgraded to 0.5, which had just been released, the week before my contract ended the end of April.
*I* would *never* put something that was under 1.0 (actually, 1.0.1) into production.
At work, we're getting pressure to provide all kinds of info and control on what's on the servers and desktops (we're heavy tech - a lot of our users are on Linux), and he just brought up OCS Inventory. He said it took him about 5 min (sounded more like half an hour, actually), and though there are a number of things - docs not great, and the translations leave something to be desired (it's from the French) - I'm impressed. It's a *lot* slicker, a lot more finished, and easier to install and configure, it seems, than Spacewalk, which took me *many* weeks to install, configure, and get working correctly.
OCS Inventory *looks* (I've only played with it for an hour or two) as though I can build scripts for it to run, to install, upgrade, etc, remote systems.
OCS inventory is indeed nice and works across several platforms. However it is not going to build a system from scratch for you and it doesn't give you fine-grained control (or much at all) over the timing of when remote commands or package installs will happen after you've scheduled them.
On 11/01/2009 07:51 AM, Marcus Moeller wrote:
So, what I am looking for really is feedback on what people are using in the wild on multiple machines, and bonus points for people who only use tools and mechanisms already built into the CentOS [base] repo.
We are using Spacewalk to manage /etc/sysconfig/iptables files.
isn't that just achieving a case of sending out static iptables files?