help-cfengine

Re: running cfengine across firewall


From: Russell Adams
Subject: Re: running cfengine across firewall
Date: Mon, 31 Jan 2005 07:11:25 -0600
User-agent: Mutt/1.4.2.1i

What's that famous OSS quote?

"Before many eyes, all bugs are shallow."

I don't mind using an application specific protocol on a LAN, but on
the internet I prefer to use a widespread protocol. Perhaps it's the
hiding in a crowd mentality, or the hope that with huge numbers of
people relying on SSH, holes will be found quickly and fixed.

Really, cfservd is a lot easier.

It just occurred to me, but maybe we can tunnel cfservd (tcp port 5308?)
over stunnel or a traditional SSH tunnel. That would rock!

I wonder what type of key issues would be involved connecting to
localhost for everything. Can we dynamically set port numbers for
cfservd connections? That would cinch it!

On a different security related note, I wish that cfengine supported
GPG. I don't care where my configs get downloaded from, only that they
are signed as coming from the proper administrator to prevent
tampering. Does anyone else see this as useful?

Keep up the good work Mark. =]

Russell

On Mon, Jan 31, 2005 at 08:38:51AM +0100, address@hidden wrote:
> 
> I know that many folks think like this -- is it safe to open
> your firewall? But do you have any reason that your firewall
> software has any fewer bugs than cfengine might have? ;)
> 
> Ask yourself *why* you don't want to open your firewall.
> 
> Mark
> 
> On 31 Jan, Tim Nelson wrote:
> > On Sun, 30 Jan 2005, Russell Adams wrote:
> > 
> >> Perhaps we should compare notes. ;]
> >>
> >> Then again, I should clarify. I only use rsync/ssh to transfer data
> >> back from my hosts, not to copy to them.
> >>
> >> Updates via rsync/ssh is a push type of solution, which I experimented
> >> with only briefly. I preferred pull vs push, and worked out another
> >> method using signed, per-host tarballs on a webserver.
> > 
> >     I agree that pull is better, but I didn't want to open my firewall 
> > :).  So I used push in this one case.
> > 
> >     :)
> > 
> 
> 
> 
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Work: +47 22453272            Email:  address@hidden
> Fax : +47 22453205            WWW  :  http://www.iu.hio.no/~mark
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 
> 
> 
> _______________________________________________
> Help-cfengine mailing list
> address@hidden
> http://lists.gnu.org/mailman/listinfo/help-cfengine
> 
-----------------------------
Russell Adams
address@hidden
http://www.adamsinfoserv.com/
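The "signed, per-host tarballs on a webserver" pull method and the wish for GPG-verified configs above both come down to one client-side rule: never unpack a config bundle until a detached signature from the expected administrator key has been checked. The script below is an added example and is not code from this thread or from cfengine; it assumes the `gpg` command line tool, a dedicated GnuPG home (`KEYRING_HOME`, a hypothetical path) holding only the administrator's public key, and a pinned fingerprint (`ADMIN_FPR`, a placeholder value to be distributed out of band). It parses gpg's `--status-fd` output rather than relying on the exit code alone, because `GOODSIG` fires for any key in the keyring; only a `VALIDSIG` line carrying the pinned fingerprint is accepted, and tar members that would escape the destination directory are refused.

```python
#!/usr/bin/env python3
"""Pull-side check for a signed per-host config tarball.

Added example (not code from the thread or from cfengine): the tarball and a
detached GPG signature are fetched from wherever, and the tarball is only
unpacked if gpg confirms a valid signature from the *pinned* administrator key.
"""
import re
import subprocess
import sys
import tarfile
from pathlib import Path

# Assumption: the admin's key fingerprint, distributed out of band (placeholder).
ADMIN_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
# Assumption: a dedicated GnuPG home holding only the admin's public key (hypothetical path).
KEYRING_HOME = "/etc/cfengine-keys"

# Any of these status keywords means the bundle must not be applied.
FATAL = {"BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG", "NODATA", "NO_PUBKEY"}
STATUS_RE = re.compile(r"^\[GNUPG:\] (\S+)(?: (.*))?$")


def parse_gpg_status(status_text, expected_fpr):
    """Decide from gpg --status-fd output whether a signature is acceptable.

    Returns (ok, reason). Only a VALIDSIG line whose signing-key or primary-key
    fingerprint matches the pinned one is accepted; GOODSIG alone is not enough,
    because it fires for *any* key present in the keyring.
    """
    seen = []
    for line in status_text.splitlines():
        m = STATUS_RE.match(line)
        if not m:
            continue
        keyword, args = m.group(1), (m.group(2) or "").split()
        if keyword in FATAL:
            return False, "gpg reported " + keyword
        if keyword == "VALIDSIG" and args:
            # args[0] = fingerprint of the (sub)key that signed; args[-1] = primary key
            seen.extend([args[0].upper(), args[-1].upper()])
    if not seen:
        return False, "no VALIDSIG in gpg output"
    if expected_fpr.upper() not in seen:
        return False, "signature is from an unexpected key"
    return True, "valid signature from the pinned admin key"


def verify_tarball(tarball, signature, homedir=KEYRING_HOME, expected_fpr=ADMIN_FPR):
    """Run gpg --verify against the dedicated keyring and apply the pinning rule."""
    proc = subprocess.run(
        ["gpg", "--batch", "--homedir", homedir, "--status-fd", "1",
         "--verify", signature, tarball],
        stdout=subprocess.PIPE, stderr=subprocess.DEVNULL, text=True,
    )
    ok, reason = parse_gpg_status(proc.stdout, expected_fpr)
    return (ok and proc.returncode == 0), reason


def member_is_safe(name, dest):
    """Reject tar members that would land outside dest (absolute or '..' paths)."""
    dest = Path(dest).resolve()
    target = (dest / name).resolve()
    return target == dest or dest in target.parents


def apply_tarball(tarball, dest):
    """Unpack a tarball that has already passed verify_tarball()."""
    with tarfile.open(tarball) as tf:
        for member in tf.getmembers():
            if not member_is_safe(member.name, dest):
                raise ValueError("refusing unsafe tar member: " + member.name)
        # Use the 'data' extraction filter where this Python version provides it.
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tf.extractall(dest, **kwargs)


if __name__ == "__main__":
    # usage: pull_config.py host.tar.gz host.tar.gz.sig /var/cfengine/inputs
    tar, sig, dest = sys.argv[1:4]
    ok, why = verify_tarball(tar, sig)
    if not ok:
        sys.exit("NOT applying " + tar + ": " + why)
    apply_tarball(tar, dest)
    print("applied", tar, "(" + why + ")")
```

Because the decision rests on the signature rather than on the transport, the tarball can be served over plain HTTP, fetched through an SSH tunnel, or copied by any other means; a host that cannot obtain a bundle with a valid signature from the pinned key simply keeps its current configuration.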



