help-cfengine
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: running cfengine across firewall


From: Tim Nelson
Subject: Re: running cfengine across firewall
Date: Wed, 2 Feb 2005 10:18:58 +1100 (EST)

On Tue, 1 Feb 2005, David Douthitt wrote:

On Mon, 2005-01-31 at 17:50, Tim Nelson wrote:
On Mon, 31 Jan 2005 address@hidden wrote:

Ask youself *why* you don't want to open your firewall.

        It's all a matter of exposure.  The firewall in this case was a
Smoothwall (Linux firewall) machine (slightly modified).  IIRC, it had no
open ports, so the only vulnerabilities in it, if I understand, would be
TCP/IP attacks (or possibly iptables) on Linux.  And if they allow
compromise, I'm in big trouble :).

Actually, there were iptables vulnerabilities found a while back.  But
recent kernels don't have that.

There - don't you feel better now?  ;-)

        I think I remember that one :).

        I agree, usually pull is better, but I prefer push going from a
(supposedly) higher security zone to a lower security zone.

I agree.  In the last setup I had, I used an internal cfengine server to
handle internal traffic, and made the occasional push to an external
server on the DMZ.

The biggest problem I had was that everything was different between the
internal and external servers, right down to the IP network and netmask
and router and everything.  Made it hard to segregate the files apart,
and made for a LOT of duplication in the conf files.

        ..hence my use of Perl templating :).

--
Tim Nelson
Server Administrator
WebAlive Technologies Global
Level 1 Innovation Building, Digital Harbour
1010 LaTrobe Street
Docklands, Melbourne, Vic, 3008
Phone: +61 3 9934 0812
Fax: +61 3 9934 0899
E-mail: address@hidden
http://www.webalive.biz/

"Your Business, Your Web, Your Control"




reply via email to

[Prev in Thread] Current Thread [Next in Thread]