help-cfengine
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: NAT, and appliances...

From: Adam M. Dunn
Subject: Re: NAT, and appliances...
Date: Mon, 28 Nov 2005 10:31:24 -0600 (CST) 
I've done something similar to this, so I'll chime in.  Perhaps you can
find what I did helpful.

You'll definitely run into issues, but some may are workable if you spend
the time.  A while back we got an eval cluster which used it's own NAT'ed
network internally, with the master host being the only host able to route
to our main network.  What I did was set that master server up as a
secondary policy host.  

I had a pretty normal setup where everything in /var/cfengine/masterfiles
on my main policy server is pulled to all host's /var/cfengine/inputs, but
what I needed was my new secondary policy server to recieve the 
/var/cfengine/masterfiles from my main policy server, to it's
/var/cfengine/masterfiles.  I first setup my soon to be secondary policy
server as a cfengine client on my main network.  Then I just setup a class
called DISTHOSTS (for distribution hosts) for those machine's to recieve a
fresh copy of this.  That way the next time my remote master runs, it can
also act like a policy server to it's NAT'ed clients.  Think of it as 
router hops.  My policy files from my main policy server are pulled to
secondary policy server, and the NAT'ed clients pull their policies
from my secondary master since it is on their network.

Anyway, I did all that INSIDE a firewalled LAN.  Since it sounds like you
are wanting this over a WAN, I would be very careful.  Personally, if I
have to open ANY internal host to the outside world I see that as putting
it in the DMZ.  And I stick to the philosophy that nothing in the DMZ
should talk to the internal network, although the internal network can
talk to the DMZ systems (via a push mechanism which cfengine isn't).  I
think cfengine is nice and very secure, but when it comes to the internal
network, I don't trust anything.  At the very least, you could probably do
something like what I did using Cfengine to initiate a VPN connection to
push it's policies to the secondary masters on the remote network.  I
haven't tried that, but it would probably work.  Hope that helps.


~Adam



On Sun, 27 Nov 2005, Steve Brorens wrote:

> I'm looking at using cfengine to manage and monitor a number of
> 'appliance' type boxes on a range of sites, but I'm concerned that I may
> have probelms with NAT and DNS issues,
>  
> Anyone used cfengine where:
>  
>  - the managed systems are behind NAT-type firewalls
>  - DNS may be 'odd' (they're Linux systems configured onto Windows
> networks, and their DNS names might be someting like
> box.internal.acme.com or box.local or box.acme.local - conventions at
> different customers will differ
>  
> Is this likely to cause problems?
>  
> How best to avoid probs?
>  
>  - steve 
> 
> =========================================================
> 
> 
> This e-mail has been scanned for Viruses and Content and cleared by CommArc 
> Cube Server
>
reply via email to
[Prev in Thread] Current Thread [Next in Thread]