
Re: running cfengine across firewall


From: Tim Nelson
Subject: Re: running cfengine across firewall
Date: Wed, 2 Feb 2005 10:18:58 +1100 (EST)

On Tue, 1 Feb 2005, David Douthitt wrote:

On Mon, 2005-01-31 at 17:50, Tim Nelson wrote:
On Mon, 31 Jan 2005 Mark.Burgess@iu.hio.no wrote:

Ask yourself *why* you don't want to open your firewall.

        It's all a matter of exposure.  The firewall in this case was a
Smoothwall (Linux firewall) machine (slightly modified).  IIRC, it had no
open ports, so the only vulnerabilities in it, if I understand, would be
TCP/IP attacks (or possibly iptables) on Linux.  And if they allow
compromise, I'm in big trouble :).

Actually, there were iptables vulnerabilities found a while back.  But
recent kernels don't have that.

There - don't you feel better now?  ;-)

        I think I remember that one :).

        I agree, usually pull is better, but I prefer push going from a
(supposedly) higher security zone to a lower security zone.

I agree.  In the last setup I had, I used an internal cfengine server to
handle internal traffic, and made the occasional push to an external
server on the DMZ.

The biggest problem I had was that everything was different between the
internal and external servers, right down to the IP network and netmask
and router and everything.  Made it hard to segregate the files apart,
and made for a LOT of duplication in the conf files.

        ...hence my use of Perl templating :).

--
Tim Nelson
Server Administrator
WebAlive Technologies Global
Level 1 Innovation Building, Digital Harbour
1010 LaTrobe Street
Docklands, Melbourne, Vic, 3008
Phone: +61 3 9934 0812
Fax: +61 3 9934 0899
E-mail: tim.nelson@webalive.biz
http://www.webalive.biz/

"Your Business, Your Web, Your Control"
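The duplication problem David describes (internal and DMZ configs differing in every network detail) and Tim's Perl templating remedy, as an added illustration that is not code from either poster: one template is rendered once per security zone from a small data hash, so the two generated cfagent.conf files differ only in the values, and the push-to-DMZ versus pull-internally choice is recorded alongside them. The hostnames, addresses and the cfengine control variables used in the template are assumed placeholders for illustration.

```perl
#!/usr/bin/perl
# Added example (not from the thread): render one cfengine config
# template per security zone so internal and DMZ differ only in data.
use strict;
use warnings;

# Constructed zone data; hostnames and addresses are placeholders.
my %zones = (
    internal => {
        policyhost   => 'cfserver.internal.example',
        netmask      => '255.255.255.0',
        defaultroute => '10.0.1.1',
        delivery     => 'pull',  # clients fetch policy from the internal server
    },
    dmz => {
        policyhost   => 'cfserver.internal.example',
        netmask      => '255.255.255.0',
        defaultroute => '192.0.2.1',
        delivery     => 'push',  # internal server pushes; DMZ never initiates inward
    },
);

# One template; [% name %] placeholders are filled from the zone hash.
# The control variables shown are assumed for illustration, not taken from the thread.
my $template = <<'END';
control:
   domain       = ( example )
   policyhost   = ( [% policyhost %] )
   netmask      = ( [% netmask %] )
   defaultroute = ( [% defaultroute %] )
   # policy delivery for this zone: [% delivery %]
END

sub render {
    my ($tmpl, $vars) = @_;
    # Replace every placeholder; die loudly on a name missing from the data
    # so a half-rendered config never ships to a host.
    $tmpl =~ s{\[%\s*(\w+)\s*%\]}{
        exists $vars->{$1} ? $vars->{$1} : die "no value for '$1'\n"
    }ge;
    return $tmpl;
}

for my $zone (sort keys %zones) {
    my $out = "cfagent.conf.$zone";
    open my $fh, '>', $out or die "cannot write $out: $!";
    print $fh render($template, $zones{$zone});
    close $fh;
    print "wrote $out\n";
}
```

Running the script writes cfagent.conf.internal and cfagent.conf.dmz; the single source of truth is the %zones hash, and an unknown placeholder aborts the run instead of silently leaving a literal `[% ... %]` in a file that a push would then deliver to the DMZ host.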
