Karanbir Singh
2009-Oct-30  17:42 UTC
[CentOS] Keeping iptables in sync across multiple machines
Hi,

Just wondering what people use / recommend to keep multiple machines in sync with their iptables policy. What I use at the moment:

1) Puppet, to set up and manage a fairly complex per-service-type ruleset that is then maintained on the remote machines by puppet (in that it brings together all the various bits of iptables snippets based on what manifests and roles are deployed to a machine, then builds a firewall locally on the machine). We also use something similar, but at a much simpler level, within the .centos.org infrastructure. Problem with this is that unless one is familiar with the whole stack of machine state/policy management, it's quite intimidating. Which then means that there is plenty of breakage, which in turn then means I need to maintain and run a complete set of VMs that emulate the production environment (including their IPs) and run cross-VM tests before stuff gets rolled out. So yes, large hole and lots of potential for non-related issues to impact release. Some people even argue that having a release-based workflow for firewalls is not good; I'd like to disagree :)

2) In another setup, I use puppet to basically just manage static /etc/sysconfig/iptables files. Pretty low tech, and very easy to cause damage since testing-rollout-deploy is impossible. But the other guy who also needs to manage these seems to find it easy.

3) Yet another setup I've used in the past was with an svn repo and using a post-commit hook, run some tests followed by clusterssh! to deploy the iptables files and restart services. Finally replaced that with a slack-based deployment, since that allowed me to at least run some sanity testing and roll back if I ended up locking a 'core' host. The problem of course was that it's not easy to test remote inbound connections this way (without using a proxy, but then the proxy creates another layer of problems and flakiness).

4) Physically logging into machines to make policy changes(!) I do this for my laptops :)

5) Using a 'git pull' from cron on a bunch of machines, and using a central git repository. Each machine would then do an iptables reload; the only advantage of this over (3) is that I can use metainfo like TAGs and ROLEs in the commit logs, and have only specific machines react to specific changes. Flip side: needing to track and build a knowledgebase around these TAGs meant that I almost never ever use this, and prefer to just have firewall policy that mostly works for the whole set of machines I run this on.

So, what I am looking for really is feedback on what people are using in the wild on multiple machines, and bonus points for people who only use tools and mechanisms already built into the CentOS [base] repo.

- KB
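The lockout-and-rollback problem raised in (3) can be handled on each target host with nothing beyond the base iptables package. The script below is an added example for this thread, not KB's or anyone else's production tooling: it refuses a candidate rule file (iptables-save format) that no longer accepts SSH from the admin network, loads the new rules with iptables-restore, and reverts to an iptables-save snapshot unless the operator creates a confirmation file from a fresh session within a timeout. The admin network 10.0.0.0/24, the confirmation-file path and the 60-second window are assumptions for the example; the commands can be overridden through IPTABLES_SAVE / IPTABLES_RESTORE so the logic can be exercised without root.

```shell
#!/bin/sh
# Added example (not from the thread): push a new iptables policy with a
# confirmation window and automatic rollback, using only iptables-save and
# iptables-restore from the base iptables package.  The admin network,
# the confirmation-file handshake and the 60 s timeout are assumptions.

IPTABLES_SAVE="${IPTABLES_SAVE:-iptables-save}"
IPTABLES_RESTORE="${IPTABLES_RESTORE:-iptables-restore}"

# Pre-flight check: refuse a rule file (iptables-save format) that no
# longer accepts SSH from the management network, which is the usual way
# a remote push locks its own operator out.  Dots in the CIDR are escaped
# so grep does not treat them as wildcards.
policy_keeps_admin_ssh() {
    rules_file="$1"
    admin_net=$(printf '%s' "$2" | sed 's/\./\\./g')
    grep -Eq -- "^-A INPUT .*-s $admin_net .*--dport 22 .*-j ACCEPT" "$rules_file"
}

# Apply NEW_RULES, then wait up to TIMEOUT seconds for CONFIRM_FILE to
# appear (the operator creates it from a fresh SSH session once the box
# is still reachable).  No confirmation, or a failed load, puts the
# previous rule set back.  Returns 0 confirmed, 1 rolled back, 2 load failed.
apply_with_rollback() {
    new_rules="$1"; confirm_file="$2"; timeout="${3:-60}"
    backup=$(mktemp "${TMPDIR:-/tmp}/iptables.XXXXXX") || return 2
    $IPTABLES_SAVE > "$backup" || { rm -f "$backup"; return 2; }
    rm -f "$confirm_file"            # a stale confirm file must not count
    if ! $IPTABLES_RESTORE < "$new_rules" >/dev/null; then
        # iptables-restore commits table by table, so an error part-way
        # can leave a partially applied policy; put the saved copy back.
        $IPTABLES_RESTORE < "$backup" >/dev/null
        rm -f "$backup"
        return 2
    fi
    elapsed=0
    while [ "$elapsed" -lt "$timeout" ]; do
        if [ -e "$confirm_file" ]; then
            rm -f "$backup"
            return 0
        fi
        sleep 1
        elapsed=$((elapsed + 1))
    done
    $IPTABLES_RESTORE < "$backup" >/dev/null   # nobody confirmed: roll back
    rm -f "$backup"
    return 1
}

# Usage: sh rollout.sh apply /path/to/new-rules
# (run on each target host, e.g. from the cron/git-pull or ssh-based
# deployments described above; ADMIN_NET is an assumed site setting)
if [ "${1:-}" = "apply" ]; then
    policy_keeps_admin_ssh "$2" "${ADMIN_NET:-10.0.0.0/24}" ||
        { echo "refusing $2: no SSH accept from admin network" >&2; exit 2; }
    apply_with_rollback "$2" /var/run/iptables.confirmed 60
fi
```

Two caveats worth keeping in mind: the pre-flight grep is deliberately narrow and only recognises an explicit accept-from-admin-network rule, so a site that permits SSH through a generic `--dport 22` rule without `-s` needs the pattern adjusted to its own convention; and the confirmation must come from a new connection, because a policy with a state-match accept for ESTABLISHED traffic will keep the session that pushed it alive even when fresh inbound SSH is already blocked.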
Christoph Maser
2009-Oct-31  22:01 UTC
[CentOS] Keeping iptables in sync across multiple machines
On Friday, 2009-10-30 at 18:42 +0100, Karanbir Singh wrote:
> hi,
>
> Just wondering what people use / recommend to keep multiple machines in
> sync with their iptables policy.

I did use fwbuilder; it can create and deploy rules. For a small number of machines it worked well for me.

Chris

financial.com AG
Munich head office/Hauptsitz München: Maria-Probst-Str. 19 | 80939 München | Germany
Frankfurt branch office/Niederlassung Frankfurt: Messeturm | Friedrich-Ebert-Anlage 49 | 60327 Frankfurt | Germany
Management board/Vorstand: Dr. Steffen Boehnert | Dr. Alexis Eisenhofer | Dr. Yann Samson | Matthias Wiederwach
Supervisory board/Aufsichtsrat: Dr. Dr. Ernst zur Linden (chairman/Vorsitzender)
Register court/Handelsregister: Munich, HRB 128 972 | Sales tax ID number/St.Nr.: DE205 370 553
Marcus Moeller
2009-Nov-01  07:51 UTC
[CentOS] Keeping iptables in sync across multiple machines
Dear Karan,

...
> So, what I am looking for really is feedback on what people are using in
> the wild on multiple machines, and bonus points for people who only use
> tools and mechanisms already built into the CentOS [base] repo.

We are using Spacewalk to manage /etc/sysconfig/iptables files. The files are version controlled with the integrated config management tool. As SW does not (yet) support dependent command execution, we are using remote command execution through osad to reload iptables afterwards. Testing could be done with Spacewalk's monitoring capabilities or external tools.

Best Regards
Marcus
Karanbir Singh
2009-Nov-01  20:05 UTC
[CentOS] Keeping iptables in sync across multiple machines
On 11/01/2009 07:51 AM, Marcus Moeller wrote:
>> So, what I am looking for really is feedback on what people are using in
>> the wild on multiple machines, and bonus points for people who only use
>> tools and mechanisms already built into the CentOS [base] repo.
>
> We are using Spacewalk to manage /etc/sysconfig/iptables files.

Isn't that just achieving a case of sending out static iptables files?

-- 
Karanbir Singh : http://www.karan.org/ : 2522219 at icq