Hi,

Bit of a conceptual question:

We are running the cfengine policyhost on a box that is also running Shorewall (an iptables-based firewall). At the moment Shorewall is configured to allow all connections to port 5308, and cfservd.conf has a list of valid connections in AllowConnectionsFrom.

I don't particularly want to have to maintain two lists of valid IP addresses, and at this point I am not sure I can come up with a format that both systems are happy with as a list.

The only two issues I can come up with are that if the policyhost is controlling the connections, it will report the failed connections, which might make it easier, but secondly, if I use a common list in Shorewall, I can use it for other ports (e.g. ssh) as well.

I guess using the firewall will be more secure, and there may be a performance benefit as cfengine isn't having to fork a new process to check every connection.

Is there anyone out there who has faced the same situation?

Regards,

Marco van Beek


_______________________________________________
Help-cfengine mailing list
Help-cfengine@gnu.org
http://lists.gnu.org/mailman/listinfo/help-cfengine
