Re: [CentOS] Keeping iptables in sync across multiple machines

2009-11-17 Thread KFisler
I remember kernel v.0.99pl13...  Back then it seemed that everything Linux 
was version  1.0.  Stuff was solid then too.  I had one crash in four 
years.  Comparing with Windows 3.1, 3.2, etc., I was almost thinking that 
any software version higher than 1.0 couldn't be any good.  (And so we all 
learn and learn.)

From: Curt Mills hac...@fluke.com
To: CentOS mailing list centos@centos.org
Date: 11/02/2009 01:11 PM
Subject: Re: [CentOS] Keeping iptables in sync across multiple machines
Sent by: centos-boun...@centos.org

On Mon, 2 Nov 2009, Bowie Bailey wrote:

 mark wrote:
 *I* would *never* put something that was under 1.0 (actually, 1.0.1) into
 production.

 Keep in mind that version numbers are often fairly arbitrary (esp. on
 open source projects).

True.  Anyone remember this one?  0.99pl92

That's a linux kernel from the time when Linus just would _not_ bump
it up to v1.0 and move on.  He stayed with 0.99 versions for a
lonnng time.

-- 
Curt Mills, WE7U hacker at fluke dot com
Senior Methods Engineer/SysAdmin
   Lotto:  A tax on people who are bad at math. -- unknown
Windows:  Microsoft's tax on computer illiterates. -- WE7U
The world DOES revolve around me:  I picked the coordinate system!

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos



Re: [CentOS] Keeping iptables in sync across multiple machines

2009-11-03 Thread Les Mikesell
mark wrote:

 So, what I am looking for really is feedback on what people are using in
 the wild on multiple machines, and bonus points for people who only use
 tools and mechanisms already built into the CentOS [base] repo.
 We are using Spacewalk to manage /etc/sysconfig/iptables files. The
 files are version controlled with the integrated config management
 tool. As SW does not (yet) support depended command execution, we are
 using remote command execution through osad to reload iptables,
 afterwards.
 snip
 So, what version is Spacewalk up to? When I installed it this past spring, it
 was version 0.4, and I upgraded to 0.5, which had just been released, the week
 before my contract ended the end of April.
 
 *I* would *never* put something that was under 1.0 (actually, 1.0.1) into
 production.
 
 At work, we're getting pressure to provide all kinds of info and control on
 what's on the servers and desktops (we're heavy tech - a lot of our users are
 on Linux), and he just brought up OCS Inventory. He said it took him about 5
 min (sounded more like half an hour, actually), and though there are a number
 of things - docs not great, and the translations leave something to be desired
 (it from the French), I'm impressed. It's a *lot* slicker, a lot more finished,
 and easier to install and configure, it seems, than Spacewalk, which took me
 *many* weeks to install, configure, and get working correctly.
 
 OCS Inventory *looks* (I've only played with it for an hour or two) as though I
 can build scripts for it to run, to install, upgrade, etc, remote systems.

OCS inventory is indeed nice and works across several platforms. 
However it is not going to build a system from scratch for you and it 
doesn't give you fine-grained control (or much at all) over the timing 
of when remote commands or package installs will happen after you've 
scheduled them.

-- 
   Les Mikesell
lesmikes...@gmail.com



Re: [CentOS] Keeping iptables in sync across multiple machines

2009-11-02 Thread Bowie Bailey
mark wrote:
 *I* would *never* put something that was under 1.0 (actually, 1.0.1) into 
 production.

Keep in mind that version numbers are often fairly arbitrary (esp. on
open source projects).  For example, the Courier mail server, which I've
had in production for the past several years, is currently at version
0.63.0.  I think it is much more important to look at the age of the
product, the amount of development activity, and the size of the user
community.

-- 
Bowie


Re: [CentOS] Keeping iptables in sync across multiple machines

2009-11-02 Thread m . roth
 mark wrote:
 *I* would *never* put something that was under 1.0 (actually, 1.0.1)
 into production.

 Keep in mind that version numbers are often fairly arbitrary (esp. on
 open source projects).  For example, the Courier mail server, which I've
 had in production for the past several years, is currently at version
 0.63.0.  I think it is much more important to look at the age of the
 product, the amount of development activity, and the size of the user
 community.

Even so. And, as I mentioned, it was a nightmare trying to install,
configure, and get working. *bleah*

And yes, I found that there was a fix to one major problem that they did
*not* know (in the Oracle interface, you have to bring the shared and
global memory up almost to the limit. Mentioned that on the Spacewalk
list, too: dunno if it went into their docs.)

mark



Re: [CentOS] Keeping iptables in sync across multiple machines

2009-11-02 Thread Curt Mills
On Mon, 2 Nov 2009, Bowie Bailey wrote:

 mark wrote:
 *I* would *never* put something that was under 1.0 (actually, 1.0.1) into
 production.

 Keep in mind that version numbers are often fairly arbitrary (esp. on
 open source projects).

True.  Anyone remember this one?  0.99pl92

That's a linux kernel from the time when Linus just would _not_ bump
it up to v1.0 and move on.  He stayed with 0.99 versions for a
lonnng time.

-- 
Curt Mills, WE7U hacker at fluke dot com
Senior Methods Engineer/SysAdmin
   Lotto:  A tax on people who are bad at math. -- unknown
Windows:  Microsoft's tax on computer illiterates. -- WE7U
The world DOES revolve around me:  I picked the coordinate system!



Re: [CentOS] Keeping iptables in sync across multiple machines

2009-11-02 Thread Marcus Moeller
Dear Mark,

 ...
 So, what I am looking for really is feedback on what people are using in
 the wild on multiple machines, and bonus points for people who only use
 tools and mechanisms already built into the CentOS [base] repo.

 We are using Spacewalk to manage /etc/sysconfig/iptables files. The
 files are version controlled with the integrated config management
 tool. As SW does not (yet) support depended command execution, we are
 using remote command execution through osad to reload iptables,
 afterwards.
 snip
 So, what version is Spacewalk up to? When I installed it this past spring, it
 was version 0.4, and I upgraded to 0.5, which had just been released, the week
 before my contract ended the end of April.

 *I* would *never* put something that was under 1.0 (actually, 1.0.1) into
 production.

0.6 is quite okay, but we are using a standalone Oracle instead of XE.

Besides that you can always buy a Satellite Server if you need a
proven enterprise management system. We are using both products in our
scenario.

Best Regards
Marcus


Re: [CentOS] Keeping iptables in sync across multiple machines

2009-11-02 Thread m . roth
 Dear Mark,

 ...
 So, what I am looking for really is feedback on what people are using
 in the wild on multiple machines, and bonus points for people who only
 use tools and mechanisms already built into the CentOS [base] repo.

 We are using Spacewalk to manage /etc/sysconfig/iptables files. The
snip
 So, what version is Spacewalk up to? When I installed it this past
 spring, it was version 0.4, and I upgraded to 0.5, which had just been
 released, the week before my contract ended the end of April.

 *I* would *never* put something that was under 1.0 (actually, 1.0.1)
 into production.

 0.6 is quite okay, but we are using a standalone Oracle instead of XE.

Ah! One good point. We used XE, which has hard limits on table size and
memory.

 Besides that you can always buy a Satellite Server if you need a
 proven enterprise management system. We are using both products in our
 scenario.

Where I was working wasn't ready to do that. But then, they didn't want to
spring to keep me on.

*shrug*

Got a real, permanent job now.

  mark



Re: [CentOS] Keeping iptables in sync across multiple machines

2009-11-01 Thread Marcus Moeller
Dear Karan.
...

 So, what I am looking for really is feedback on what people are using in
 the wild on multiple machines, and bonus points for people who only use
 tools and mechanisms already built into the CentOS [base] repo.

We are using Spacewalk to manage /etc/sysconfig/iptables files. The
files are version controlled with the integrated config management
tool. As SW does not (yet) support depended command execution, we are
using remote command execution through osad to reload iptables,
afterwards.

Testing could be done with Spacewalk's monitoring capabilities or
external tools.

Best Regards
Marcus


Re: [CentOS] Keeping iptables in sync across multiple machines

2009-11-01 Thread mark
Marcus Moeller wrote:
 Dear Karan.
 ...
 So, what I am looking for really is feedback on what people are using in
 the wild on multiple machines, and bonus points for people who only use
 tools and mechanisms already built into the CentOS [base] repo.
 
 We are using Spacewalk to manage /etc/sysconfig/iptables files. The
 files are version controlled with the integrated config management
 tool. As SW does not (yet) support depended command execution, we are
 using remote command execution through osad to reload iptables,
 afterwards.
snip
So, what version is Spacewalk up to? When I installed it this past spring, it 
was version 0.4, and I upgraded to 0.5, which had just been released, the week 
before my contract ended the end of April.

*I* would *never* put something that was under 1.0 (actually, 1.0.1) into 
production.

At work, we're getting pressure to provide all kinds of info and control on 
what's on the servers and desktops (we're heavy tech - a lot of our users are 
on Linux), and he just brought up OCS Inventory. He said it took him about 5 
min (sounded more like half an hour, actually), and though there are a number 
of things - docs not great, and the translations leave something to be desired 
(it from the French), I'm impressed. It's a *lot* slicker, a lot more finished, 
and easier to install and configure, it seems, than Spacewalk, which took me 
*many* weeks to install, configure, and get working correctly.

OCS Inventory *looks* (I've only played with it for an hour or two) as though I 
can build scripts for it to run, to install, upgrade, etc, remote systems.

mark

-- 
Frodo: (Gollum) deserves death!
Gandalf: ...I daresay he does. Many that live deserve death.
   And some that die deserve life. Can you give it to them?
   Then do not be too eager to deal out death in judgement.


Re: [CentOS] Keeping iptables in sync across multiple machines

2009-11-01 Thread Karanbir Singh
On 11/01/2009 07:51 AM, Marcus Moeller wrote:
 So, what I am looking for really is feedback on what people are using in
 the wild on multiple machines, and bonus points for people who only use
 tools and mechanisms already built into the CentOS [base] repo.

 We are using Spacewalk to manage /etc/sysconfig/iptables files.

isn't that just achieving a case of sending out static iptables files ?

-- 
Karanbir Singh : http://www.karan.org/  : 2522...@icq


Re: [CentOS] Keeping iptables in sync across multiple machines

2009-11-01 Thread Karanbir Singh
On 10/31/2009 10:01 PM, Christoph Maser wrote:
 Just wondering what people use / recommend to keep multiple machines in
 sync with their iptables policy.

 I did use fwbuilder it can create and deploy rules. For a small number
 of machines it worked well for me.


how do you achieve the actual 'distribution' of content ?

-- 
Karanbir Singh : http://www.karan.org/  : 2522...@icq


Re: [CentOS] Keeping iptables in sync across multiple machines

2009-11-01 Thread Christoph Maser
On Sunday, 01.11.2009, 21:07 +0100, Karanbir Singh wrote:
 On 10/31/2009 10:01 PM, Christoph Maser wrote:
  Just wondering what people use / recommend to keep multiple machines in
  sync with their iptables policy.
 
  I did use fwbuilder it can create and deploy rules. For a small number
  of machines it worked well for me.
 

 how do you achieve the actual 'distribution' of content ?


It compiles shell scripts which are simply copied and launched. From the
FAQ:

--
1) you can simply copy it to the firewall machine and then run it by
hand; 2) you can use built-in installer and 3) you can use a shell
script to copy this file to where it should be and then run it. Built-in
installer uses ssh to communicate with the firewall,
--

You could probably also simply commit the compiled rules to some
repository and have puppet ship/execute the files.
One thing I really liked about fwbuilder is that you have a central
object pool for custom ports, ip addresses and networks which you can
use in different firewall rulesets so if something updates you simply
recompile/distribute all firewall rules.

Chris


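A drift check plus a checksummed push for the two approaches in this thread (a Spacewalk-managed /etc/sysconfig/iptables reloaded by a remote command, and fwbuilder output copied over ssh or shipped by puppet), as an added example that is not code from the thread, fwbuilder or Spacewalk; the file paths, the host argument and every function name are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread, fwbuilder or Spacewalk: compare a
# host's live 'iptables-save' output with the distributed policy file, and push
# the policy over ssh with a checksum check. Paths and names are assumptions.
set -u
# Strip what legitimately differs between hosts ('# Generated by' lines and
# the per-chain [pkts:bytes] counters) so that only the policy is compared.
normalize_rules() {
    sed -e '/^#/d' -e 's/ \[[0-9]*:[0-9]*\]$//' "$1"
}
# 0 if the live dump ($2) matches the policy ($1); 1 and a diff on stderr if not.
ruleset_in_sync() {
    a=$(normalize_rules "$1"); b=$(normalize_rules "$2")
    [ "$a" = "$b" ] && return 0
    printf 'DRIFT: %s does not match policy %s\n' "$2" "$1" >&2
    printf '%s\n' "$b" > "$2.norm"; printf '%s\n' "$a" | diff - "$2.norm" >&2
    rm -f "$2.norm"; return 1
}
# Push the policy to a host, verify its checksum there, load it and re-check the
# live ruleset. Needs root on the host; not exercised by the demo below.
deploy_ruleset() {   # $1 = host, $2 = policy file
    sum=$(sha256sum "$2" | cut -d' ' -f1)
    scp -q "$2" "$1:/etc/sysconfig/iptables.new" &&
    ssh "$1" "set -e; cd /etc/sysconfig
        echo '$sum  iptables.new' | sha256sum -c >/dev/null
        iptables-restore < iptables.new
        mv iptables.new iptables
        iptables-save" > "$2.live" &&
    ruleset_in_sync "$2" "$2.live"
}
# Constructed sample dumps: the policy, a live dump that differs only in
# counters and timestamp, and one where a rule was added by hand on the host.
write_samples() {   # $1 = directory
    printf '%s\n' '# Generated by iptables-save v1.4.7 on Mon Nov  2 2009' \
        '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT' \
        '-A INPUT -p tcp --dport 22 -j ACCEPT' 'COMMIT' > "$1/policy"
    sed -e 's/Mon Nov  2/Tue Nov  3/' -e 's/\[0:0\]/[4242:987654]/' \
        "$1/policy" > "$1/live_ok"
    sed '/--dport 22/a\
-A INPUT -p tcp --dport 8080 -j ACCEPT' "$1/policy" > "$1/live_drift"
}
# Run the check on the samples: 0 only if the in-sync dump passes and the
# hand-edited one is caught.
demo_check() {
    d=$(mktemp -d) && write_samples "$d" &&
    ruleset_in_sync "$d/policy" "$d/live_ok" &&
    ! ruleset_in_sync "$d/policy" "$d/live_drift" 2>/dev/null
    rc=$?; rm -rf "$d"; return $rc
}
```

Whatever ships the file (scp, puppet, osad), run the check on each host afterwards: a rule someone added by hand, or a reload that silently failed, shows up as a diff. Before loading a DROP policy on a remote box, keep a way back in, such as a scheduled restore of the previous dump.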


Re: [CentOS] Keeping iptables in sync across multiple machines

2009-10-31 Thread Christoph Maser
On Friday, 30.10.2009, 18:42 +0100, Karanbir Singh wrote:
 hi,

 Just wondering what people use / recommend to keep multiple machines in
 sync with their iptables policy.


I did use fwbuilder it can create and deploy rules. For a small number
of machines it worked well for me.

Chris

