Third time is a charm, two bounces...

Inline below (yeah, not pretty).

-Tim

>
> ---------- Forwarded message ----------
> From: Damiano Verzulli <dami...@verzulli.it>
> To: shorewall-users@lists.sourceforge.net
> Cc:
> Bcc:
> Date: Sun, 25 Feb 2018 00:29:13 +0100
> Subject: Re: [Shorewall-users] Restricting intra-LAN traffic
> On 23/02/2018 18:34, Tim S wrote:
>> [...]
>> If you do run out, simply
>> spawning another Shorewall VM and trunking the policy pools between
>> Shorewall VMs takes care of that.
>
> Hi Tim,
>
> could you slightly elaborate on the above point?
>
> I mean: the policy-pooling (that, as far as I understand, is required to
> "sync" shorewall configuration), is something you achieve by some
> shorewall-supported utilities/approaches?
>
> Or is something you self-implemented with "automation" (externally to
> shorewall, I mean)?
>

This is something that I did not do using Shorewall utilities, it
necessitated using external tools as Shorewall is in general not aware
of anything regarding what it's deployed on other than the interfaces
it can see.  I use a virtual switch at the VM host level, every
"policy" gets its own isolated network, no VLANs to strip.

To spawn a Shorewall VM with the same policies as another (and so many
policies/rules), what I did is to make the configuration directory an
NFS object, and read-only sym-link the config files to that NFS.
There is an NFS for each control-point.  Modifying a configuration
file and writing to the NFS triggers a script on the active VMs (which
monitor file write time) to refresh the configuration.

Another upstream Shorewall instance sits before each service to again
fork and filter traffic, and another Shorewall instance sits between
the internet-bound traffic and the modem pools.

Try to imagine in your mind that every service has its own Shorewall
with a wire for each permitted action going to only the devices and
networks that require that service.  It's about as close to
air-gapping a service as I can get with consolidated hardware.

I heavily use the virtual networking to pool redundant services, and
have multiple technology side-band (it's actually RS-232 serial
networking and Infiniband) doing the High Availability work.  Each
host has a clone of the other host's VMs running as inactive
transparent memory sync (a lightly modified rsync) doing per-second
diffs of the VM.  If the VM dies, the normal HA handlers discover
that, and the rsync'd mirror goes active.

Each host can also monitor the health of the other, so if the entire
host drops out the same take up of that now dead host can occur.

I admit, this took months to get right, and I reserve the right to
correctly remember and alter reported details sometime in the future,
which I might have figured out at 3AM after the 50th cup of coffee
that night ;-).

>
>> [...]
>> I have two Shorewall VMs, and two stacked
>> 48-port switches.  Each switch has a 10Gbe uplink to each of two of my
>> VM hosts for redundancy, and one Shorewall VM is on each VM host.  The
>> VM hosts are trunked with redundant isolated Infiniband networks.
>> This way single point of failure does not mean I lose a chunk of my
>> network, or any of my services. I had to go this way when my wife's
>> tolerance for network outage dropped to zero, even for patching.
>
> Can you add something regarding "connection tracking"?
>
> I mean, if your setup is providing 100% availability (in "single-failure"
> scenarios) I've some trouble in figuring out how you're replicating
> connection-tracking between the two shorewall nodes, so that should one of
> them go down, the other will be able to continue handling existing
> connections (in addition to new ones, obviously).
>
> I'm asking 'cause as my wife is "much inline" with yours (in terms of
> "network availability requirements") I'm _REALLY_ interested in "100%
> network firewalling availability" (shorewall-based, obviously!) :-)
>
> Jokes aside: you really described an amazing infrastructure! Thanks for
> reporting it here.
>
> Cheers,
> DV
>

I think I may have explained this above, I run a clone of any VM on
the other host, so if the VM dies, the other clone goes active.  This
will probably result in a glitch (a single or less than a handful of
packets lost), but I'm relying on the protocols used to deal with
this.

This is not "100%" perfect no-failure of data transit networking, but
it has to be better than 3-sigma...

My next biggest project is to handle a network port failing.  The
original point of having the extra 48-port switch was to be able to
put an A-B switch between each device, sending the device to either
switch.  Since no-one makes a 48-to-96 A-B switch I've been designing
that myself.  Control for that is handled by RS-485 serial network from
each VM host.

>
>
> <mode jokes="on">
>> I have a hyper-paranoid least-privilege security design on my network.
>
> Actually you just set a new "maximum", well beyond the previous one, in the
> "paranoid-implementations" I've kept track of, up to now :-)
> </mode>
>
>

The network admins at Nvidia (I don't work there anymore) often joked
that my network was more secure than theirs, and that I should
probably put a sign on my network rack with the initials "NSA"...

>
> --
> Damiano Verzulli
> e-mail: dami...@verzulli.it
> ---
> possible?ok:while(!possible){open_mindedness++}
> ---
> "Technical people tend to fall into two categories: Specialists
> and Generalists. The Specialist learns more and more about a
> narrower and narrower field, until he eventually, in the limit,
> knows everything about nothing. The Generalist learns less and
> less about a wider and wider field, until eventually he knows
> nothing about everything." - William Stucke - AfrISPA
>   http://elists.isoc.org/mailman/private/pubsoft/2007-December/001935.html
>
>

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users