On 31-07-2014 14:47, Zach Leslie wrote:
> I'm a Puppet user for more than just firewall systems, which allows me
> to take a given node, say another server, and insert its IP into a table
> on the firewall, completely dynamically without having to statically set
> the IPs in pf.conf. There are lots of interesting things you can do
> with Puppet that allow you to build dynamic tables based on the
> classification of other systems in your environment.

You can read a table from a file and you can also dynamically manage it using pfctl. I use fail2ban on OpenBSD and it adds/removes IPs from a pf table to ban/unban the offenders.

All I said is that these devops tools must be used, when needed of course, but with knowledge of what is happening under the hood. But that is not what is happening. More and more these tools are misused, leaving the security of the systems all in the hands of the "recipes". I think that for a very sensitive server which is a firewall, you need to have absolute control of what is happening; after all, all the other machines on the network depend on it.

I've tested and used all these tools: chef, puppet, ansible, juju, etc. For rapid deployment of dev/staging/production environments, they shine at their most. Just don't think that for a pair of carp firewalls they're needed, let alone advised.
Cheers,
--
Giancarlo Razzolini
GPG: 4096R/77B981BC
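The "add/remove IPs from a pf table with pfctl" mechanism that fail2ban relies on, written out as a small ban/unban helper. This is an added example and is not code from either post or from fail2ban; it assumes a table named bruteforce declared in pf.conf as `table <bruteforce> persist file "/etc/pf/bruteforce"` with a matching `block in quick from <bruteforce>` rule, and the helper names (valid_ipv4, pf_table_cmd, pf_ban, pf_unban) and the PF_DRY_RUN / PF_TABLE / PFCTL variables are inventions of this example. The point beyond the post is the input check: a tool that feeds log-derived strings into pfctl should validate them before they reach the command line.

```shell
#!/bin/sh
# Added example (not from the thread): fail2ban-style ban/unban of addresses
# in a pf table. Assumed pf.conf (not quoted from the post):
#   table <bruteforce> persist file "/etc/pf/bruteforce"
#   block in quick from <bruteforce>
# The persisted file is read at "pfctl -f" time; live changes go through
# "pfctl -t <table> -T add|delete <addr>", and "pfctl -t <table> -T show"
# lists the current contents. PF_DRY_RUN=1 prints the command instead of
# running it (hypothetical switch, used so the helper can be exercised
# on a box without pf).

PFCTL=${PFCTL:-pfctl}

# valid_ipv4 ADDR: succeed only for a dotted quad whose octets are 0-255.
# Anything else (hostnames, shell metacharacters, IPv6 for this simple
# helper) is rejected before it can become a pfctl argument.
valid_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1            # split the address into its octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# pf_table_cmd ACTION TABLE ADDR: print the pfctl command for add/delete,
# returning non-zero (and printing nothing) if any argument fails validation.
pf_table_cmd() {
    action=$1; table=$2; addr=$3
    case "$action" in
        add|delete) ;;
        *) echo "bad action: $action" >&2; return 2 ;;
    esac
    case "$table" in
        ""|*[!A-Za-z0-9_]*) echo "bad table name: $table" >&2; return 2 ;;
    esac
    valid_ipv4 "$addr" || { echo "rejected address: $addr" >&2; return 2; }
    echo "$PFCTL -t $table -T $action $addr"
}

# pf_run ACTION TABLE ADDR: build the command, then run it or (dry run) echo it.
pf_run() {
    cmd=$(pf_table_cmd "$@") || return $?
    if [ "${PF_DRY_RUN:-0}" = 1 ]; then
        echo "$cmd"
    else
        $cmd              # arguments were validated above, so plain splitting is safe
    fi
}

# Convenience wrappers; the table defaults to "bruteforce".
pf_ban()   { pf_run add    "${PF_TABLE:-bruteforce}" "$1"; }
pf_unban() { pf_run delete "${PF_TABLE:-bruteforce}" "$1"; }

# Bans can be made to age out with pfctl's "-T expire SECONDS", which removes
# entries whose statistics were last cleared more than SECONDS ago, e.g.
#   pfctl -t bruteforce -T expire 3600
```

Run with `PF_DRY_RUN=1 pf_ban 203.0.113.7` to see the exact pfctl invocation, and without the variable on an OpenBSD host to apply it; `pfctl -t bruteforce -T show` confirms the table state afterwards.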