On Thu, Jul 31, 2014 at 05:54:48PM -0300, Giancarlo Razzolini wrote:
> On 31-07-2014 14:47, Zach Leslie wrote:
> > I'm a Puppet user for more than just firewall systems, which allows me
> > to take a given node, say another server, and insert its IP into a table
> > on the firewall, completely dynamically without having to statically set
> > the IPs in pf.conf.  There are lots of interesting things you can do
> > with Puppet that allow you to build dynamic tables based on the
> > classification of other systems in your environment.
> You can read a table from a file and you can also dynamically manage it
> using pfctl. I use fail2ban on OpenBSD and it adds/removes IPs from a
> pf table to ban/unban the offenders.

Yes, and Puppet can exec those commands for you.  Tools like fail2ban
can manage the local system's table, but can't (to my knowledge)
distribute the contents of that table to other systems in the
environment dynamically.  PuppetDB gives you this and more.

> All I said is that these devops tools must be used, when needed of
> course, but with knowledge of what is happening under the hood. But
> that is not what is happening. More and more these tools are misused
> leaving the security of the systems all in the hands of the "recipes".
> I think that for a very sensitive server which is a firewall, you need
> to have absolute control of what is happening, after all, all the other
> machines on the network depend on it. I've tested and used all these
> tools, Chef, Puppet, Ansible, Juju, etc. For rapid deployment of
> dev/staging/production environments, they shine at their most. Just
> don't think that for a pair of CARP firewalls they're needed, let
> alone advised.

I hear you that people should be competent in what they are doing.

Configuration management tools, like Puppet, can quickly abstract
knowledge of a particular technology away from the user and isolate
understanding for said technology to a smaller group of people with
those skills.  This is the nature of technology, though, is it not?
Abstractions built on abstractions, packages including libraries, etc.
There is an inherent trust in the tools and, more importantly, the
authors of those tools.  This does not mean that the "recipes" (as you
put it) are inherently bad, or manage a system poorly, or that great
care cannot be taken to manage a system effectively, and securely.  Ha,
but there is also lots of bad code in the world.  Such is life.

The trust in a system's authors is one of the major reasons I use
OpenBSD in critical infrastructure without having to know anything about
how the compiler functions at its core.  Without this trust, we'd still
be smacking coconuts against rocks instead of building bridges to the
"UberTech", so to speak.

In any case, not all tools solve all problems, so for the OP, sure SCP
or whatever also works.  I'd advise some revision control.

Regards,

--
Zach
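As an added illustration of the file-backed pf table and pfctl management discussed above (example script, not code from either poster): the table name managed_hosts, the pf.conf line `table <managed_hosts> persist file "/etc/pf/managed_hosts"` and the host list are assumptions; the input validation is what keeps a bad value rendered from another node's facts from reaching pfctl.

```shell
#!/bin/sh
# Added example: build a pf table file from a host list and load it with
# pfctl, the way a Puppet exec resource would run it on the firewall.
# Assumed pf.conf entry: table <managed_hosts> persist file "/etc/pf/managed_hosts"
set -eu

TABLE="${TABLE:-managed_hosts}"
PFCTL="${PFCTL:-pfctl}"

# Accept only dotted-quad IPv4 addresses, optionally with a /prefix, so an
# unexpected value from a node's facts cannot smuggle pfctl syntax into the table.
valid_entry() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# Read one host per line on stdin, drop comments/blank lines and anything
# that is not a plain IPv4 entry, and print a sorted, de-duplicated table file.
build_table_file() {
  grep -Ev '^[[:space:]]*(#|$)' | while read -r entry; do
    if valid_entry "$entry"; then
      printf '%s\n' "$entry"
    else
      printf 'skipping invalid entry: %s\n' "$entry" >&2
    fi
  done | sort -u
}

# Replace the live table only when the file content differs from what pf
# currently holds, which keeps the Puppet run idempotent and avoids a
# needless flush of an in-use table.
apply_table() {
  file="$1"
  current="$(mktemp)"
  "$PFCTL" -t "$TABLE" -T show 2>/dev/null | sed 's/^[[:space:]]*//' | sort -u > "$current"
  if cmp -s "$current" "$file"; then
    echo "table <$TABLE> unchanged"
  else
    "$PFCTL" -t "$TABLE" -T replace -f "$file"
    echo "table <$TABLE> reloaded from $file"
  fi
  rm -f "$current"
}

# Constructed sample input, as a template might render it from PuppetDB facts.
SAMPLE_HOSTS='# hosts classified as web servers
10.0.1.10
10.0.1.11
10.0.1.10
10.0.2.0/24
not-an-ip; pass all
'
```

A Puppet run would write the rendered list, pipe it through build_table_file into /etc/pf/managed_hosts, then exec apply_table on that file.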
