On 24/02/2019 09:33, Damiano Verzulli wrote:

> In our main location we are running two shorewall boxes, each one connected
> to an 802.1q trunk, firewalling traffic between related VLANs. In detail,
> currently:
>
> - mixer: 27 zones, related to 27 VLANs
> - equalizer: 56 zones, related to 56 VLANs
> [...]
> So, basically, we've successfully used shorewall connected to a 1GEth VLAN
> trunk, dealing with 85 VLANs with absolutely **NO ISSUE** :-)

Holy smokes! And I thought I was playing in the big league with 11 zones featuring several hosts per zone.

Your setup demonstrates, if need be, how Tom got Shorewall so well designed!

There are so many projects that apparently work well but show their design flaws at scale.

P.S.: ObNox, please, could you slightly elaborate on this:

Certainly :-)

> It's a long time I'm investigating LXC (to better rearrange our DMZ,
> specifically), but always found problems in terms of "orchestration": how
> are you managing your containers? Where are they running (in physical
> HOSTs, or within VMs)? As for networking, how are you handling traffic
> towards such containers and the "external" side? (DNAT/bridge/other)?

In my case, every project I work on is considered independent of others. A project can be only one host with one domain name holding a handful of services or several hosts with several domain names and/or projects with logical/organizational separation holding lots of services. It's not a big melting pot, I hate that on the principle of "do not put all your eggs in one basket!"

I use physical hosts. One host for simple projects and a group of hosts for bigger projects and clusters when HA is a requirement (ProxMox). In all cases, backups make sure that any host can be quickly restored from disasters. Mostly, these projects are internal services but some are publicly accessible.

Shorewall is installed on each host and handles every single packet of traffic everywhere. SNAT/DNAT is used whenever a service must reach outside or must be reachable from outside. Everything is tightly controlled down to each service/IP/protocol/port. Surprisingly, Shorewall is so good that, even with all this control-freak attitude, its configuration remains very clear and still simple to read!

If the deployed service is Linux based, it ends up in a LXC container and if it needs another OS for any reason, I use QEMU/KVM via LibVirt. Both LXC and QEMU/KVM are highly reliable! I never had any issue (i.e.: random crash, bottlenecks, slowdowns, etc.) with any of them for more than 5 years now. They are rock solid software provided you don't screw up the settings ;-)

Each host or host group gets its own orchestration tool to manage everything per host/group. I use SaltStack - https://www.saltstack.com - in a very simple way (i.e.: I don't use full blown formulas but a bunch of defined actions for day to day control).

A LXC container holds the "salt-master". The host and every LXC/VM get a "salt-minion". From Shorewall's PoV, this is very easy to manage, the only needed setting is the "salt-minions" being able to contact the "salt-master". That's it! The "salt-master" does not need to reach the "salt-minions".

For some very specific situations, I needed to simultaneously control via Salt several independent hosts/groups at the same time. This isn't hard to achieve because on each host/group, the "salt-master" can itself behave as a "salt-minion" and obey commands from a "master of masters".

This is fun to watch but gets a bit humanly confusing to read as everything is done asynchronously with batch jobs (i.e.: a handful of targets per command), but it works :-)

Salt works well for me even with some flaws and drawbacks. I also use it to dispatch configurations and SSL/TLS certs (Let's encrypt) from a central point to all the needed services and restart/reload them when needed.

PS: I still use a totally custom way of deploying hosts and LXC containers. I intend to give Ansible a try to deploy the hosts from bare metal state, but my current handcrafted script works so well and is so adapted to my needs that I have not yet put much effort into giving Ansible a try :-)

--
ObNox
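An added example, not taken from ObNox's setup or from the Shorewall project: a minimal Shorewall layout for one host of the kind described above, with the host itself as the firewall, containers in an `lxc` zone on a bridge, the single minion-to-master rule, SNAT for outbound container traffic and DNAT for one published service. Interface names, the bridge, every address, and the zone names are assumptions; Salt's ZeroMQ ports 4505/4506 are the default ones.

```conf
# /etc/shorewall/zones
fw   firewall
net  ipv4
lxc  ipv4

# /etc/shorewall/interfaces  (assumed names: eth0 uplink, lxcbr0 bridge)
?FORMAT 2
net  eth0    tcpflags,nosmurfs,routefilter
lxc  lxcbr0  tcpflags,nosmurfs,routeback,bridge

# /etc/shorewall/policy  -- deny by default, log what is dropped
lxc  lxc  DROP    info     # containers do not talk to each other unless allowed
lxc  net  DROP    info     # no unsolicited outbound from containers
net  all  DROP    info
all  all  REJECT  info

# /etc/shorewall/rules
?SECTION NEW
# Salt: every minion (host + containers) may reach the salt-master
# container (assumed 10.0.0.2). The master never initiates, so no reverse rule.
ACCEPT  lxc   lxc:10.0.0.2   tcp  4505,4506
ACCEPT  $FW   lxc:10.0.0.2   tcp  4505,4506

# Let's Encrypt renewals and package updates from the master only
ACCEPT  lxc:10.0.0.2  net  tcp  80,443

# Publish one web service running in a container (assumed 10.0.0.10)
DNAT    net   lxc:10.0.0.10  tcp  80,443

# /etc/shorewall/snat  -- masquerade container traffic that is allowed out
MASQUERADE  10.0.0.0/24  eth0
```

Intra-zone filtering on the bridge (the `lxc lxc DROP` policy) only takes effect when bridged traffic is handed to netfilter, so `br_netfilter` must be loaded on the host; `shorewall check` validates the files before `shorewall restart` applies them.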
