[Gluster-infra] Cage internal network lock down
Michael Scherer
mscherer at redhat.com
Tue Jul 10 08:28:45 UTC 2018
On Friday 15 June 2018 at 18:35 +0200, Michael Scherer wrote:
> On Tuesday 13 March 2018 at 17:22 +0100, Michael Scherer wrote:
> > Hi,
> >
> > So, I have been working on tightening the internal network of the
> > gluster community cage part of the world, e.g., all the servers in
> > *.int.rht.gluster.org. That's mostly internal infra servers and newer
> > non-cloud builders, but I plan to later also move gerrit/jenkins and
> > various servers.
> >
> > The goal is to reduce IPv4 usage (because that's limited) and increase
> > security (no direct access to attack, and more difficult to later
> > exploit in case of compromise).
> >
> > That's mostly non-impacting for people (or I would have asked for
> > maintenance windows), but I just switched all servers in the internal
> > network to use the firewall (masamune.rht.gluster.org) as a gateway
> > rather than the IT firewall, so if anything is broken on a
> > *.int.rht.gluster.org server, please tell me and I will look.
> >
> > Everything is in HA, and I have done several tests and reboots during
> > the day without trouble. In fact, more than half of the servers were
> > using that.
> >
> > Right now, the firewall is not yet blocking anything, but that's
> > planned, server by server.
> >
> > Next steps are to prevent direct internet access (so start to use the
> > firewall), and provide both a web proxy and a DNS server, so we can
> > log and control what is going on.
>
> So I made some progress here (after a rather hectic week, my fault for
> not staying on vacation):
>
> - we have now 2 internal DNS servers (gonna test and switch internal
>   builders, etc. once I validate them; I will likely do them in small
>   batches)
So the 2 DNS servers are working. I haven't yet switched to them by
default, because I want to do some setup of the disk for squid
(colocated on the same VM) and may need to reinstall, but that part is
done.
> - I started to switch to nftables for the firewall (not enabled yet, I
>   will announce in advance and do that outside of working hours)
Same, the testing of nftables seems to be positive. I installed another
server to serve as a temporary firewall and started to refine the
rules. Still no plan to switch yet; I will wait until Nigel is back.
I also slowly started to use a squid proxy for controlling outgoing
HTTP connections, and so far so good.
--
Michael Scherer
Sysadmin, Community Infrastructure and Platform, OSAS
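As an added example (not part of Michael's message and not the Gluster infrastructure's own configuration), this is the kind of nftables ruleset a gateway like the one described could enforce once the firewall starts blocking: hosts on the internal network lose direct Internet access, only the two resolvers may send DNS outside and only the squid host may open HTTP/HTTPS outside, and every other egress attempt is logged with a recognisable prefix. The interface names, the 10.0.0.0/24 range and the host addresses are placeholders chosen for the example, not the real cage network.

```nft
#!/usr/sbin/nft -f
# Added example ruleset for an internal-network gateway.
# All interface names and addresses below are placeholders.
flush ruleset

define internal_if  = "eth1"               # placeholder: side facing *.int.rht.gluster.org
define external_if  = "eth0"               # placeholder: side facing the Internet
define internal_net = 10.0.0.0/24          # placeholder RFC1918 range for the internal network
define dns_servers  = { 10.0.0.2, 10.0.0.3 }  # placeholder: the two internal resolvers
define proxy_server = 10.0.0.2             # placeholder: squid, colocated with a resolver as in the mail

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif lo accept
        # Administrative SSH is only reachable from the internal side.
        iifname $internal_if tcp dport 22 accept
        # Internal hosts may query the gateway itself for DNS and use the proxy port.
        iifname $internal_if udp dport 53 accept
        iifname $internal_if tcp dport { 53, 3128 } accept
        icmp type echo-request accept
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop

        # Only the resolvers may talk DNS to the outside; everything else must use them.
        iifname $internal_if oifname $external_if ip saddr $dns_servers udp dport 53 accept
        iifname $internal_if oifname $external_if ip saddr $dns_servers tcp dport 53 accept

        # Only the squid host may open HTTP/HTTPS to the outside; builders go through it.
        iifname $internal_if oifname $external_if ip saddr $proxy_server tcp dport { 80, 443 } accept

        # Log whatever else tries to leave directly, so it can be fixed host by host.
        iifname $internal_if oifname $external_if log prefix "int-egress-drop: " drop
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # Masquerade the remaining (permitted) internal traffic behind the external address.
        oifname $external_if ip saddr $internal_net masquerade
    }
}
```

Loaded with `nft -f`, the ruleset can be inspected with `nft list ruleset`; while rolling the lock-down out server by server, the `int-egress-drop:` entries in the kernel log show which internal hosts still reach out directly and therefore still need to be pointed at the resolvers and the proxy.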