A couple of meetings ago someone mentioned the tool pyroman[0] in regard to managing the firewalls on our infrastructure. Since then, I've been playing around with this tool, and have been fairly impressed.

I've imported pyroman 0.3 along with a _basic_ Fedora infrastructure profile into cvs. I've added all of our PHX machines listed on InfrastructurePrivate, and added some other minor tweaks. It's not 100% ready for deployment yet, it still needs:

  o to allow traffic to most services on our machines
  o profiles for our machines at Duke
  o to be compared against our current rc.firewall script - I've ported over most of it (the stuff I could actually understand), but there might be some stuff I missed
  o LOTS of testing

The more testing and the more eyes we can get on this, the better. You should be able to hop on any machine and check it out of cvs:

    cvs -d cvs-int.fedora.phx.redhat.com:/cvs/fedora co pyroman

From here, you can run `./pyroman --dump`, which will spit out all of the chains instead of just trying to load them.

Hack away, infrastructure ninjas!

luke

[0]: http://pyroman.alioth.debian.org