On Friday, 15 June 2018 at 18:35 +0200, Michael Scherer wrote:
> On Tuesday, 13 March 2018 at 17:22 +0100, Michael Scherer wrote:
> > Hi,
> >
> > So, I have been working on tightening the internal network of the
> > gluster community cage part of the world, e.g., all the servers in
> > *.int.rht.gluster.org. That's mostly internal infra servers, and newer
> > non-cloud builders, but I plan to later also move gerrit/jenkins and
> > various servers.
> >
> > The goal is to reduce IPv4 usage (because that's limited), and
> > increase security (no direct access to attack, and more difficult to
> > later exploit in case of compromise).
> >
> > That mostly doesn't impact people (or I would have asked for
> > maintenance windows), but I just switched all servers in the internal
> > network to use the firewall (masamune.rht.gluster.org) as a gateway
> > rather than the IT firewall, so if anything is broken on a
> > *.int.rht.gluster.org server, please tell me and I will look.
> >
> > Everything is in HA, and I have done several tests and reboots during
> > the day without trouble. In fact, more than half of the servers were
> > using that.
> >
> > Right now, the firewall is not yet blocking anything, but that's
> > planned, server by server.
> >
> > Next steps are to prevent direct internet access (so start to use the
> > firewall), and provide both a web proxy and a DNS server, so we can
> > log and control what is going on.
>
> So I made some progress here (after a rather hectic week, my fault for
> not staying on vacation):
>
> - we have now 2 internal DNS servers (gonna test and switch internal
> builders, etc. once I validate them, I will likely do them in small
> batches)

So the 2 DNS servers are working. I didn't yet switch to them by default, because I want to do some setup of the disk for squid (colocated on the same VM) and may need to reinstall, but that part is done.

> - I started to switch to nftables for the firewall (not enabled yet, I
> will announce in advance and do that outside of working hours)

Same, the testing of nftables seems to be positive. I installed another server to serve as a temporary firewall, and started to refine the rules. Still no plan to switch yet, will wait until Nigel is back.

I also slowly started to use a squid proxy for controlling outgoing HTTP connections, and so far so good.

-- 
Michael Scherer
Sysadmin, Community Infrastructure and Platform, OSAS
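As an added illustration of the egress policy the message describes (internal hosts reach the internet only through the internal DNS resolvers and the squid proxy, with the gateway logging and dropping everything else), here is an nftables ruleset for a gateway in that role. It is not the ruleset from the post or from the gluster infrastructure; the interface names, the subnet, the resolver and proxy addresses and the squid port are placeholders.

```nft
#!/usr/sbin/nft -f
# Added example, not the gluster infra ruleset. Placeholder assumptions:
#   lan0 = interface facing the *.int.rht.gluster.org network
#   wan0 = interface facing the internet
#   10.0.0.0/24 = internal subnet
#   10.0.0.2 and 10.0.0.3 = the two internal DNS servers
#   10.0.0.3 = the VM that also runs squid on port 3128
flush ruleset

define lan_if = "lan0"
define wan_if = "wan0"
define lan_net = 10.0.0.0/24
define dns_servers = { 10.0.0.2, 10.0.0.3 }
define proxy = 10.0.0.3

table ip gateway {
    chain forward {
        type filter hook forward priority filter; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Only the resolvers may talk DNS to the outside, and only the
        # proxy may open HTTP/HTTPS connections, so every outgoing
        # request ends up in the resolver or squid logs.
        iifname $lan_if oifname $wan_if ip saddr $dns_servers udp dport 53 accept
        iifname $lan_if oifname $wan_if ip saddr $dns_servers tcp dport 53 accept
        iifname $lan_if oifname $wan_if ip saddr $proxy tcp dport { 80, 443 } accept

        # Anything else leaving the internal network is logged, then dropped.
        # The log prefix is what reveals a host still configured for direct
        # access when the policy is switched on server by server.
        iifname $lan_if oifname $wan_if log prefix "egress-denied: " drop
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Accepted flows from the internal subnet share the gateway's public
        # address, which is what saves the IPv4 addresses mentioned in the post.
        oifname $wan_if ip saddr $lan_net masquerade
    }
}
```

Load it with `nft -f` after checking it with `nft -c -f`, and watch the kernel log for the `egress-denied:` prefix while the first servers are moved behind the policy.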
_______________________________________________ Gluster-devel mailing list Gluster-devel@xxxxxxxxxxx https://lists.gluster.org/mailman/listinfo/gluster-devel