
firewall (team) rant


hymie!

Oct 2, 2017, 9:41:59 AM10/2/17
Background -- I work for a very very large institution that I would rather
not name. The networks in $VVLI are highly segmented, and each segment
is protected by one or more firewalls, and each set of firewalls has its
own team that manages them.

I'm trying to build a new machine. We use "cobbler" to build our new
machines. As I understand it, cobbler will first PXE-boot the new
machine (requiring a DHCP IP address), and then fire up something my
boss calls "the centos pre-boot environment", which requires another
(different) DHCP IP address.

Unfortunately, my cobbler server and my new machine are on different
networks, and there is a firewall between those two networks. The team
that controls this firewall does not believe in IP ranges in general, or
DHCP in particular. So while they are willing to set up firewall access
for this machine's final (static) IP address, they will not set up the
DHCP access I need to request two semi-random DHCP IP addresses for the
purpose of building the machine.

I had the same problem with the same team when I built an LDAP server.
I told them that any machine in my 10.5.3.0/24 network, whether or not
it exists today or will be created in the future, needs access to
this LDAP server. They said no, they need a list of specific machines
with IP addresses that currently exist, and they will allow those machines
to access the LDAP server. If and when I build a new machine, then I
should submit a new firewall-change request to allow that machine to
access the LDAP server when the time comes.

And then the "big bosses" wonder why every task takes 6-8 weeks.

--hymie! http://lactose.homelinux.net/~hymie hy...@lactose.homelinux.net