[openstack-dev] FWaaS iptables implementation
Miyashita, Kazuhiro
miyakz at jp.fujitsu.com
Mon Mar 30 08:58:21 UTC 2015
Hi,
I want to ask about the FWaaS iptables rule implementation.
Firewall rules are deployed as iptables rules on the network node, and an ACCEPT target is set at the second rule(*).
----
Chain neutron-l3-agent-iv431d7bfbc (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED (*)
0 0 neutron-l3-agent-liA31d7bfbc tcp -- * * 172.16.2.0/23 1.2.3.4 tcp spts:1025:65535 dpt:80
0 0 neutron-l3-agent-liA31d7bfbc tcp -- * * 172.16.6.0/24 1.2.3.4 tcp spts:1025:65535 dpt:80
0 0 neutron-l3-agent-liA31d7bfbc tcp -- * * 1.2.3.4 172.16.14.0/24 tcp spts:1025:65535 dpt:11051
0 0 neutron-l3-agent-liA31d7bfbc tcp -- * * 10.3.0.0/24 1.2.3.4 tcp spts:1025:65535 dpt:22
0 0 neutron-l3-agent-liD31d7bfbc all -- * * 0.0.0.0/0 0.0.0.0/0
----
Why is the ACCEPT rule set second in the iptables rules? Is it for performance reasons (ICMP or other protocols such as UDP/TCP)?
This causes some wrong scenarios, for example...
[outside openstack cloud] ---> Firewall(FWaaS) --> [inside openstack cloud]
1) an admin creates a Firewall and creates a Firewall rule accepting ICMP requests from outside the openstack cloud, and
2) ICMP request packets come in from outside to inside, and
3) someday, the admin detects that the ICMP rule is a security vulnerability and creates a Firewall rule blocking ICMP requests from outside,
but ICMP request packets still come in due to the ACCEPT rule(*), because the ICMP connection still hits the second rule(*).
Thanks.
kazuhiro MIYASHITA
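Added example, not part of the original message or of Neutron's code: a small Python model of the chain ordering shown above, with a conntrack table, that reproduces the three-step scenario and shows the usual remedy, deleting the relevant conntrack entries (what `conntrack -D -p icmp` does on a real network node) when the policy changes. The model collapses the liA/liD jump chains into direct ACCEPT/DROP targets, and the addresses (10.0.0.0/24 inside, 203.0.113.0/24 outside) and the ICMP flow key are constructed assumptions.

```python
"""Model of the FWaaS iv chain: fixed conntrack rules first, admin rules second.

Constructed example; it models iptables/conntrack semantics, it does not call them.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ACCEPT, DROP = "ACCEPT", "DROP"


@dataclass(frozen=True)
class Packet:
    proto: str          # "icmp", "tcp" or "udp"
    src: str
    dst: str
    dport: int = 0      # 0 for ICMP (real conntrack keys echo flows on the ICMP id)


@dataclass(frozen=True)
class Rule:
    target: str
    proto: str = "all"                 # "all" matches any protocol
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None
    state: frozenset = frozenset()     # conntrack states; empty = no state match

    def matches(self, pkt: Packet, state: str) -> bool:
        if self.state and state not in self.state:
            return False
        if self.proto != "all" and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst))


# The two rules the l3 agent puts at the top of the chain (rule (*) is the second).
FIXED_RULES = [
    Rule(DROP, state=frozenset({"INVALID"})),
    Rule(ACCEPT, state=frozenset({"RELATED", "ESTABLISHED"})),
]


class Firewall:
    def __init__(self, user_rules):
        self.user_rules = list(user_rules)
        self.conntrack = set()          # flow keys of connections already accepted

    @staticmethod
    def _flow(pkt: Packet):
        # Direction-agnostic key so replies and further requests hit the same entry.
        return (pkt.proto, tuple(sorted((pkt.src, pkt.dst))), pkt.dport)

    def chain(self):
        # Fixed rules, then the admin's policy, then the default DROP (the liD chain).
        return FIXED_RULES + self.user_rules + [Rule(DROP)]

    def filter(self, pkt: Packet) -> str:
        key = self._flow(pkt)
        state = "ESTABLISHED" if key in self.conntrack else "NEW"
        for rule in self.chain():
            if rule.matches(pkt, state):
                if rule.target == ACCEPT and state == "NEW":
                    self.conntrack.add(key)   # entry is confirmed once accepted
                return rule.target
        return DROP

    def flush_conntrack(self, proto: Optional[str] = None):
        # Model of `conntrack -D [-p proto]`: drop existing entries after a policy change.
        self.conntrack = {k for k in self.conntrack if proto is not None and k[0] != proto}


def scenario():
    """Steps 1-3 of the message, then the conntrack flush that makes the DROP effective."""
    inside = "10.0.0.0/24"                                   # assumed tenant network
    fw = Firewall([Rule(ACCEPT, proto="icmp", dst=inside)])  # step 1: allow ICMP in
    ping = Packet("icmp", "203.0.113.5", "10.0.0.7")         # step 2: first echo request
    first = fw.filter(ping)                                  # ACCEPT, conntrack entry created
    fw.user_rules = [Rule(DROP, proto="icmp", dst=inside)]   # step 3: admin now blocks ICMP
    after_change = fw.filter(ping)                           # still ACCEPT via rule (*)
    fw.flush_conntrack("icmp")                               # remedy: delete the entries
    after_flush = fw.filter(ping)                            # DROP finally applies
    return first, after_change, after_flush


if __name__ == "__main__":
    print(scenario())
```

The model makes the author's point explicit: the DROP the admin added is evaluated only for packets conntrack classifies as NEW, so an existing flow keeps passing through rule (*) until its conntrack entry expires or is deleted. A packet from a source that has no entry yet is dropped immediately, which is why the problem is easy to miss in testing.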