[openstack-dev] [openstack-ansible][security] To firewalld, or not to firewalld

Mark Goddard mark at stackhpc.com
Wed Aug 2 08:57:00 UTC 2017

In my previous job we had to build a firewall solution for our OpenStack
control plane. Our research found that firewalld may have a habit of
'fighting' against the rules added by certain OpenStack services. This was
over a year ago, so things may have changed. We didn't pursue firewalld as
a solution, so perhaps these issues are non-existent or surmountable.

The solution we built used a conf.d/ mechanism layered on top of iptables.
An advantage of this approach is that operators or co-resident software
stacks could add their own rules to the firewall. AFAIK, this is not
generally possible when using iptables-save/restore as it relies on a
single configuration file which must be 'owned' by something - in this case
presumably OSA.

I'm not suggesting that you reimplement the solution I've described, but it
does outline one benefit of firewalld - OSA would not need to entirely own
the firewall configuration.

On 28 July 2017 at 07:49, Markos Chandras <mchandras at suse.de> wrote:

> On 07/26/2017 05:59 PM, Major Hayden wrote:
> >
> > firewalld disadvantages
> > -----------------------
> > 1) Different distributions have different base rule sets
> Also different distributions offer different version of firewalld which
> means different behavior and possibly bugs between them. The Ansible
> module may not always 'mask' such things we either going to spend time
> improving the module or workaround all these in our playbooks. Improving
> the upstream module of course is a good thing but I just wanted to point
> out the maintenance cost of that.
> > 2) Medium/High complexity rules require --direct, which is like using
> iptables anyway
> > 3) It's another daemon to manage/monitor
> > 4) We wouldn't be able to use firewalld's "zones" very heavily
> > 5) Saving/restoring iptables rules is battle-tested already
> I am slightly in favor of iptables (or even nftables) mostly because
> they provide a stable known interface which can work for simple and
> complex rules. As your 2nd point above correctly states, if we start
> using the 'direct' rule feature of firewalld, then we will end up having
> a mixture of pure firewalld and iptables rules which may not be the
> cleaner option in terms of maintainability.
> --
> markos
> SUSE LINUX GmbH | GF: Felix Imendörffer, Jane Smithard, Graham Norton
> HRB 21284 (AG Nürnberg) Maxfeldstr. 5, D-90409, Nürnberg
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20170802/62340a53/attachment.html>

More information about the OpenStack-dev mailing list