[openstack-dev] [openstack-ansible][security] To firewalld, or not to firewalld
major at mhtx.net
Wed Aug 2 20:47:32 UTC 2017
On 08/02/2017 03:57 AM, Mark Goddard wrote:
> The solution we built used a conf.d/ mechanism layered on top of iptables. An advantage of this approach is that operators or co-resident software stacks could add their own rules to the firewall. AFAIK, this is not generally possible when using iptables-save/restore as it relies on a single configuration file which must be 'owned' by something - in this case presumably OSA.
> I'm not suggesting that you reimplement the solution I've described, but it does outline one benefit of firewalld - OSA would not need to entirely own the firewall configuration.
Thanks for the feedback! I'm leaning away from firewalld now and looking at something a little simpler with iptables.
During a recent IRC meeting someone brought up ferm. They have several examples, but the workstation one makes some sense. It would be fairly easy to template the ferm DSL files.
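A ferm ruleset in the style the thread describes (deployment tooling owns a base policy, operators or co-resident stacks drop their own rules into a conf.d-style directory), as an added example and not code from the thread, from ferm's own examples or from OpenStack-Ansible; the file path, the admin network ranges and the ferm.d/ layout are assumptions:

```ferm
# Assumed path: /etc/ferm/ferm.conf. The base policy lives here and is
# generated from a template; operator rules go in /etc/ferm/ferm.d/ instead.
@def $ADMIN_NETS4 = (10.0.0.0/8 192.168.0.0/16);   # constructed example ranges
@def $ADMIN_NETS6 = (fd00::/8);                     # constructed example range

domain (ip ip6) {
    table filter {
        chain INPUT {
            policy DROP;

            # drop malformed state, accept replies to flows we initiated
            mod state state INVALID DROP;
            mod state state (ESTABLISHED RELATED) ACCEPT;

            interface lo ACCEPT;

            # protocol names and address families differ per domain;
            # ICMPv6 carries neighbour discovery, so it must not be dropped
            @if @eq($DOMAIN, ip6) {
                proto ipv6-icmp ACCEPT;
                proto tcp dport ssh saddr $ADMIN_NETS6 ACCEPT;
            } @else {
                proto icmp ACCEPT;
                proto tcp dport ssh saddr $ADMIN_NETS4 ACCEPT;
            }
        }
        chain OUTPUT policy ACCEPT;
        chain FORWARD policy DROP;
    }
}

# conf.d-style layering: a trailing slash makes ferm read every file in the
# directory, so other services append rules without editing this file.
@include 'ferm.d/';
```

Because the INPUT policy is DROP in both domains, a dropped-in file in ferm.d/ can only open what it explicitly lists; `ferm --noexec --lines /etc/ferm/ferm.conf` prints the resulting iptables/ip6tables commands for review before applying.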