[openstack-dev] [openstack-ansible][security] To firewalld, or not to firewalld

Major Hayden major at mhtx.net
Wed Aug 2 20:47:32 UTC 2017

On 08/02/2017 03:57 AM, Mark Goddard wrote:
> The solution we built used a conf.d/ mechanism layered on top of iptables. An advantage of this approach is that operators or co-resident software stacks could add their own rules to the firewall. AFAIK, this is not generally possible when using iptables-save/restore as it relies on a single configuration file which must be 'owned' by something - in this case presumably OSA.
> I'm not suggesting that you reimplement the solution I've described, but it does outline one benefit of firewalld - OSA would not need to entirely own the firewall configuration.

Thanks for the feedback!  I'm leaning away from firewalld now and looking at something a little simpler with iptables.

During a recent IRC meeting someone brought up ferm[0]. They have several examples, but the workstation[1] one makes some sense. It would be fairly easy to template the ferm DSL files.

[0] http://ferm.foo-projects.org/
[1] http://ferm.foo-projects.org/download/examples/webserver.ferm

Major Hayden

More information about the OpenStack-dev mailing list