[openstack-dev] [tripleo][pre] removing default ssh rule from tripleo::firewall::pre

Lars Kellogg-Stedman lars at redhat.com
Fri Jul 13 02:17:25 UTC 2018


I've had a few operators complain about the permissive rule tripleo
creates for ssh.  The current alternatives seem to be to either disable
tripleo firewall management completely, or move from the default-deny
model to a set of rules that include higher-priority blacklist rules
for ssh traffic.

I've just submitted a pair of reviews [1] that (a) remove the default
"allow ssh from everywhere" rule in tripleo::firewall::pre and (b) add
a DefaultFirewallRules parameter to the tripleo-firewall service.

The default value for this new parameter is the same rule that was
previously in tripleo::firewall::pre, but now it can be replaced by an
operator as part of the deployment configuration.

For example, a deployment can include:

    parameter_defaults:
      DefaultFirewallRules:
        tripleo.tripleo_firewall.firewall_rules:
          '003 allow ssh from internal networks':
            source: '172.16.0.0/22'
            proto: 'tcp'
            dport: 22
          '003 allow ssh from bastion host':
            source: '192.168.1.10'
            proto: 'tcp'
            dport: 22

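As an added illustration (not part of the original mail or of tripleo), the following script checks a set of firewall rules in the shape of the example above for ssh rules whose source is wider than an operator-supplied allow list. The rules are a constructed Python dict mirroring the YAML, with one extra rule of the kind the change removes (TCP/22 with no `source`) so the check has something to report; the `find_permissive_ssh_rules` function, its arguments and the allowed-source list are assumptions for the example, not tripleo parameters.

```python
import ipaddress

SSH_PORT = 22

# Constructed sample: the two rules from the mail's parameter_defaults
# example, plus a rule with no 'source' (accepts ssh from anywhere), which
# is the shape of the default rule the reviews remove.  Not tripleo data.
SAMPLE_RULES = {
    '003 allow ssh from internal networks': {
        'source': '172.16.0.0/22', 'proto': 'tcp', 'dport': 22},
    '003 allow ssh from bastion host': {
        'source': '192.168.1.10', 'proto': 'tcp', 'dport': 22},
    '003 accept ssh': {'proto': 'tcp', 'dport': 22},
}


def rule_opens_ssh(rule):
    """True if the rule can match TCP/22.

    dport may be an int, a string, a "lo-hi"/"lo:hi" range or a list of
    those; a rule with no dport matches every port.
    """
    proto = str(rule.get('proto', 'tcp')).lower()
    if proto not in ('tcp', 'all'):
        return False
    dport = rule.get('dport')
    if dport is None:
        return True
    ports = dport if isinstance(dport, list) else [dport]
    for p in ports:
        s = str(p)
        if s.isdigit():
            if int(s) == SSH_PORT:
                return True
        elif '-' in s or ':' in s:
            lo, hi = (int(x) for x in s.replace(':', '-').split('-', 1))
            if lo <= SSH_PORT <= hi:
                return True
    return False


def source_scope(rule):
    """Networks the rule accepts from, or None if it accepts from anywhere."""
    src = rule.get('source')
    if src is None:
        return None
    nets = [ipaddress.ip_network(s.strip(), strict=False)
            for s in str(src).split(',')]
    # 0.0.0.0/0 or ::/0 is "anywhere" spelled out explicitly
    if any(n.prefixlen == 0 for n in nets):
        return None
    return nets


def source_within(nets, allowed):
    """True if every network in nets lies inside some allowed network."""
    return all(any(n.version == a.version and n.subnet_of(a) for a in allowed)
               for n in nets)


def find_permissive_ssh_rules(rules, allowed_sources):
    """Return (rule name, reason) for ssh rules wider than allowed_sources."""
    allowed = [ipaddress.ip_network(a, strict=False) for a in allowed_sources]
    findings = []
    for name, rule in rules.items():
        if not rule_opens_ssh(rule):
            continue
        nets = source_scope(rule)
        if nets is None:
            findings.append((name, 'accepts ssh from any source'))
        elif not source_within(nets, allowed):
            findings.append((name, 'source %s is outside the allowed set'
                             % rule['source']))
    return findings


if __name__ == '__main__':
    # Assumed allow list for the constructed sample: the internal range and
    # the management network the bastion host sits on.
    for name, reason in find_permissive_ssh_rules(
            SAMPLE_RULES, ['172.16.0.0/16', '192.168.1.0/24']):
        print('%s: %s' % (name, reason))
```

With the allow list above only the source-less rule is reported; narrowing the allow list to `172.16.0.0/22` alone also reports the bastion rule, which is the behaviour you want when the deployment configuration drifts from what the operator intended.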
[1] https://review.openstack.org/#/q/topic:feature/firewall%20(status:open%20OR%20status:merged)

-- 
Lars Kellogg-Stedman <lars at redhat.com> | larsks @ {irc,twitter,github}
http://blog.oddbit.com/                |
