[openstack-dev] [TripleO] Why do we disable the firewall by default?

Ben Nemec openstack at nemebean.com
Thu May 26 20:16:22 UTC 2016

Pretty much what the subject says.  I've recently gotten several
questions from the field about why their deployments had no firewall
enabled, and discovered that although we have support built in to enable
the firewall, we turn it off by default.  This seems like a bad default
to me, but I wanted to send something out in case there was a good
historical reason we chose to do this.

I'm also wondering about the upgrade implications of changing defaults
in Heat templates.  If we did this, would it cause the firewall to be
enabled on existing deployments when they upgraded to the new version?
That seems like a significant concern since it's quite possible users
are managing their own firewall rules (especially because we don't by
default), and they may have customizations that they won't want us
stepping on.

I've pushed a review to flip the bit on this:
https://review.openstack.org/#/c/321833 but I've set it WIP until we
have answers to the topics above.

