[openstack-dev] [openstack-ansible][security] To firewalld, or not to firewalld
major at mhtx.net
Wed Jul 26 14:59:27 UTC 2017
I'm working through some drafts of a spec (rendered) that aims to deploy software firewalls within an OpenStack-Ansible deployment. The goal is to increase security by restricting lateral movement.
One of the questions that was raised was the method for managing firewall rules. The spec lays out a plan for firewalld since it is available in the supported operating systems (Ubuntu 16.04, CentOS 7, OpenSUSE 42.x) and it allows us to control IPv4/IPv6 rules in the same place.
However, Logan makes a good point about using a jinja template to write firewall rules to a file and load that via normal iptables service mechanisms. I definitely see merit to that approach, too.
I'd really like feedback from developers/operators of OpenStack-Ansible to determine the best method to proceed. Here's what I've come up with so far:
Pros of firewalld:

1) Available in all distributions we support
2) Provides simple commands to interface with firewall rules
3) Manages IPv4/IPv6 iptables rules at the same time

Cons of firewalld:

1) Different distributions have different base rule sets
2) Medium/High complexity rules require --direct, which is like using iptables anyway
3) It's another daemon to manage/monitor
4) We wouldn't be able to use firewalld's "zones" very heavily
5) Saving/restoring iptables rules is battle-tested already
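As an added illustration of the template-to-file approach Logan describes (this is not code from the thread or from OpenStack-Ansible), the renderer below builds an iptables-restore and an ip6tables-restore file from one rule list, so IPv4 and IPv6 stay in one place without firewalld. Plain Python string building stands in for the jinja template so it runs stand-alone; the service names, ports and source networks are constructed sample values, not the spec's rules.

```python
import ipaddress

# Constructed sample allow-list: which management networks may reach which
# service. Default policy is DROP on INPUT, so anything not listed here is
# blocked, which is the lateral-movement restriction the spec is after.
SAMPLE_RULES = [
    {"name": "ssh", "proto": "tcp", "port": 22,
     "sources": ["10.0.3.0/24", "fd00:ad::/64"]},
    {"name": "galera", "proto": "tcp", "port": 3306,
     "sources": ["10.0.3.0/24"]},
]


def render_restore(rules, version):
    """Render an iptables-restore (version=4) or ip6tables-restore (version=6)
    file. Sources of the other address family are skipped, so one rule list
    feeds both files. ipaddress.ip_network() rejects malformed or
    host-bit-set networks, so a typo fails at render time, not at load time."""
    if version not in (4, 6):
        raise ValueError("version must be 4 or 6")
    lines = [
        "*filter",
        ":INPUT DROP [0:0]",
        ":FORWARD DROP [0:0]",
        ":OUTPUT ACCEPT [0:0]",
        "-A INPUT -i lo -j ACCEPT",
        "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    if version == 6:
        # Neighbour discovery and path MTU rely on ICMPv6; dropping it breaks v6.
        lines.append("-A INPUT -p ipv6-icmp -j ACCEPT")
    for rule in rules:
        for src in rule["sources"]:
            net = ipaddress.ip_network(src)  # raises ValueError on bad input
            if net.version != version:
                continue
            lines.append(
                f"-A INPUT -s {net} -p {rule['proto']} --dport {rule['port']} "
                f"-m comment --comment {rule['name']} -j ACCEPT"
            )
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"


def render_both(rules):
    """Return {'iptables': ..., 'ip6tables': ...}, ready to write to the files
    that iptables-restore / ip6tables-restore load at service start."""
    return {"iptables": render_restore(rules, 4),
            "ip6tables": render_restore(rules, 6)}
```

In a playbook the same output would come from a jinja template fed by the rule list, written to the distribution's rules file and loaded through the normal iptables service mechanism.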