[openstack-dev] [openstack-ansible][security] To firewalld, or not to firewalld

Jean-Philippe Evrard jean-philippe at evrard.me
Thu Jul 27 06:31:58 UTC 2017


Hello,

A few additions for/against firewalld, linked to Ansible's firewalld
module: http://docs.ansible.com/ansible/latest/firewalld_module.html

+:
The module is built-in, so no need to ship it. It provides idempotency, and
is easy to use.

-:
The module is: "Not tested on any Debian based system.
Requires the python2 bindings of firewalld, which may not be installed by
default if the distribution switched to python 3".

My take:

For people who aren't iptables experts, the firewalld module brings a lot of
readability.
If we do the equivalent tasks with iptables, the readability will be
brought in by variables (I mean variables to list ports_to_open are fairly
easy to understand).

I myself prefer to always use modules, and so, to use the firewalld
module (because it's already upstream, fewer tasks and therefore less error
prone).
However, that would mean that we improve the module itself to grant what we
need: real Ubuntu and python3 support.
Maybe it's a crusade that nobody wants to partake in, and using iptables
would mean a path of least resistance, therefore easier to ship.
On top of it, if it's more of a hassle to use the module due to complex rules
(do we even need that?), I'd understand the move to iptables management. Is
there already a role to handle this?

Best regards,
JP

On Wed, Jul 26, 2017 at 3:59 PM, Major Hayden <major at mhtx.net> wrote:

> Hey there,
>
> I'm working through some drafts of a spec[0] (rendered[1]) that aims to
> deploy software firewalls within an OpenStack-Ansible deployment. The goal
> is to increase security by restricting lateral movement.
>
> One of the questions that was raised was the method for managing firewall
> rules. The spec lays out a plan for firewalld since it is available in the
> supported operating systems (Ubuntu 16.04, CentOS 7, OpenSUSE 42.x) and it
> allows us to control IPv4/IPv6 rules in the same place.
>
> However, Logan makes a good point about using a jinja template to write
> firewall rules to a file and load that via normal iptables service
> mechanisms. I definitely see merit to that approach, too.
>
> I'd really like feedback from developers/operators of OpenStack-Ansible to
> determine the best method to proceed. Here's what I've come up with so far:
>
> firewalld advantages
> --------------------
> 1) Available in all distributions we support
> 2) Provides simple commands to interface with firewall rules
> 3) Manages IPv4/IPv6 iptables rules at the same time
>
> firewalld disadvantages
> -----------------------
> 1) Different distributions have different base rule sets
> 2) Medium/High complexity rules require --direct, which is like using
> iptables anyway
> 3) It's another daemon to manage/monitor
> 4) We wouldn't be able to use firewalld's "zones" very heavily
> 5) Saving/restoring iptables rules is battle-tested already
>
>
> [0] https://review.openstack.org/#/c/479415/
> [1] http://docs-draft.openstack.org/15/479415/5/check/gate-openstack-ansible-specs-docs-ubuntu-xenial/6a50e01//doc/build/html/specs/pike/software-firewall.html
>
> --
> Major Hayden
>
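The two approaches debated above, side by side in one playbook, as an added example that is not from the spec or from either poster. It assumes a ports_to_open variable (JP's name, with a constructed structure), a firewall_backend switch of my own, and the Ubuntu iptables-persistent file layout under /etc/iptables/.

```yaml
# Added example, not from the spec or either poster. One data variable
# (ports_to_open) drives both backends so the rule set lives in data.
- hosts: all
  become: true
  vars:
    firewall_backend: firewalld     # assumed switch: firewalld | iptables
    ports_to_open:                  # constructed sample values
      - { port: 22,   proto: tcp }
      - { port: 5672, proto: tcp }  # e.g. RabbitMQ on the management net
  tasks:
    # Approach 1: the built-in firewalld module. Idempotent, and one task
    # covers IPv4 and IPv6 since firewalld programs both tables itself.
    - name: Open required ports via firewalld
      firewalld:
        port: "{{ item.port }}/{{ item.proto }}"
        zone: public
        permanent: true
        immediate: true
        state: enabled
      with_items: "{{ ports_to_open }}"
      when: firewall_backend == 'firewalld'

    # Approach 2: render iptables-restore files from the same variable,
    # one per address family (paths assume Ubuntu's iptables-persistent).
    # Default-deny INPUT, allow loopback and established flows, then only
    # the listed ports. ICMPv6 must stay open or neighbour discovery breaks.
    - name: Render iptables rule files
      copy:
        dest: "{{ item.dest }}"
        content: |
          *filter
          :INPUT DROP [0:0]
          :FORWARD DROP [0:0]
          :OUTPUT ACCEPT [0:0]
          -A INPUT -i lo -j ACCEPT
          -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
          {% if item.family == 6 %}-A INPUT -p ipv6-icmp -j ACCEPT{% endif %}
          {% for rule in ports_to_open %}
          -A INPUT -p {{ rule.proto }} --dport {{ rule.port }} -j ACCEPT
          {% endfor %}
          COMMIT
      with_items:
        - { dest: /etc/iptables/rules.v4, family: 4 }
        - { dest: /etc/iptables/rules.v6, family: 6 }
      when: firewall_backend == 'iptables'
      notify: reload iptables

  handlers:
    - name: reload iptables
      shell: iptables-restore < /etc/iptables/rules.v4 && ip6tables-restore < /etc/iptables/rules.v6
```

Both branches leave the same ports open, which makes it easy to diff the resulting iptables -S output on a test host and see the difference in base rule sets that Major's first disadvantage refers to.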