[openstack-dev] [openstack-ansible][security] To firewalld, or not to firewalld

Mark Mielke mark.mielke at gmail.com
Thu Jul 27 10:44:17 UTC 2017


On Thu, Jul 27, 2017 at 2:31 AM, Jean-Philippe Evrard <
jean-philippe at evrard.me> wrote:
>
> For people who aren't iptables experts, the firewalld module brings a lot of
> readability.
> If we are doing the tasks equivalent with iptables, the readability will
> be brought in by variables (I mean variables to list ports_to_open are
> fairly easy to understand).
>
> I am myself preferring to always use modules, and so, use the firewalld
> module (because it's already upstream, fewer tasks and therefore less error
> prone).
> However, that would mean that we improve the module itself to grant what
> we need: Real Ubuntu and python3 support.
> Maybe it's a crusade that nobody wants to partake in, and using iptables
> would mean a path to least resistance, therefore easier to ship.
> On top of it, if it's more a hassle to use the module due to complex rules
> (do we even need that?), I'd understand the move to iptables management. Is
> there already a role to handle this?
>


I have been thinking about nftables for our use cases. iptables is (slowly)
on its way out. firewalld does provide some abstraction from this, in that
firewalld could provide an interface to translate from iptables to nftables
without application changes. But, I am concerned that firewalld is not
sophisticated enough to meet requirements, and I am hesitant to really
invest in it if it is too simple for requirements.

Just some food for thought I had to offer...
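The two styles the thread weighs against each other, as an added illustration that is not part of the original message: the same ports_to_open list driving the firewalld module on one OS family and the iptables module on the other. The host group, port numbers and service comments are assumed for the example; the iptables variant also shows the default-deny and established-connection rules that firewalld's zone model gives you implicitly.

```yaml
# Added example, not from the thread. ports_to_open and the port values
# are constructed; adjust to the services actually deployed on the host.
- hosts: controllers
  become: true
  vars:
    ports_to_open:
      - 5000   # assumed: keystone public API
      - 8774   # assumed: nova API
  tasks:
    # firewalld style: the module handles persistence and the default
    # zone already drops everything that is not explicitly enabled.
    - name: Open ports with the firewalld module
      firewalld:
        port: "{{ item }}/tcp"
        permanent: true
        immediate: true
        state: enabled
      loop: "{{ ports_to_open }}"
      when: ansible_os_family == "RedHat"

    # iptables style: more tasks, because default policy, loopback and
    # established traffic must be spelled out before the ports list is useful.
    - name: Allow loopback and established connections
      iptables:
        chain: INPUT
        ctstate: "{{ item.ctstate | default(omit) }}"
        in_interface: "{{ item.iface | default(omit) }}"
        jump: ACCEPT
      loop:
        - { iface: lo }
        - { ctstate: "ESTABLISHED,RELATED" }
      when: ansible_os_family == "Debian"

    - name: Open the same ports with the iptables module
      iptables:
        chain: INPUT
        protocol: tcp
        destination_port: "{{ item }}"
        ctstate: NEW
        jump: ACCEPT
        comment: "openstack-ansible managed"
      loop: "{{ ports_to_open }}"
      when: ansible_os_family == "Debian"

    - name: Drop everything else on INPUT
      iptables:
        chain: INPUT
        policy: DROP
      when: ansible_os_family == "Debian"
```

The iptables module changes only the running ruleset, so a separate step (iptables-save or a persistence package) is still needed for the rules to survive a reboot, which is part of the extra task count the reply refers to.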