[openstack-dev] [openstack-ansible][security] To firewalld, or not to firewalld

Markos Chandras mchandras at suse.de
Fri Jul 28 06:49:32 UTC 2017

On 07/26/2017 05:59 PM, Major Hayden wrote:
> firewalld disadvantages
> -----------------------
> 1) Different distributions have different base rule sets

Also, different distributions offer different versions of firewalld, which
means different behavior and possibly bugs between them. The Ansible
module may not always 'mask' such things, so we are either going to spend time
improving the module or work around all these in our playbooks. Improving
the upstream module is of course a good thing, but I just wanted to point
out the maintenance cost of that.

> 2) Medium/High complexity rules require --direct, which is like using iptables anyway
> 3) It's another daemon to manage/monitor
> 4) We wouldn't be able to use firewalld's "zones" very heavily
> 5) Saving/restoring iptables rules is battle-tested already

I am slightly in favor of iptables (or even nftables), mostly because
they provide a stable, known interface which can work for simple and
complex rules. As your 2nd point above correctly states, if we start
using the 'direct' rule feature of firewalld, then we will end up having
a mixture of pure firewalld and iptables rules, which may not be the
cleanest option in terms of maintainability.


SUSE LINUX GmbH | GF: Felix Imendörffer, Jane Smithard, Graham Norton
HRB 21284 (AG Nürnberg) Maxfeldstr. 5, D-90409, Nürnberg
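The point made above about `--direct` rules, as an added example that is not part of this message or of the openstack-ansible project: the same host-firewall policy rendered once as an `iptables-restore` ruleset and once as `firewall-cmd --direct` commands. The rule bodies are constructed sample rules, the management CIDR `10.0.0.0/24` and the port list are assumed values, and the function names are mine. The direct form wraps the identical iptables arguments in a `firewall-cmd` invocation plus a priority, so the rule logic is still written in iptables syntax either way.

```shell
#!/bin/sh
# Added example (not from the thread or the openstack-ansible project):
# one policy rendered as an iptables-restore file and as firewalld direct rules.
# MGMT_CIDR is an assumed value; override it in the environment if needed.
MGMT_CIDR="${MGMT_CIDR:-10.0.0.0/24}"

# Constructed rule list, one per line: "<chain> <prio> <iptables args>".
# The priority is only used by firewalld --direct for ordering; iptables-restore
# simply keeps file order. The final explicit DROP is there so the direct form
# does not depend on whatever chain policy firewalld's zones leave in place.
rules() {
    cat <<EOF
INPUT 0 -i lo -j ACCEPT
INPUT 1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
INPUT 2 -m conntrack --ctstate INVALID -j DROP
INPUT 10 -s ${MGMT_CIDR} -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
INPUT 20 -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
INPUT 90 -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
INPUT 99 -j DROP
EOF
}

# Number of rules in the list (used for cross-checking the two renderings).
rule_count() {
    rules | wc -l | tr -d ' '
}

# Render an iptables-restore ruleset for the filter table with a DROP policy
# on INPUT/FORWARD. This is what iptables-save would hand back, so it can be
# saved, diffed and restored atomically.
render_ruleset() {
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    rules | while read -r chain prio args; do
        printf '%s %s %s\n' '-A' "$chain" "$args"
    done
    printf 'COMMIT\n'
}

# Render the firewalld equivalent. Each rule becomes a --direct passthrough
# carrying the very same iptables arguments; firewalld evaluates these from its
# own *_direct chains ahead of the zone rules, so zone and direct rules coexist.
render_direct() {
    rules | while read -r chain prio args; do
        printf 'firewall-cmd --permanent --direct --add-rule ipv4 filter %s %s %s\n' \
            "$chain" "$prio" "$args"
    done
}

# Syntax-check the rendered ruleset with iptables' own parser when possible
# (needs iptables-restore and root); otherwise report that it was skipped.
validate_ruleset() {
    if command -v iptables-restore >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
        render_ruleset | iptables-restore --test && echo "ruleset: OK"
    else
        echo "ruleset: iptables-restore --test skipped (needs root and iptables)"
    fi
}

echo "# iptables-restore form"
render_ruleset
echo
echo "# firewalld --direct form (same iptables arguments, wrapped)"
render_direct
validate_ruleset
```

Run it as-is to see both renderings side by side; with root and iptables installed, the last line also confirms that the iptables-restore form parses. Note that `iptables-restore` replaces the whole table in one transaction, which is what makes the save/restore approach idempotent, whereas each `--direct --add-rule` is applied individually and must be paired with a matching `--remove-rule` to undo.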
