[openstack-dev] [tripleo][pre] removing default ssh rule from tripleo::firewall::pre
Lars Kellogg-Stedman
lars at redhat.com
Fri Jul 13 02:17:25 UTC 2018
I've had a few operators complain about the permissive rule tripleo
creates for ssh. The current alternatives seem to be to either disable
tripleo firewall management completely, or move from the default-deny
model to a set of rules that include higher-priority blacklist rules
for ssh traffic.
I've just submitted a pair of reviews [1] that (a) remove the default
"allow ssh from everywhere" rule in tripleo::firewall::pre and (b) add
a DefaultFirewallRules parameter to the tripleo-firewall service.
The default value for this new parameter is the same rule that was
previously in tripleo::firewall::pre, but now it can be replaced by an
operator as part of the deployment configuration.
For example, a deployment can include:
parameter_defaults:
  DefaultFirewallRules:
    tripleo.tripleo_firewall.firewall_rules:
      '003 allow ssh from internal networks':
        source: '172.16.0.0/22'
        proto: 'tcp'
        dport: 22
      '003 allow ssh from bastion host':
        source: '192.168.1.10'
        proto: 'tcp'
        dport: 22
[1] https://review.openstack.org/#/q/topic:feature/firewall%20(status:open%20OR%20status:merged)
--
Lars Kellogg-Stedman <lars at redhat.com> | larsks @ {irc,twitter,github}
http://blog.oddbit.com/ |
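An added example, not part of the post or of tripleo: an audit over the parsed form of the DefaultFirewallRules block above that flags any rule admitting TCP/22 with no source at all (the shape of the old "allow ssh from everywhere" default) or from a source outside an operator-chosen allow list. The dict mirrors the YAML in the post plus one constructed unrestricted rule; the helper names and the tcp-by-default assumption for a missing proto are mine.

```python
import ipaddress

# Constructed sample input: the parsed form of the parameter_defaults block from
# the post, plus one deliberately source-less rule (constructed) so the audit
# has something to flag.
SAMPLE_PARAMETER_DEFAULTS = {
    "DefaultFirewallRules": {
        "tripleo.tripleo_firewall.firewall_rules": {
            "003 allow ssh from internal networks": {
                "source": "172.16.0.0/22", "proto": "tcp", "dport": 22},
            "003 allow ssh from bastion host": {
                "source": "192.168.1.10", "proto": "tcp", "dport": 22},
            "003 accept ssh (constructed, unrestricted)": {
                "proto": "tcp", "dport": 22},
        }
    }
}

RULES_KEY = "tripleo.tripleo_firewall.firewall_rules"


def _ports(dport):
    """Expand a dport value (int, 'a:b' / 'a-b' range string, or a list of those) to a set of ints."""
    if dport is None:
        return set()
    if isinstance(dport, list):
        return set().union(*(_ports(p) for p in dport))
    text = str(dport).replace("-", ":")
    if ":" in text:
        lo, hi = (int(x) for x in text.split(":", 1))
        return set(range(lo, hi + 1))
    return {int(text)}


def ssh_rule_findings(parameter_defaults, allowed_networks, ssh_port=22):
    """Return (rule_name, reason) for each rule that admits TCP/ssh_port from
    anywhere, or from a source not contained in one of allowed_networks."""
    allowed = [ipaddress.ip_network(n) for n in allowed_networks]
    rules = parameter_defaults.get("DefaultFirewallRules", {}).get(RULES_KEY, {})
    findings = []
    for name, rule in rules.items():
        # Assumption: a rule with no proto behaves as tcp (puppet-firewall default).
        if rule.get("proto", "tcp") not in ("tcp", "all"):
            continue
        if ssh_port not in _ports(rule.get("dport")):
            continue
        if "source" not in rule:
            findings.append((name, "no source restriction"))
            continue
        src = ipaddress.ip_network(rule["source"], strict=False)  # host -> /32
        if not any(src.version == n.version and src.subnet_of(n) for n in allowed):
            findings.append((name, "source %s outside allowed networks" % src))
    return findings
```

Run it against the real parameter_defaults before deploying to confirm that only the intended internal networks and bastion hosts can reach ssh.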