Hey there,

I'm working through some drafts of a spec[0] (rendered[1]) that aims to deploy software firewalls within an OpenStack-Ansible deployment. The goal is to increase security by restricting lateral movement.

One of the questions that was raised was the method for managing firewall rules. The spec lays out a plan for firewalld since it is available in the supported operating systems (Ubuntu 16.04, CentOS 7, OpenSUSE 42.x) and it allows us to control IPv4/IPv6 rules in the same place. However, Logan makes a good point about using a jinja template to write firewall rules to a file and load that via normal iptables service mechanisms. I definitely see merit to that approach, too.

I'd really like feedback from developers/operators of OpenStack-Ansible to determine the best method to proceed. Here's what I've come up with so far:

firewalld advantages
--------------------
1) Available in all distributions we support
2) Provides simple commands to interface with firewall rules
3) Manages IPv4/IPv6 iptables rules at the same time

firewalld disadvantages
-----------------------
1) Different distributions have different base rule sets
2) Medium/High complexity rules require --direct, which is like using iptables anyway
3) It's another daemon to manage/monitor
4) We wouldn't be able to use firewalld's "zones" very heavily
5) Saving/restoring iptables rules is battle-tested already

[0] https://review.openstack.org/#/c/479415/
[1] http://docs-draft.openstack.org/15/479415/5/check/gate-openstack-ansible-specs-docs-ubuntu-xenial/6a50e01//doc/build/html/specs/pike/software-firewall.html

-- 
Major Hayden
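A sketch of what the jinja-template approach mentioned above could look like, added here as an illustration; it is not the spec's template nor anything from the OpenStack-Ansible project. One template is rendered twice, once per address family, into iptables-restore format, which covers the "IPv4/IPv6 in one place" point without running a daemon. The variable names (fw_family, fw_mgmt_networks, fw_services) are assumed, and the family checks rely on Ansible's ipaddr filters (ipv4/ipv6), which need python-netaddr on the control host.

```jinja
{# software-firewall.j2 (constructed example, not the OSA spec's template).
   Rendered once with fw_family: ipv4 into /etc/iptables/rules.v4 and once
   with fw_family: ipv6 into /etc/iptables/rules.v6, then loaded with
   iptables-restore / ip6tables-restore. Assumed variables:
     fw_family        "ipv4" or "ipv6"
     fw_mgmt_networks list of CIDRs allowed to reach SSH
     fw_services      list of {name, proto, port, sources} for this host's role #}
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
{# Loopback and reply traffic are always needed #}
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
{% if fw_family == 'ipv6' %}
{# Neighbour discovery and PMTU discovery run over ICMPv6; dropping it breaks IPv6 #}
-A INPUT -p ipv6-icmp -j ACCEPT
{% else %}
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
{% endif %}
{# SSH only from management networks of the matching address family #}
{% for net in fw_mgmt_networks if (fw_family == 'ipv4' and net | ipv4) or (fw_family == 'ipv6' and net | ipv6) %}
-A INPUT -s {{ net }} -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
{% endfor %}
{# Per-role services, each opened only to the peers that need them #}
{% for svc in fw_services %}
{%   for src in svc.sources if (fw_family == 'ipv4' and src | ipv4) or (fw_family == 'ipv6' and src | ipv6) %}
-A INPUT -s {{ src }} -p {{ svc.proto }} --dport {{ svc.port }} -m conntrack --ctstate NEW -m comment --comment "{{ svc.name }}" -j ACCEPT
{%   endfor %}
{% endfor %}
{# Log what the default DROP policy discards so blocked east-west traffic shows up in syslog #}
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "osa-fw-drop: "
COMMIT
```

Ansible's template module can render this twice by setting fw_family per task; iptables-restore ignores the blank lines the Jinja tags leave behind, or a `#jinja2: trim_blocks: True` header at the top of the template removes them.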
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev