In my previous job we had to build a firewall solution for our OpenStack control plane. Our research found that firewalld may have a habit of 'fighting' against the rules added by certain OpenStack services. This was over a year ago, so things may have changed. We didn't pursue firewalld as a solution, so perhaps these issues are non-existent or surmountable.
The solution we built used a conf.d/ mechanism layered on top of iptables. An advantage of this approach is that operators or co-resident software stacks could add their own rules to the firewall. AFAIK, this is not generally possible when using iptables-save/restore as it relies on a single configuration file which must be 'owned' by something - in this case presumably OSA. I'm not suggesting that you reimplement the solution I've described, but it does outline one benefit of firewalld - OSA would not need to entirely own the firewall configuration.

On 28 July 2017 at 07:49, Markos Chandras <mchand...@suse.de> wrote:
> On 07/26/2017 05:59 PM, Major Hayden wrote:
> >
> > firewalld disadvantages
> > -----------------------
> > 1) Different distributions have different base rule sets
>
> Also, different distributions offer different versions of firewalld, which
> means different behavior and possibly bugs between them. The Ansible
> module may not always 'mask' such things, so we are either going to spend time
> improving the module or work around all these in our playbooks. Improving
> the upstream module is of course a good thing, but I just wanted to point
> out the maintenance cost of that.
>
> > 2) Medium/High complexity rules require --direct, which is like using
> > iptables anyway
> > 3) It's another daemon to manage/monitor
> > 4) We wouldn't be able to use firewalld's "zones" very heavily
> > 5) Saving/restoring iptables rules is battle-tested already
>
> I am slightly in favor of iptables (or even nftables), mostly because
> they provide a stable, known interface which can work for simple and
> complex rules. As your 2nd point above correctly states, if we start
> using the 'direct' rule feature of firewalld, then we will end up having
> a mixture of pure firewalld and iptables rules, which may not be the
> cleanest option in terms of maintainability.
>
> --
> markos
>
> SUSE LINUX GmbH | GF: Felix Imendörffer, Jane Smithard, Graham Norton
> HRB 21284 (AG Nürnberg) Maxfeldstr. 5, D-90409, Nürnberg
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
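For readers who want to see what a conf.d/ layer over iptables looks like in practice, here is an added example. It is not the poster's code and not OpenStack-Ansible's; it is a minimal assembler that concatenates rule fragments from several owners into one iptables-restore ruleset, so that one atomic load still happens while no single component has to own the whole file. Everything about the layout is an assumption: the directory name, the NN-owner.rules naming, the fragment syntax (plain filter-table rules in iptables-restore form), and the sample ports in the constructed fragments.

```shell
#!/bin/sh
# Added example, not code from the poster's deployment or from OpenStack-Ansible:
# a minimal conf.d assembler for iptables-restore, to show how several owners can
# each contribute rules while one atomic ruleset is still what gets loaded.
#
# Assumed layout (hypothetical): $IPT_CONFD/NN-owner.rules, each file a fragment
# of filter-table rules in iptables-restore syntax. Lexical order is load order,
# so the numeric prefix decides who comes first (10-base, 50-openstack, 90-operator).

set -u

# fragment_ok FILE: a drop-in may only append rules (-A) or declare its own
# user chains (":name - [0:0]"). Policy lines for built-in chains, "*table"
# switches, COMMIT and anything else are refused, so a drop-in cannot flip a
# default policy or end the table early.
fragment_ok() {
    awk '!/^[[:space:]]*#/ && !/^[[:space:]]*$/ && !/^-A / && !/^:[^ ]+ - / { bad = 1 }
         END { exit bad ? 1 : 0 }' "$1"
}

# assemble_ruleset DIR: print one complete iptables-restore ruleset built from
# DIR/*.rules. The table header, default policies and the final catch-all
# REJECT are emitted here, by the owner of the mechanism, so no fragment can
# remove them and every drop-in lands before the catch-all.
assemble_ruleset() {
    dir="$1"
    printf '*filter\n:INPUT DROP [0:0]\n:FORWARD DROP [0:0]\n:OUTPUT ACCEPT [0:0]\n'
    for f in "$dir"/*.rules; do
        [ -f "$f" ] || continue
        fragment_ok "$f" || { printf 'refusing fragment %s\n' "$f" >&2; return 1; }
        printf '# --- %s ---\n' "${f##*/}"
        awk '!/^[[:space:]]*#/ && !/^[[:space:]]*$/' "$f"
    done
    printf -- '-A INPUT -j REJECT\nCOMMIT\n'
}

# apply_ruleset DIR: parse the assembled ruleset with --test first (no kernel
# change), then load it. iptables-restore swaps the whole table in one step,
# so there is no window with a half-loaded firewall.
apply_ruleset() {
    rules="$(assemble_ruleset "$1")" || return 1
    printf '%s\n' "$rules" | iptables-restore --test || return 1
    printf '%s\n' "$rules" | iptables-restore
}

# make_demo_confd: write three constructed fragments (not taken from any real
# deployment) into a temporary directory and print its path.
make_demo_confd() {
    d="$(mktemp -d)"
    cat > "$d/10-base.rules" <<'EOF'
# owned by the firewall mechanism itself
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
EOF
    cat > "$d/50-openstack.rules" <<'EOF'
# owned by the OpenStack deployment tooling; hypothetical ports
:openstack-api - [0:0]
-A INPUT -j openstack-api
-A openstack-api -p tcp --dport 5000 -j ACCEPT
-A openstack-api -p tcp --dport 8774 -j ACCEPT
EOF
    cat > "$d/90-operator.rules" <<'EOF'
# owned by the operator, never touched by the deployment tooling
-A INPUT -s 10.0.0.0/8 -p tcp --dport 9100 -j ACCEPT
EOF
    printf '%s\n' "$d"
}

# "sh this-script.sh demo" prints the assembled ruleset for the constructed
# fragments; "sh this-script.sh apply /etc/iptables.d" would load a real one.
case "${1:-}" in
    demo)  assemble_ruleset "$(make_demo_confd)" ;;
    apply) apply_ruleset "${2:?conf.d directory required}" ;;
esac
```

The point of the lint in fragment_ok is the one the thread circles around: once several parties write into the same firewall, the mechanism's owner has to decide what a drop-in is allowed to say. Restricting fragments to appends and private chains keeps the default policies and the trailing REJECT under one owner, while the deployment tooling and the operator each keep their own file and never have to edit each other's.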