Update features guide for firewall management
This change updates our firewall management docs to reflect the current process to manage firewall rules.

Change-Id: I71a9e2a841b84a1a4e98a5ab4d5ab2d2b84f8572
Signed-off-by: Kevin Carter <kecarter@redhat.com>
This commit is contained in:
parent
bf4a63b6a8
commit
e710bbb57b
@ -136,13 +136,14 @@ Rules can be declared using an environment file and injected into
|
|||||||
Firewall Management
|
Firewall Management
|
||||||
-------------------
|
-------------------
|
||||||
|
|
||||||
iptables rules are automatically deployed on overcloud nodes to open only the
|
Iptables rules are automatically deployed on overcloud nodes to open only the
|
||||||
ports which are needed to get OpenStack working. Rules can be added during the
|
ports which are needed to get OpenStack working. Rules can be added during the
|
||||||
deployement when is needed. For example, for Zabbix monitoring system::
|
deployment when needed. For example, for Zabbix monitoring system.
|
||||||
|
|
||||||
|
.. code-block:: yaml
|
||||||
|
|
||||||
parameter_defaults:
|
parameter_defaults:
|
||||||
ControllerExtraConfig:
|
ExtraFirewallRules:
|
||||||
tripleo::firewall::firewall_rules:
|
|
||||||
'301 allow zabbix':
|
'301 allow zabbix':
|
||||||
dport: 10050
|
dport: 10050
|
||||||
proto: tcp
|
proto: tcp
|
||||||
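Review bot: swapping `ControllerExtraConfig` / `tripleo::firewall::firewall_rules` for a top-level `ExtraFirewallRules` changes the scope of the example without saying so: the old hiera key applied only to the Controller role, while the new parameter sits directly under `parameter_defaults` with no role qualifier, so the paragraph should state where the Zabbix rule now lands (every overcloud node, or how to limit it to one role) so readers do not open 10050/tcp on nodes that run no Zabbix agent. Smaller point in the same hunk: the new sentence `deployment when needed. For example, for Zabbix monitoring system.` should end with a colon rather than a full stop, since it leads straight into the `.. code-block:: yaml` directive that replaced the `::` literal block.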
@ -151,64 +152,54 @@ deployement when is needed. For example, for Zabbix monitoring system::
|
|||||||
|
|
||||||
Rules can also be used to restrict access. The number used at definition of a
|
Rules can also be used to restrict access. The number used at definition of a
|
||||||
rule will determine where the iptables rule will be inserted. For example,
|
rule will determine where the iptables rule will be inserted. For example,
|
||||||
rabbitmq rule number is 109 by default. If you want to restrain it, you can do::
|
rabbitmq rule number is 109 by default. If you want to restrain it, you could
|
||||||
|
do.
|
||||||
|
|
||||||
|
.. code-block:: yaml
|
||||||
|
|
||||||
parameter_defaults:
|
parameter_defaults:
|
||||||
ControllerExtraConfig:
|
ExtraFirewallRules:
|
||||||
tripleo::firewall::firewall_rules:
|
|
||||||
'098 allow rabbit from internalapi network':
|
'098 allow rabbit from internalapi network':
|
||||||
dport: [4369,5672,25672]
|
dport:
|
||||||
|
- 4369
|
||||||
|
- 5672
|
||||||
|
- 25672
|
||||||
proto: tcp
|
proto: tcp
|
||||||
source: 10.0.0.0/24
|
source: 10.0.0.0/24
|
||||||
action: accept
|
action: accept
|
||||||
'099 drop other rabbit access':
|
'099 drop other rabbit access':
|
||||||
dport: [4369,5672,25672]
|
dport:
|
||||||
|
- 4369
|
||||||
|
- 5672
|
||||||
|
- 25672
|
||||||
proto: tcp
|
proto: tcp
|
||||||
action: drop
|
action: drop
|
||||||
|
|
||||||
In this example, 098 and 099 are arbitrarily chosen numbers that are smaller than
|
In this example, 098 and 099 are arbitrarily numbers that are smaller than the
|
||||||
the rabbitmq rule number 109. To know the number of a rule, you can inspect
|
default rabbitmq rule number. To know the number of a rule, inspect the active
|
||||||
the iptables rule on the appropriate node (controller, in case of rabbitmq)::
|
iptables rules on an appropriate node (controller, in case of rabbitmq)
|
||||||
|
|
||||||
|
.. code-block:: shell
|
||||||
|
|
||||||
iptables-save
|
iptables-save
|
||||||
[...]
|
[...]
|
||||||
-A INPUT -p tcp -m multiport --dports 4369,5672,25672 -m comment --comment "109 rabbitmq" -m state --state NEW -j ACCEPT
|
-A INPUT -p tcp -m multiport --dports 4369,5672,25672 -m comment --comment "109 rabbitmq" -m state --state NEW -j ACCEPT
|
||||||
|
|
||||||
Alternatively it's possible to get the information in tripleo service in the
|
Alternatively it's possible to get the information in tripleo service in the
|
||||||
definition. In our case in `deployment/rabbitmq/rabbitmq-container-puppet.yaml`::
|
definition. In our case in `deployment/rabbitmq/rabbitmq-container-puppet.yaml`.
|
||||||
|
|
||||||
tripleo.rabbitmq.firewall_rules:
|
.. code-block:: yaml
|
||||||
|
|
||||||
|
firewall_rules:
|
||||||
'109 rabbitmq':
|
'109 rabbitmq':
|
||||||
dport:
|
dport:
|
||||||
- 4369
|
- 4369
|
||||||
- 5672
|
- 5672
|
||||||
- 25672
|
- 25672
|
||||||
|
- 25673-25683
|
||||||
|
|
||||||
The following parameters can be set for a rule:
|
Additional information regarding the the available interface options, the role,
|
||||||
|
some of the implementation details can be reviewed `here <https://docs.openstack.org/tripleo-ansible/latest/roles/role-tripleo_firewall.html>`_.
|
||||||
* **port**: The port associated to the rule. Deprecated by puppetlabs-firewall.
|
|
||||||
|
|
||||||
* **dport**: The destination port associated to the rule.
|
|
||||||
|
|
||||||
* **sport**: The source port associated to the rule.
|
|
||||||
|
|
||||||
* **proto**: The protocol associated to the rule. Defaults to 'tcp'
|
|
||||||
|
|
||||||
* **action**: The action policy associated to the rule. Defaults to 'accept'
|
|
||||||
|
|
||||||
* **jump**: The chain to jump to.
|
|
||||||
|
|
||||||
* **state**: Array of states associated to the rule. Default to ['NEW']
|
|
||||||
|
|
||||||
* **source**: The source IP address associated to the rule.
|
|
||||||
|
|
||||||
* **iniface**: The network interface associated to the rule.
|
|
||||||
|
|
||||||
* **chain**: The chain associated to the rule. Default to 'INPUT'
|
|
||||||
|
|
||||||
* **destination**: The destination cidr associated to the rule.
|
|
||||||
|
|
||||||
* **extras**: Hash of any additional parameters supported by the puppetlabs-firewall module.
|
|
||||||
|
|
||||||
AIDE - Intrusion Detection
|
AIDE - Intrusion Detection
|
||||||
--------------------------
|
--------------------------
|
||||||
|
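Review bot: the restriction example in this hunk no longer covers the whole default rule it is meant to override. The default `'109 rabbitmq'` rule shown further down gains `- 25673-25683`, but `'098 allow rabbit from internalapi network'` and `'099 drop other rabbit access'` still list only `4369`, `5672` and `25672`, so traffic to 25673-25683 falls through the drop rule and is accepted by rule 109 from any source; add the same range to the dport lists of 098 and 099, or say explicitly that the example only restricts the three classic ports. Wording: `098 and 099 are arbitrarily numbers` lost the word "chosen" that the old text had; `regarding the the available interface options` doubles "the"; and the sentences now ending `you could` / `do.` and `(controller, in case of rabbitmq)` need a trailing colon to introduce their `.. code-block::` directives, since the `::` markers that used to do that were removed.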