Update features guide for firewall management

This change updates our firewall management docs to reflect the current
process to manage firewall rules.

Change-Id: I71a9e2a841b84a1a4e98a5ab4d5ab2d2b84f8572
Signed-off-by: Kevin Carter <kecarter@redhat.com>
Kevin Carter 2020-05-28 15:11:51 -05:00
parent bf4a63b6a8
commit e710bbb57b
1 changed file with 42 additions and 51 deletions


@ -136,79 +136,70 @@ Rules can be declared using an environment file and injected into
Firewall Management Firewall Management
------------------- -------------------
iptables rules are automatically deployed on overcloud nodes to open only the Iptables rules are automatically deployed on overcloud nodes to open only the
ports which are needed to get OpenStack working. Rules can be added during the ports which are needed to get OpenStack working. Rules can be added during the
deployement when is needed. For example, for Zabbix monitoring system:: deployment when needed. For example, for Zabbix monitoring system.
.. code-block:: yaml
parameter_defaults: parameter_defaults:
ControllerExtraConfig: ExtraFirewallRules:
tripleo::firewall::firewall_rules: '301 allow zabbix':
'301 allow zabbix': dport: 10050
dport: 10050 proto: tcp
proto: tcp source: 10.0.0.8
source: 10.0.0.8 action: accept
action: accept
Rules can also be used to restrict access. The number used at definition of a Rules can also be used to restrict access. The number used at definition of a
rule will determine where the iptables rule will be inserted. For example, rule will determine where the iptables rule will be inserted. For example,
rabbitmq rule number is 109 by default. If you want to restrain it, you can do:: rabbitmq rule number is 109 by default. If you want to restrain it, you could
do.
.. code-block:: yaml
parameter_defaults: parameter_defaults:
ControllerExtraConfig: ExtraFirewallRules:
tripleo::firewall::firewall_rules: '098 allow rabbit from internalapi network':
'098 allow rabbit from internalapi network': dport:
dport: [4369,5672,25672] - 4369
proto: tcp - 5672
source: 10.0.0.0/24 - 25672
action: accept proto: tcp
'099 drop other rabbit access': source: 10.0.0.0/24
dport: [4369,5672,25672] action: accept
proto: tcp '099 drop other rabbit access':
action: drop dport:
- 4369
- 5672
- 25672
proto: tcp
action: drop
In this example, 098 and 099 are arbitrarily chosen numbers that are smaller than In this example, 098 and 099 are arbitrarily numbers that are smaller than the
the rabbitmq rule number 109. To know the number of a rule, you can inspect default rabbitmq rule number. To know the number of a rule, inspect the active
the iptables rule on the appropriate node (controller, in case of rabbitmq):: iptables rules on an appropriate node (controller, in case of rabbitmq)
.. code-block:: shell
iptables-save iptables-save
[...] [...]
-A INPUT -p tcp -m multiport --dports 4369,5672,25672 -m comment --comment "109 rabbitmq" -m state --state NEW -j ACCEPT -A INPUT -p tcp -m multiport --dports 4369,5672,25672 -m comment --comment "109 rabbitmq" -m state --state NEW -j ACCEPT
Alternatively it's possible to get the information in tripleo service in the Alternatively it's possible to get the information in tripleo service in the
definition. In our case in `deployment/rabbitmq/rabbitmq-container-puppet.yaml`:: definition. In our case in `deployment/rabbitmq/rabbitmq-container-puppet.yaml`.
tripleo.rabbitmq.firewall_rules: .. code-block:: yaml
firewall_rules:
'109 rabbitmq': '109 rabbitmq':
dport: dport:
- 4369 - 4369
- 5672 - 5672
- 25672 - 25672
- 25673-25683
The following parameters can be set for a rule: Additional information regarding the the available interface options, the role,
some of the implementation details can be reviewed `here <https://docs.openstack.org/tripleo-ansible/latest/roles/role-tripleo_firewall.html>`_.
* **port**: The port associated to the rule. Deprecated by puppetlabs-firewall.
* **dport**: The destination port associated to the rule.
* **sport**: The source port associated to the rule.
* **proto**: The protocol associated to the rule. Defaults to 'tcp'
* **action**: The action policy associated to the rule. Defaults to 'accept'
* **jump**: The chain to jump to.
* **state**: Array of states associated to the rule. Default to ['NEW']
* **source**: The source IP address associated to the rule.
* **iniface**: The network interface associated to the rule.
* **chain**: The chain associated to the rule. Default to 'INPUT'
* **destination**: The destination cidr associated to the rule.
* **extras**: Hash of any additional parameters supported by the puppetlabs-firewall module.
AIDE - Intrusion Detection AIDE - Intrusion Detection
-------------------------- --------------------------
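Review bot: two wording slips in the rewritten text of this hunk: "098 and 099 are arbitrarily numbers" dropped the word "chosen" that the old line carried ("arbitrarily chosen numbers"), and "regarding the the available interface options" doubles "the". The sentences that now lead into the `.. code-block::` directives end in a full stop ("For example, for Zabbix monitoring system.", "you could do."); since the `::` literal-block marker is gone, a colon would read more naturally there. Finally, the removed bullet list was the only place that stated the defaults the examples rely on implicitly (proto 'tcp', action 'accept', state ['NEW'], chain 'INPUT'); please confirm the linked tripleo_firewall role page documents them, or keep a one-line summary of those defaults next to the link so readers of this section still know what an `ExtraFirewallRules` entry does when those keys are omitted.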