openstack/tripleo-docs
Code Issues Proposed changes

Update features guide for firewall management

Browse Source 
This change updates our filewall management docs to reflect the current
process to manage filewall rules.

Change-Id: I71a9e2a841b84a1a4e98a5ab4d5ab2d2b84f8572
Signed-off-by: Kevin Carter <kecarter@redhat.com>
This commit is contained in:
Kevin Carter 2020-05-28 15:11:51 -05:00
parent bf4a63b6a8
commit e710bbb57b
1 changed files with 42 additions and 51 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

69
deploy-guide/source/features/security_hardening.rst
View File

@ -136,13 +136,14 @@ Rules can be declared using an environment file and injected into
Firewall Management
-------------------
iptables rules are automatically deployed on overcloud nodes to open only the
Iptables rules are automatically deployed on overcloud nodes to open only the
ports which are needed to get OpenStack working. Rules can be added during the
deployement when is needed. For example, for Zabbix monitoring system::
deployment when needed. For example, for Zabbix monitoring system.
.. code-block:: yaml
parameter_defaults:
ControllerExtraConfig:
tripleo::firewall::firewall_rules:
ExtraFirewallRules:
'301 allow zabbix':
dport: 10050
proto: tcp
@ -151,64 +152,54 @@ deployement when is needed. For example, for Zabbix monitoring system::
Rules can also be used to restrict access. The number used at definition of a
rule will determine where the iptables rule will be inserted. For example,
rabbitmq rule number is 109 by default. If you want to restrain it, you can do::
rabbitmq rule number is 109 by default. If you want to restrain it, you could
do.
.. code-block:: yaml
parameter_defaults:
ControllerExtraConfig:
tripleo::firewall::firewall_rules:
ExtraFirewallRules:
'098 allow rabbit from internalapi network':
dport: [4369,5672,25672]
dport:
- 4369
- 5672
- 25672
proto: tcp
source: 10.0.0.0/24
action: accept
'099 drop other rabbit access':
dport: [4369,5672,25672]
dport:
- 4369
- 5672
- 25672
proto: tcp
action: drop
In this example, 098 and 099 are arbitrarily chosen numbers that are smaller than
the rabbitmq rule number 109. To know the number of a rule, you can inspect
the iptables rule on the appropriate node (controller, in case of rabbitmq)::
In this example, 098 and 099 are arbitrarily numbers that are smaller than the
default rabbitmq rule number. To know the number of a rule, inspect the active
iptables rules on an appropriate node (controller, in case of rabbitmq)
.. code-block:: shell
iptables-save
[...]
-A INPUT -p tcp -m multiport --dports 4369,5672,25672 -m comment --comment "109 rabbitmq" -m state --state NEW -j ACCEPT
Alternatively it's possible to get the information in tripleo service in the
definition. In our case in `deployment/rabbitmq/rabbitmq-container-puppet.yaml`::
definition. In our case in `deployment/rabbitmq/rabbitmq-container-puppet.yaml`.
tripleo.rabbitmq.firewall_rules:
.. code-block:: yaml
firewall_rules:
'109 rabbitmq':
dport:
- 4369
- 5672
- 25672
- 25673-25683
The following parameters can be set for a rule:
* **port**: The port associated to the rule. Deprecated by puppetlabs-firewall.
* **dport**: The destination port associated to the rule.
* **sport**: The source port associated to the rule.
* **proto**: The protocol associated to the rule. Defaults to 'tcp'
* **action**: The action policy associated to the rule. Defaults to 'accept'
* **jump**: The chain to jump to.
* **state**: Array of states associated to the rule. Default to ['NEW']
* **source**: The source IP address associated to the rule.
* **iniface**: The network interface associated to the rule.
* **chain**: The chain associated to the rule. Default to 'INPUT'
* **destination**: The destination cidr associated to the rule.
* **extras**: Hash of any additional parameters supported by the puppetlabs-firewall module.
Additional information regarding the the available interface options, the role,
some of the implementation details can be reviewed `here <https://docs.openstack.org/tripleo-ansible/latest/roles/role-tripleo_firewall.html>`_.
AIDE - Intrusion Detection
--------------------------