Bug 1006040

Summary: [RFE] Expand firewall configuration and information
Product: OpenShift Container Platform
Reporter: dchia
Component: Documentation
Assignee: brice <bfallonf>
Status: CLOSED CURRENTRELEASE
QA Contact: Alex Dellapenta <adellape>
Severity: medium
Priority: medium
Version: 1.2.0
CC: adellape, baulakh, dchia, jokerman, juwu, libra-onpremise-devel, lmeyer, mmccomas
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2014-10-24 19:28:09 UTC
Type: Bug

Description dchia 2013-09-09 20:56:32 UTC
Description of problem:
The firewalling described in the Deployment Guide isn't very useful. I think it would be more helpful to give more detailed examples like the ones given in the OpenShift Reference Architecture document.

Specifically, [1] from http://www.redhat.com/resourcelibrary/reference-architectures/deploying-and-managing-a-private-paas-with-openshift-enterprise

[1] 7. Configure the firewall for MongoDB traffic on each BSN host to only allow traffic from the broker hosts and the other BSN hosts, no other. Even with this traffic being restricted, the version of MongoDB shipped with this solution is not compiled with SSL support, so all traffic is transmitted via clear text. One other option is to also implement SSH tunnels in between the hosts to secure the traffic even further.

bsn1:
# iptables -I INPUT -i eth0 -p tcp --source 10.16.138.25 --dport 27017 --jump ACCEPT
# iptables -I INPUT -i eth0 -p tcp --source 10.16.138.26 --dport 27017 --jump ACCEPT
# iptables -I INPUT -i eth0 -p tcp --source 10.16.138.27 --dport 27017 --jump ACCEPT
# iptables -I INPUT -i eth0 -p tcp --source 10.16.138.31 --dport 27017 --jump ACCEPT
# service iptables save

bsn2:
# iptables -I INPUT -i eth0 -p tcp --source 10.16.138.25 --dport 27017 --jump ACCEPT
# iptables -I INPUT -i eth0 -p tcp --source 10.16.138.26 --dport 27017 --jump ACCEPT
# iptables -I INPUT -i eth0 -p tcp --source 10.16.138.28 --dport 27017 --jump ACCEPT
# iptables -I INPUT -i eth0 -p tcp --source 10.16.138.31 --dport 27017 --jump ACCEPT
# service iptables save

bsn3:
# iptables -I INPUT -i eth0 -p tcp --source 10.16.138.25 --dport 27017 --jump ACCEPT
# iptables -I INPUT -i eth0 -p tcp --source 10.16.138.26 --dport 27017 --jump ACCEPT
# iptables -I INPUT -i eth0 -p tcp --source 10.16.138.27 --dport 27017 --jump ACCEPT
# iptables -I INPUT -i eth0 -p tcp --source 10.16.138.28 --dport 27017 --jump ACCEPT
# service iptables save

There are different ways to open and close firewall ports on Red Hat Enterprise Linux; this method uses lokkit, one other method is via iptables.


Additional info:
The method pointed out from the reference arch uses iptables commands specifically, not lokkit. lokkit is a very basic (almost too basic) way to configure a firewall (iptables). The method in the reference arch is much more robust and secure. I don't believe that can be achieved with lokkit. The ref arch is not only isolating ports but also restricting them to specific hosts.
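The per-host rule set from the reference architecture, as an added example that is not from the bug report, the Deployment Guide or the reference architecture itself. It generalizes the quoted commands into one script that every BSN host runs with its own address, and adds the catch-all REJECT that the quoted ACCEPT-only rules rely on but do not show; the IPs are the ones quoted above, while IFACE, PORT and the broker/BSN split are assumptions.

```shell
#!/bin/sh
# Added example; not from the bug report or the reference architecture.
# Builds the per-host MongoDB firewall rules described above: TCP/27017 on
# eth0 is accepted only from the broker hosts and the other BSN hosts, and a
# catch-all REJECT closes the port to everyone else. The IPs are the ones
# quoted in the excerpt; IFACE, PORT and the host grouping are assumed.
IFACE=eth0
PORT=27017
BROKERS="10.16.138.25 10.16.138.26"
BSN_HOSTS="10.16.138.27 10.16.138.28 10.16.138.31"

# mongo_rules SELF_IP : print the iptables commands for the host whose own
# address is SELF_IP. The same script runs on every BSN host; each one skips
# its own address from the shared peer list. It only prints, so the rule set
# can be reviewed before being run as root.
mongo_rules() {
    self=$1
    # -I inserts at the top of INPUT, ahead of the trailing "REJECT all" rule
    # that a stock RHEL 6 chain ends with (appended -A rules would never be
    # reached there). Each -I lands above the previous one, so the catch-all
    # is emitted first and the ACCEPT rules after it, which leaves the
    # ACCEPTs above the REJECT in the final chain.
    printf 'iptables -I INPUT -i %s -p tcp --dport %s --jump REJECT --reject-with tcp-reset\n' \
        "$IFACE" "$PORT"
    for ip in $BROKERS $BSN_HOSTS; do
        [ "$ip" = "$self" ] && continue
        printf 'iptables -I INPUT -i %s -p tcp --source %s --dport %s --jump ACCEPT\n' \
            "$IFACE" "$ip" "$PORT"
    done
    printf 'service iptables save\n'
}

# Review the rule set that the host at 10.16.138.28 would apply
mongo_rules 10.16.138.28
```

Without the REJECT line, a chain whose policy is ACCEPT would still let every other host reach 27017, which is the gap a port-only allow list leaves open.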

Comment 5 brice 2014-05-06 06:15:39 UTC
Email from Phil Festoso:

Hi Brice,

Sorry for the long delay. Your revision reads really well. Thanks for the work. I'll copy/paste the section on iptables for the customer to review and give you their feedback as well.

For QE:

The bit that was added was the formalpara underneath the table titled "Configuring a firewall using iptables"

Comment 11 brice 2014-05-21 06:05:43 UTC
Ok. So the info that has been added here has been wildly modified. I've taken Alex's suggestions into account, and changed up the formalpara I had initially added, and changed around the first paragraph of the topic as well.

Still not 100% sure it's all what's needed though, so I welcome any input.

Thanks, all.

Comment 13 brice 2014-09-22 03:56:01 UTC
I had a look at this BZ again. Changes:

* Put the two formalparas into their own sections. Alex suggested it above and I think it works here.
* I checked out the manually configuring iptables bit and judging from my googling, I think the information is correct. I also extended the -(x) options to be more like their longer --(x) options, which I feel gives it a little more context.
* I do think this can work with the current context as enough, but I'm open to suggestion as to what needs to be worked on exactly.
* I changed the QA contact to Alex.

If anyone cced here has any other suggestions let me know. If not, it'd be great to get it onto QA.

Comment 16 brice 2014-09-23 04:16:36 UTC
Luke, thanks much for the detailed information. I can see your reasoning behind it all, and I've edited the topics to pretty much suit your suggestions. I'll presume that's all you have to suggest and put this onto QA.

For QA:
This BZ seems to have reached all of 5.2 in the Deploy Guide, but was initially adding what is now 5.2.2.

Comment 19 brice 2014-09-29 00:22:05 UTC
Luke, thanks for the edits. Sections have been updated.

Comment 21 Alex Dellapenta 2014-10-24 19:28:09 UTC
The OSE 2 Deployment Guide has been updated to address this BZ. See revision history here:

https://access.redhat.com/documentation/en-US/OpenShift_Enterprise/2/html-single/Deployment_Guide/index.html#appe-Revision_History