Description of problem: The firewalling described in the Deployment Guide isn't very useful. I think it would be more helpful to give more detailed examples like the ones given in the OpenShift Reference Architecture document. Specifically, [1] from http://www.redhat.com/resourcelibrary/reference-architectures/deploying-and-managing-a-private-paas-with-openshift-enterprise

[1] 7. Configure the firewall for MongoDB traffic on each BSN host to only allow traffic from the broker hosts and the other BSN hosts, no other. Even with this traffic being restricted, the version of MongoDB shipped with this solution is not compiled with SSL support. So all traffic is transmitted via clear text. One other option is to also implement SSH tunnels in between the hosts to secure the traffic even further.

bsn1:

    # iptables -I INPUT -i eth0 -p tcp --source 10.16.138.25 --dport 27017 --jump ACCEPT
    # iptables -I INPUT -i eth0 -p tcp --source 10.16.138.26 --dport 27017 --jump ACCEPT
    # iptables -I INPUT -i eth0 -p tcp --source 10.16.138.27 --dport 27017 --jump ACCEPT
    # iptables -I INPUT -i eth0 -p tcp --source 10.16.138.31 --dport 27017 --jump ACCEPT
    # service iptables save

bsn2:

    # iptables -I INPUT -i eth0 -p tcp --source 10.16.138.25 --dport 27017 --jump ACCEPT
    # iptables -I INPUT -i eth0 -p tcp --source 10.16.138.26 --dport 27017 --jump ACCEPT
    # iptables -I INPUT -i eth0 -p tcp --source 10.16.138.28 --dport 27017 --jump ACCEPT
    # iptables -I INPUT -i eth0 -p tcp --source 10.16.138.31 --dport 27017 --jump ACCEPT
    # service iptables save

bsn3:

    # iptables -I INPUT -i eth0 -p tcp --source 10.16.138.25 --dport 27017 --jump ACCEPT
    # iptables -I INPUT -i eth0 -p tcp --source 10.16.138.26 --dport 27017 --jump ACCEPT
    # iptables -I INPUT -i eth0 -p tcp --source 10.16.138.27 --dport 27017 --jump ACCEPT
    # iptables -I INPUT -i eth0 -p tcp --source 10.16.138.28 --dport 27017 --jump ACCEPT
    # service iptables save

There are different ways to open and close firewall ports on Red Hat Enterprise Linux; this method uses lokkit, and one other method is via iptables.

Additional info: The method pointed out in the reference arch uses iptables commands specifically, not lokkit. lokkit is a very basic (almost too basic) way to configure a firewall (iptables). The method in the reference arch is much more robust and secure. I don't believe that can be achieved with lokkit. The ref arch is not only isolating ports but restricting them to specific hosts.
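The per-host rules above are written out by hand for three BSN hosts. The following script is an added example, not part of this bug report, the Deployment Guide or the reference architecture: it derives the same peer list for any BSN host from one list of broker and BSN addresses, prints the iptables commands, and audits an iptables-save dump for MongoDB ACCEPT rules that reach beyond that peer set. The addresses are the reference architecture's illustrative ones; the interface and port match its commands. The terminal REJECT rule, the function names, and the two sample dumps are assumptions of this example, constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the BZ or the reference architecture): generate the
# per-host MongoDB firewall rules for every BSN host from one list of brokers
# and BSN hosts, and audit an iptables-save dump for over-broad ACCEPTs.
# Addresses are the ref arch's illustrative ones; the REJECT rule and the
# sample dumps are assumptions of this example.

BROKERS="10.16.138.25 10.16.138.26"
BSN_HOSTS="10.16.138.27 10.16.138.28 10.16.138.31"

# Peers allowed to reach MongoDB on one BSN host: all brokers plus every
# BSN host other than itself (the ref arch lists these by hand per host).
# usage: peers_for <this-bsn-ip>
peers_for() {
    me=$1
    out=$BROKERS
    for h in $BSN_HOSTS; do
        [ "$h" = "$me" ] || out="$out $h"
    done
    echo "$out"
}

# Print the iptables commands for one host: one ACCEPT per peer plus a
# terminal REJECT, which the ref arch snippet leaves implicit (assumed here).
# Every rule uses -I (insert at position 1), so the REJECT is printed first
# and each ACCEPT inserted after it lands above it in the chain.
# usage: gen_mongo_rules <iface> <port> <peer-ip>...
gen_mongo_rules() {
    iface=$1
    port=$2
    shift 2
    echo "iptables -I INPUT -i $iface -p tcp --dport $port -j REJECT --reject-with tcp-reset"
    for ip in "$@"; do
        echo "iptables -I INPUT -i $iface -p tcp --source $ip --dport $port -j ACCEPT"
    done
    echo "service iptables save"
}

# Audit iptables-save output read from stdin: flag any ACCEPT for the given
# port whose -s is not in the allowed list, or that has no -s at all (which
# exposes the port to every host on that interface). Returns 1 if any found.
# usage: check_mongo_exposure <port> "<allowed-ips>" < dump
check_mongo_exposure() {
    port=$1
    allowed=" $2 "
    bad=0
    while IFS= read -r line; do
        case "$line" in
            *"--dport $port "*"-j ACCEPT"*) ;;
            *) continue ;;
        esac
        src=$(printf '%s\n' "$line" | sed -n 's|.*-s \([0-9./]*\).*|\1|p')
        src=${src%/32}
        if [ -n "$src" ]; then
            case "$allowed" in
                *" $src "*) continue ;;
            esac
        fi
        echo "EXPOSED: $line"
        bad=1
    done
    return $bad
}

# Constructed iptables-save excerpt for BSN host 10.16.138.28 where the
# broker rules are right but a stray rule accepts 27017 from anywhere.
BAD_DUMP='-A INPUT -s 10.16.138.25/32 -i eth0 -p tcp -m tcp --dport 27017 -j ACCEPT
-A INPUT -s 10.16.138.26/32 -i eth0 -p tcp -m tcp --dport 27017 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 27017 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT'

# Constructed excerpt for the same host with only intended peers.
GOOD_DUMP='-A INPUT -s 10.16.138.25/32 -i eth0 -p tcp -m tcp --dport 27017 -j ACCEPT
-A INPUT -s 10.16.138.27/32 -i eth0 -p tcp -m tcp --dport 27017 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 27017 -j REJECT --reject-with tcp-reset
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT'

# Stand-alone run: print the rules for 10.16.138.28, then audit both dumps.
gen_mongo_rules eth0 27017 $(peers_for 10.16.138.28)
printf '%s\n' "$BAD_DUMP" | check_mongo_exposure 27017 "$(peers_for 10.16.138.28)" || echo "bad dump: exposed (expected)"
printf '%s\n' "$GOOD_DUMP" | check_mongo_exposure 27017 "$(peers_for 10.16.138.28)" && echo "good dump: ok"
```

The audit reads `iptables-save` output, so on a live host it is run as `iptables-save | check_mongo_exposure 27017 "$(peers_for <this-ip>)"`. The generated commands are printed rather than executed so they can be reviewed before being applied; the ordering caveat applies to the ref arch's own snippet as well, since `-I INPUT` prepends each ACCEPT but nothing in that snippet rejects 27017 from other sources.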
Email from Phil Festoso: Hi Brice, Sorry for the long delay. Your revision reads really well. Thanks for the work. I'll copy/paste the section on iptables for the customer to review and give you their feedback as well. For QE: The bit that was added was the formalpara underneath the table titled "Configuring a firewall using iptables"
Ok. So the info that has been added here has been wildly modified. I've taken Alex's suggestions into account, and changed up the formalpara I had initially added, and changed around the first paragraph of the topic as well. Still not 100% sure it's all what's needed though, so I welcome any input. Thanks, all.
I had a look at this BZ again. Changes: * Put the two formalparas into their own sections. Alex suggested it above and I think it works here. * I checked out the manually configuring iptables bit and judging from my googling, I think the information is correct. I also extended the -(x) options to be more like their longer --(x) options, which I feel gives it a little more context. * I do think this can work with the current context as enough, but I'm open to suggestion as to what needs to be worked on exactly. * I changed the QA contact to Alex. If anyone cced here has any other suggestions let me know. If not, it'd be great to get it onto QA.
Luke, thanks much for the detailed information. I can see your reasoning behind it all, and I've edited the topics to pretty much suit your suggestions. I'll presume that's all you have to suggest and put this onto QA. For QA: This BZ seems to have reached all of 5.2 in the Deploy Guide, but was initially adding what is now 5.2.2.
Luke, thanks for the edits. Sections have been updated.
The OSE 2 Deployment Guide has been updated to address this BZ. See revision history here: https://access.redhat.com/documentation/en-US/OpenShift_Enterprise/2/html-single/Deployment_Guide/index.html#appe-Revision_History