Bug 1006040 - [RFE] Expand firewall configuration and information
Status: CLOSED CURRENTRELEASE
Product: OpenShift Container Platform
Classification: Red Hat
Component: Documentation
Version: 1.2.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Assigned To: brice
QA Contact: Alex Dellapenta
Reported: 2013-09-09 16:56 EDT by dchia
Modified: 2017-03-08 12 EST
Doc Type: Bug Fix
Last Closed: 2014-10-24 15:28:09 EDT
Type: Bug

Description dchia 2013-09-09 16:56:32 EDT
Description of problem:
The firewalling described in the Deployment Guide isn't very useful. I think it would be more helpful to give more detailed examples like the ones given in the OpenShift Reference Architecture document.

Specifically, [1] from http://www.redhat.com/resourcelibrary/reference-architectures/deploying-and-managing-a-private-paas-with-openshift-enterprise

[1] 7. Configure the firewall for MongoDB traffic on each BSN host to only allow traffic from the broker hosts and the other BSN hosts, no other. Even with this traffic being restricted, the version of MongoDB shipped with this solution is not compiled with SSL support. So all traffic is transmitted via clear text. One other option is to also implement SSH tunnels in-between the hosts to secure the traffic even further.

bsn1:
# iptables -I INPUT -i eth0 -p tcp --source 10.16.138.25 --dport 27017 --jump ACCEPT
# iptables -I INPUT -i eth0 -p tcp --source 10.16.138.26 --dport 27017 --jump ACCEPT
# iptables -I INPUT -i eth0 -p tcp --source 10.16.138.27 --dport 27017 --jump ACCEPT
# iptables -I INPUT -i eth0 -p tcp --source 10.16.138.31 --dport 27017 --jump ACCEPT
# service iptables save

bsn2:
# iptables -I INPUT -i eth0 -p tcp --source 10.16.138.25 --dport 27017 --jump ACCEPT
# iptables -I INPUT -i eth0 -p tcp --source 10.16.138.26 --dport 27017 --jump ACCEPT
# iptables -I INPUT -i eth0 -p tcp --source 10.16.138.28 --dport 27017 --jump ACCEPT
# iptables -I INPUT -i eth0 -p tcp --source 10.16.138.31 --dport 27017 --jump ACCEPT
# service iptables save

bsn3:
# iptables -I INPUT -i eth0 -p tcp --source 10.16.138.25 --dport 27017 --jump ACCEPT
# iptables -I INPUT -i eth0 -p tcp --source 10.16.138.26 --dport 27017 --jump ACCEPT
# iptables -I INPUT -i eth0 -p tcp --source 10.16.138.27 --dport 27017 --jump ACCEPT
# iptables -I INPUT -i eth0 -p tcp --source 10.16.138.28 --dport 27017 --jump ACCEPT
# service iptables save

There are different ways to open and close firewall ports on Red Hat Enterprise Linux; this method uses lokkit, one other method is via iptables.


Additional info:
The method pointed out in the reference arch uses iptables commands specifically, not lokkit. lokkit is a very basic (almost too basic) way to configure a firewall (iptables). The method in the reference arch is much more robust and secure. I don't believe that can be achieved with lokkit. The ref arch is not only isolating ports but also restricting them to specific hosts.
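The three rule sets quoted from the reference architecture differ only in which peer each BSN host leaves out of its allow list. The script below is an added example (not from the bug report or the reference architecture) that generates that per-host allow list for tcp/27017 and, going one step beyond the quoted commands, inserts an explicit DROP beneath the ACCEPT rules so the restriction does not depend on whatever else is in the INPUT chain. The addresses are the ones in the quoted excerpt; which address belongs to which host is an assumption, and the script prints the commands rather than running them.

```shell
#!/bin/sh
# Added example (not from the bug report or the reference architecture).
# Builds the per-host rule set that the quoted excerpt writes out by hand:
# each BSN host accepts MongoDB (tcp/27017) only from the broker hosts and
# the other BSN hosts.  Addresses come from the excerpt; which address is
# which host is an assumption.  Commands are printed, not executed, so they
# can be reviewed first and then piped to sh on the host in question.

BROKERS="10.16.138.25 10.16.138.26"
BSN_HOSTS="10.16.138.27 10.16.138.28 10.16.138.31"
MONGO_PORT=27017
IFACE=eth0

# mongo_rules SELF_IP: print the iptables commands for the BSN host whose
# own address is SELF_IP.  The DROP is inserted first; every ACCEPT inserted
# afterwards with -I lands above it, so the final chain order is
# ACCEPT (listed peers) -> DROP (everything else on 27017) -> existing rules.
# Appending the DROP with -A instead would place it after a trailing
# reject-all rule such as the one in the RHEL 6 default ruleset, where it
# would never be evaluated.
mongo_rules() {
    self="$1"
    printf 'iptables -I INPUT -i %s -p tcp --dport %s --jump DROP\n' \
        "$IFACE" "$MONGO_PORT"
    for src in $BROKERS $BSN_HOSTS; do
        [ "$src" = "$self" ] && continue   # a host need not whitelist itself
        printf 'iptables -I INPUT -i %s -p tcp --source %s --dport %s --jump ACCEPT\n' \
            "$IFACE" "$src" "$MONGO_PORT"
    done
    printf 'service iptables save\n'
}

# count_accepts SELF_IP: number of ACCEPT rules generated for SELF_IP
# (brokers plus the other BSN hosts), a quick sanity check before applying.
count_accepts() {
    mongo_rules "$1" | grep -c -- '--jump ACCEPT'
}

# Usage: ./mongo-fw.sh 10.16.138.28
if [ $# -eq 1 ]; then
    mongo_rules "$1"
fi
```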
Comment 5 brice 2014-05-06 02:15:39 EDT
Email from Phil Festoso:

Hi Brice,

Sorry for the long delay. Your revision reads really well. Thanks for the work. I'll copy/paste the section on iptables for the customer to review and give you their feedback as well.

For QE:

The bit that was added was the formalpara underneath the table titled "Configuring a firewall using iptables"
Comment 11 brice 2014-05-21 02:05:43 EDT
Ok. So the info that has been added here has been wildly modified. I've taken Alex's suggestions into account, and changed up the formalpara I had initially added, and changed around the first paragraph of the topic as well.

Still not 100% sure it's all what's needed though, so I welcome any input.

Thanks, all.
Comment 13 brice 2014-09-21 23:56:01 EDT
I had a look at this BZ again. Changes:

* Put the two formalparas into their own sections. Alex suggested it above and I think it works here.
* I checked out the manually configuring iptables bit and judging from my googling, I think the information is correct. I also extended the -(x) options to be more like their longer --(x) options, which I feel gives it a little more context.
* I do think this can work with the current context as enough, but I'm open to suggestion as to what needs to be worked on exactly.
* I changed the QA contact to Alex.

If anyone cced here has any other suggestions let me know. If not, it'd be great to get it onto QA.
Comment 16 brice 2014-09-23 00:16:36 EDT
Luke, thanks much for the detailed information. I can see your reasoning behind it all, and I've edited the topics to pretty much suit your suggestions. I'll presume that's all you have to suggest and put this onto QA.

For QA:
This BZ seems to have reached all of 5.2 in the Deploy Guide, but was initially adding what is now 5.2.2.
Comment 19 brice 2014-09-28 20:22:05 EDT
Luke, thanks for the edits. Sections have been updated.
Comment 21 Alex Dellapenta 2014-10-24 15:28:09 EDT
The OSE 2 Deployment Guide has been updated to address this BZ. See revision history here:

https://access.redhat.com/documentation/en-US/OpenShift_Enterprise/2/html-single/Deployment_Guide/index.html#appe-Revision_History
