Puppet IPtables rules management allows the creation of TCP / UDP rules with empty port value.
Some API services in Director are not exposed to public networks,
which means $public_ssl_port is empty for some services (for example,
Glance, which is deployed by default on both undercloud and overcloud).
If SSL is enabled, several IPtables rules are created without a
port specified, which opens all traffic for the TCP protocol. Example:
-A INPUT -p tcp -m comment --comment "100 glance_registry_haproxy_ssl" -m state --state NEW -j ACCEPT
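One way to check a host for this condition is to scan iptables-save output for TCP/UDP ACCEPT rules that carry no port match. This is an added example, not code from puppet-tripleo or from this report; the function names are hypothetical, and the sample ruleset is constructed except for its first rule, which is the one quoted above.

```python
import shlex

# Any of these options means the rule is limited to specific ports.
PORT_OPTS = {"--dport", "--dports", "--destination-port", "--destination-ports",
             "--sport", "--sports", "--source-port", "--source-ports", "--ports"}

def value_after(tokens, *names):
    """Return the token following the first occurrence of any option in names."""
    for i, tok in enumerate(tokens[:-1]):
        if tok in names:
            return tokens[i + 1]
    return None

def find_portless_accepts(ruleset):
    """Flag tcp/udp ACCEPT rules in iptables-save text that match no port."""
    findings = []
    for line in ruleset.splitlines():
        line = line.strip()
        if not line.startswith("-A "):
            continue  # skip table headers, chain policies, COMMIT, comments
        tokens = shlex.split(line)  # keeps the quoted --comment as one token
        proto = value_after(tokens, "-p", "--protocol")
        target = value_after(tokens, "-j", "--jump")
        if proto not in ("tcp", "udp") or target != "ACCEPT":
            continue
        if PORT_OPTS.intersection(tokens):
            continue  # rule is restricted to one or more ports
        findings.append({
            "chain": tokens[1],
            "proto": proto,
            "comment": value_after(tokens, "--comment"),
            "source": value_after(tokens, "-s", "--source"),  # None = any source
        })
    return findings

# Constructed sample: the first rule is the one quoted in this report, the rest are made up.
SAMPLE = """\
*filter
:INPUT DROP [0:0]
-A INPUT -p tcp -m comment --comment "100 glance_registry_haproxy_ssl" -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m multiport --dports 9292 -m comment --comment "constructed rule with port" -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -s 192.0.2.0/24 -p udp -j ACCEPT
COMMIT
"""

if __name__ == "__main__":
    for finding in find_portless_accepts(SAMPLE):
        print(finding)
```

A finding whose source is None accepts the whole protocol from any address, as in the rule quoted above; a finding with a source set is still portless and needs a manual look.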
Created puppet-tripleo tracking bugs for this issue:
Affects: openstack-rdo [bug 1409689]
Name: Ben Nemec (Red Hat)
This issue has been addressed in the following products:
Red Hat OpenStack Platform 10.0 (Newton)
Via RHSA-2017:0025 https://rhn.redhat.com/errata/RHSA-2017-0025.html