TripleO firewall should be per Network

Bug #1694046 reported by Federico Iezzi
Affects: tripleo
Status: Expired
Importance: Undecided
Assigned to: Unassigned
Milestone: none

Bug Description

The current (Ocata and Pike) TripleO firewall adds a bunch of iptables rules to allow the defined ports on every network interface.
It means that any sensitive service, i.e. SSH and PCSD, that binds to every network, even the External Network, is not filtered at all.
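The following Python is an added example, not the reporter's code and not anything from TripleO, THT or puppet-tripleo. It shows the check a practitioner would run on an affected node: parse `iptables -S INPUT` output and flag ACCEPT rules that match a sensitive port (SSH 22, PCSD 2224) but carry neither an in-interface (`-i`) nor a source (`-s`) restriction, which is exactly the "allowed on every network interface" pattern the report describes. It then emits per-network replacement rules pinned to an interface and CIDR. The sample rule dump, the network names, interfaces and CIDRs are all constructed for the example.

```python
"""Audit iptables INPUT rules for sensitive ports accepted on every interface,
and emit per-network replacements.

Added example; not code from the bug report, TripleO, THT or puppet-tripleo.
An ACCEPT rule that matches a --dport but carries no -i or -s restriction
admits that port from every network the node is attached to, External
included. All sample rules and the network layout below are constructed.
"""
import shlex

# Constructed: what `iptables -S INPUT` could print on an affected controller.
SAMPLE_RULES = """\
-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22 -m state --state NEW -m comment --comment "003 accept ssh" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 2224 -m state --state NEW -m comment --comment "130 pcsd" -j ACCEPT
-A INPUT -i vlan20 -p tcp -m multiport --dports 3306 -m state --state NEW -m comment --comment "104 mysql galera" -j ACCEPT
-A INPUT -s 192.168.24.0/24 -p tcp -m multiport --dports 22 -m state --state NEW -m comment --comment "003 accept ssh ctlplane" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -m state --state NEW -m comment --comment "100 horizon" -j ACCEPT
"""

# Constructed (hypothetical names): interface and CIDR of each network on this node.
NETWORKS = {
    "ctlplane": {"iface": "eth0", "cidr": "192.168.24.0/24"},
    "internal_api": {"iface": "vlan20", "cidr": "172.16.2.0/24"},
    "external": {"iface": "br-ex", "cidr": "10.0.0.0/24"},
}

# Ports that must never be reachable through an unrestricted rule (SSH, PCSD).
SENSITIVE_PORTS = {22, 2224}


def _expand_ports(spec):
    """'22' -> {22}; '80,443' -> {80, 443}; '5900:5902' -> {5900, 5901, 5902}."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def parse_rule(line):
    """Parse one `iptables -S` line into the fields the audit needs."""
    rule = {"chain": None, "iniface": None, "source": None,
            "dports": set(), "target": None}
    toks = shlex.split(line)  # keeps quoted --comment strings together
    i = 0
    while i < len(toks):
        tok, nxt = toks[i], toks[i + 1] if i + 1 < len(toks) else None
        if tok == "-A":
            rule["chain"] = nxt
        elif tok == "-i":
            rule["iniface"] = nxt
        elif tok == "-s":
            rule["source"] = nxt
        elif tok in ("--dport", "--dports"):
            rule["dports"] = _expand_ports(nxt)
        elif tok == "-j":
            rule["target"] = nxt
        else:
            i += 1
            continue
        i += 2
    return rule


def find_unrestricted(rules_text, sensitive_ports=SENSITIVE_PORTS, chain="INPUT"):
    """Return {port: [rule line, ...]} for sensitive ports accepted without -i or -s."""
    exposed = {}
    for line in rules_text.splitlines():
        if not line.startswith("-A "):
            continue  # policy lines, chain definitions
        rule = parse_rule(line)
        if rule["chain"] != chain or rule["target"] != "ACCEPT":
            continue
        if rule["iniface"] or rule["source"]:
            continue  # already scoped to one network
        for port in sorted(rule["dports"] & set(sensitive_ports)):
            exposed.setdefault(port, []).append(line)
    return exposed


def per_network_rules(port, proto, allowed_networks, networks=NETWORKS, comment=""):
    """Emit one ACCEPT rule per allowed network, pinned to its interface and CIDR."""
    rules = []
    for name in allowed_networks:
        net = networks[name]
        rules.append(
            f'-A INPUT -i {net["iface"]} -s {net["cidr"]} -p {proto} -m multiport '
            f'--dports {port} -m state --state NEW '
            f'-m comment --comment "{comment} {name}" -j ACCEPT'
        )
    return rules


if __name__ == "__main__":
    for port, lines in find_unrestricted(SAMPLE_RULES).items():
        print(f"port {port} accepted on every interface by {len(lines)} rule(s):")
        for line in lines:
            print("   ", line)
    print("replacement for pcsd, internal_api only:")
    for line in per_network_rules(2224, "tcp", ["internal_api"], comment="130 pcsd"):
        print("   ", line)
```

On a real node the input is the output of `iptables -S INPUT` rather than the constructed dump; a rule that is already pinned with `-i` (the galera rule above) or `-s` (the ctlplane SSH rule) is not reported, which is the shape the per-network fix should produce. How such scoping is expressed in THT and puppet-tripleo is outside what this report states, so the generated lines are raw iptables rules only.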

Revision history for this message
Emilien Macchi (emilienm) wrote:

This bug report is a well-known limitation of Firewall support in TripleO and has been an ongoing topic for some months. It requires some work in THT and puppet-tripleo, but nobody has spent time on this, which I would call a feature.

Changed in tripleo:
status: New → Triaged
importance: Undecided → High
milestone: none → pike-3
Changed in tripleo:
milestone: pike-3 → pike-rc1
Ben Nemec (bnemec)
Changed in tripleo:
milestone: pike-rc1 → queens-1
Revision history for this message
Ben Nemec (bnemec) wrote:

I'm re-targeting to Queens. I don't think we can absorb a major refactoring of the firewall support in Pike. However, I think we need to talk to the folks in the security squad and see if they can prioritize this for early in Queens, since it clearly is something we need to address.

Changed in tripleo:
milestone: queens-1 → queens-2
Changed in tripleo:
milestone: queens-2 → queens-3
Changed in tripleo:
milestone: queens-3 → queens-rc1
Changed in tripleo:
milestone: queens-rc1 → rocky-1
Changed in tripleo:
milestone: rocky-1 → rocky-2
Changed in tripleo:
milestone: rocky-2 → rocky-3
Changed in tripleo:
milestone: rocky-3 → rocky-rc1
Changed in tripleo:
milestone: rocky-rc1 → stein-1
Changed in tripleo:
milestone: stein-1 → stein-2
Revision history for this message
Emilien Macchi (emilienm) wrote: Cleanup EOL bug report

This is an automated cleanup. This bug report has been closed because it
is older than 18 months and there is no open code change to fix this.
After this time it is unlikely that the circumstances which lead to
the observed issue can be reproduced.

If you can reproduce the bug, please:
* reopen the bug report (set to status "New")
* AND add the detailed steps to reproduce the issue (if applicable)
* AND leave a comment "CONFIRMED FOR: <RELEASE_NAME>"
  Only still supported release names are valid (FUTURE, PIKE, QUEENS, ROCKY, STEIN).
  Valid example: CONFIRMED FOR: FUTURE

Changed in tripleo:
importance: High → Undecided
status: Triaged → Expired
Jeremy Stanley (fungi)
information type: Private Security → Public