TripleO firewall should be per Network
Bug #1694046 reported by Federico Iezzi
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
tripleo | Expired | Undecided | Unassigned | |
Bug Description
The current (Ocata and Pike) TripleO Firewall adds a bunch of IPTables rules to allow defined ports on every network interface.
It means that any sensitive services, i.e. SSH and PCSD, binding to every network, even the External Network, are not filtered at all.
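As an added illustration of the report above (not part of the bug report and not TripleO code), the following audit sketch reads `iptables-save` output and lists INPUT ACCEPT rules that open SSH or PCSD without any interface, source or destination restriction. The sample rules are constructed, the function names are hypothetical, and 2224/tcp is assumed as the pcsd port (its default).

```python
import shlex

# Ports for the services named in the report; 2224/tcp is the pcsd default.
SENSITIVE_PORTS = {22: "ssh", 2224: "pcsd"}
# Options that tie a rule to one network: interface, source, destination.
SCOPING_OPTS = ("-i", "-s", "-d")

# Constructed iptables-save sample (not taken from a real TripleO node).
SAMPLE_RULES = '''\
*filter
:INPUT DROP [0:0]
-A INPUT -p tcp -m multiport --dports 22 -m state --state NEW -m comment --comment "003 accept ssh" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 2224 -m state --state NEW -m comment --comment "130 pacemaker tcp" -j ACCEPT
-A INPUT -i vlan20 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 172.16.2.0/24 -p tcp -m multiport --dports 2224,3121 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 8000:8010 -j ACCEPT
COMMIT
'''

def parse_ports(spec):
    """Expand '22,2224' or '8000:8010' into a set of port numbers."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def unscoped_sensitive_rules(rules_text):
    """Return (service, rule) pairs for INPUT ACCEPT rules that open a
    sensitive port on every network (no -i, -s or -d match)."""
    findings = []
    for line in rules_text.splitlines():
        if not line.startswith("-A INPUT"):
            continue
        tok = shlex.split(line)  # keeps quoted --comment text as one token
        opts = {t: tok[i + 1] for i, t in enumerate(tok[:-1]) if t.startswith("-")}
        if opts.get("-j") != "ACCEPT" or any(o in opts for o in SCOPING_OPTS):
            continue
        spec = opts.get("--dports") or opts.get("--dport")
        if not spec:
            continue
        for port in sorted(parse_ports(spec) & set(SENSITIVE_PORTS)):
            findings.append((SENSITIVE_PORTS[port], line))
    return findings

if __name__ == "__main__":
    for service, rule in unscoped_sensitive_rules(SAMPLE_RULES):
        print(f"{service}: open on all networks -> {rule}")
```
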
Changed in tripleo: | |
milestone: | pike-3 → pike-rc1 |
Changed in tripleo: | |
milestone: | pike-rc1 → queens-1 |
Changed in tripleo: | |
milestone: | queens-1 → queens-2 |
Changed in tripleo: | |
milestone: | queens-2 → queens-3 |
Changed in tripleo: | |
milestone: | queens-3 → queens-rc1 |
Changed in tripleo: | |
milestone: | queens-rc1 → rocky-1 |
Changed in tripleo: | |
milestone: | rocky-1 → rocky-2 |
Changed in tripleo: | |
milestone: | rocky-2 → rocky-3 |
Changed in tripleo: | |
milestone: | rocky-3 → rocky-rc1 |
Changed in tripleo: | |
milestone: | rocky-rc1 → stein-1 |
Changed in tripleo: | |
milestone: | stein-1 → stein-2 |
information type: | Private Security → Public |
This bug report is a well-known limitation of Firewall support in TripleO and has been an ongoing topic for some months. It requires some work in THT and puppet-tripleo but nobody has spent time on this thing, which I would call a feature.