We have the following places for firewall rules in manifests (look for all "firewall {}" entries):
https://github.com/stackforge/fuel-library/blob/master/deployment/puppet/openstack/manifests/firewall.pp
https://github.com/stackforge/fuel-library/blob/master/deployment/puppet/openstack/manifests/heat.pp
https://github.com/stackforge/fuel-library/blob/master/deployment/puppet/openstack/manifests/logging.pp
https://github.com/stackforge/fuel-library/blob/master/deployment/puppet/cobbler/manifests/iptables.pp
https://github.com/stackforge/fuel-library/blob/master/deployment/puppet/sahara/manifests/init.pp
https://github.com/stackforge/fuel-library/blob/master/deployment/puppet/memcached/manifests/init.pp
https://github.com/stackforge/fuel-library/blob/master/deployment/puppet/zabbix/manifests/server.pp
https://github.com/stackforge/fuel-library/blob/master/deployment/puppet/zabbix/manifests/monitoring/rabbitmq_mon.pp
https://github.com/stackforge/fuel-library/blob/master/deployment/puppet/zabbix/manifests/agent.pp
https://github.com/stackforge/fuel-library/blob/master/deployment/puppet/osnailyfacter/modular/firewall/firewall.pp
https://github.com/stackforge/fuel-library/blob/master/deployment/puppet/nailgun/manifests/host.pp
https://github.com/stackforge/fuel-library/blob/master/deployment/puppet/nailgun/manifests/iptables.pp
https://github.com/stackforge/fuel-library/blob/master/deployment/puppet/galera/manifests/init.pp
https://github.com/stackforge/fuel-library/blob/master/deployment/puppet/mongodb/manifests/firewall.pp
https://github.com/stackforge/fuel-library/blob/master/deployment/puppet/ceph/manifests/radosgw.pp
https://github.com/stackforge/fuel-library/blob/master/deployment/puppet/ceph/manifests/osd.pp
https://github.com/stackforge/fuel-library/blob/master/deployment/puppet/ceph/manifests/mon.pp
And the list actually should be only:
The full list of ports could be re-used from here (look for all "firewall {}" entries):
https://github.com/stackforge/fuel-library/blob/master/deployment/puppet/openstack/manifests/firewall.pp
https://github.com/stackforge/fuel-library/blob/master/deployment/puppet/cobbler/manifests/iptables.pp
https://github.com/stackforge/fuel-library/blob/master/deployment/puppet/nailgun/manifests/host.pp (?)
https://github.com/stackforge/fuel-library/blob/master/deployment/puppet/nailgun/manifests/iptables.pp
Also note that openstack/manifests/firewall.pp should contain if {} stanzas for different types of deployment (Ceph or Swift, for example; Nova or Neutron, etc.) in order not to open unused ports.
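One way to keep the consolidation from regressing is a lint that fails when a "firewall {}" resource is declared outside the manifests the report wants to keep. The sketch below is an added example, not part of the report or of fuel-library; the function names, the sample manifest contents and the treatment of the "(?)" entry as allowed are assumptions.

```python
import re

# Manifests the report says should remain the only homes for firewall rules.
# nailgun/manifests/host.pp is marked "(?)" in the report; allowing it is an assumption.
ALLOWED = {
    "deployment/puppet/openstack/manifests/firewall.pp",
    "deployment/puppet/cobbler/manifests/iptables.pp",
    "deployment/puppet/nailgun/manifests/host.pp",
    "deployment/puppet/nailgun/manifests/iptables.pp",
}

# A `firewall { 'title':` resource declaration. The lookbehind skips
# `class openstack::firewall {` and names such as `my_firewall {`.
DECL = re.compile(r"(?<![\w:])firewall\s*\{\s*(['\"])(.*?)\1\s*:")
COMMENT = re.compile(r"#.*")  # simplification: assumes no '#' inside rule titles


def firewall_titles(manifest_text):
    """Return the titles of firewall resources declared in one manifest."""
    code = COMMENT.sub("", manifest_text)
    return [m.group(2) for m in DECL.finditer(code)]


def stray_rules(manifests, allowed=ALLOWED):
    """Map each non-allowed manifest path to the firewall rules it declares."""
    report = {}
    for path, text in manifests.items():
        titles = firewall_titles(text)
        if titles and path not in allowed:
            report[path] = titles
    return report


# Constructed sample tree (not the real fuel-library contents).
SAMPLE = {
    "deployment/puppet/openstack/manifests/firewall.pp": """
class openstack::firewall {
  firewall { '100 http': dport => 80, proto => 'tcp', action => 'accept' }
}
""",
    "deployment/puppet/memcached/manifests/init.pp": """
class memcached {
  # firewall { '000 old rule': }
  firewall { '101 memcached': dport => 11211, proto => 'tcp', action => 'accept' }
}
""",
    "deployment/puppet/galera/manifests/init.pp": "class galera { package { 'galera': } }\n",
}
```

Calling `stray_rules()` on a path-to-text mapping built from a checkout returns an empty dict once every rule lives in an allowed manifest, which makes it usable as a CI gate.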