This is a very interesting proposal and one I believe is needed. I'm currently looking at hardening the controller nodes from unwanted access and discovered that every time the controller node is booted/rebooted, it flushes the iptables and writes only those rules that neutron believes should be there. This behavior would render this proposal ineffective once the node is rebooted.
So I believe neutron needs to be fixed to not flush the iptables on each boot, but to write the iptables to /etc/sysconfig/iptables and then restore them as a normal linux box should do. It should be a good citizen with other processes. A sysadmin should be allowed to use whatever iptables handlers they wish to implement security policies and not have an OpenStack process undo what they have set.

I should mention this is on a system using a flat network topology and bare metal nodes. No VMs.

-- 
Jeff Keopp | Sr. Software Engineer, ES Systems.
380 Jackson Street | St. Paul, MN 55101 | USA | www.cray.com <http://www.cray.com>

-----Original Message-----
From: Major Hayden <ma...@mhtx.net>
Reply-To: "OpenStack Development Mailing List (not for usage questions)" <openstack-dev@lists.openstack.org>
Date: Monday, September 14, 2015 at 11:34
To: "openstack-dev@lists.openstack.org" <openstack-dev@lists.openstack.org>
Subject: Re: [openstack-dev] [openstack-ansible] Security hardening

>On 09/14/2015 03:28 AM, Jesse Pretorius wrote:
>> I agree with Clint that this is a good approach.
>>
>> If there is an automated way that we can verify the security of an
>>installation at a reasonable/standardised level then I think we should
>>add a gate check for it too.
>
>Here's a rough draft of a spec. Feel free to throw some darts.
>
> https://review.openstack.org/#/c/222619/
>
>--
>Major Hayden
>
>__________________________________________________________________________
>OpenStack Development Mailing List (not for usage questions)
>Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
>http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
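The reply above describes two things a controller operator would want: a snapshot of the host firewall saved to /etc/sysconfig/iptables that survives a reboot, and a way to notice when a service has flushed rules the sysadmin put there. The script below is an added example, not code from this thread, from neutron, or from openstack-ansible. It compares a saved `iptables-save` dump against the current one and reports rules and chain policies that disappeared. The two rule sets and the file paths are constructed for illustration; on a real node the "current" side would be the output of `iptables-save` and the snapshot would be the file the admin saved before the reboot.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): detect host firewall rules
# that went missing after a reboot by diffing a saved iptables-save snapshot
# against the current rule set. All sample data below is constructed.

# Keep only rule lines (-A ...) from an iptables-save dump, dropping the
# header comment, table names, chain policy lines with packet counters, and
# COMMIT, so two dumps taken at different times compare cleanly.
normalize_rules() {
    grep '^-A ' "$1" | sed 's/[[:space:]]*$//' | sort -u
}

# Keep only chain policy lines (":CHAIN POLICY"), stripping the counters.
normalize_policies() {
    grep '^:' "$1" | sed 's/[[:space:]]*\[[0-9:]*\]$//' | sort -u
}

# Print every rule present in the saved snapshot ($1) but absent from the
# current rule set ($2). Empty output means nothing was flushed.
missing_rules() {
    saved=$(mktemp); current=$(mktemp)
    normalize_rules "$1" > "$saved"
    normalize_rules "$2" > "$current"
    # -F fixed strings, -x whole line, -v invert: lines of $saved not in $current
    grep -vxFf "$current" "$saved" || true
    rm -f "$saved" "$current"
}

# Number of rules that went missing (0 when the sets match).
count_missing() {
    missing_rules "$1" "$2" | grep -c . || true
}

# Print chain policies from the snapshot ($1) that no longer hold in the
# current set ($2), e.g. an INPUT chain that was DROP and is now ACCEPT.
policy_drift() {
    saved=$(mktemp); current=$(mktemp)
    normalize_policies "$1" > "$saved"
    normalize_policies "$2" > "$current"
    grep -vxFf "$current" "$saved" || true
    rm -f "$saved" "$current"
}

# Persisting the running rules the way the reply suggests (hypothetical path
# from the thread; requires root, so this helper is not exercised here):
persist_rules() {
    iptables-save > /etc/sysconfig/iptables
}

# Constructed sample: the snapshot a sysadmin saved before the reboot.
write_sample_snapshot() {
    cat > "$1" <<'EOF'
# Generated by iptables-save v1.4.21 on Mon Sep 14 12:00:00 2015
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -s 10.0.0.0/24 --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 5000 -j ACCEPT
-A INPUT -j DROP
COMMIT
EOF
}

# Constructed sample: what the node reports after a service rewrote the
# tables on boot; the admin's SSH restriction and the final DROP are gone,
# and the INPUT policy has fallen back to ACCEPT.
write_sample_current() {
    cat > "$1" <<'EOF'
# Generated by iptables-save v1.4.21 on Mon Sep 14 12:30:00 2015
*filter
:INPUT ACCEPT [12:960]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 5000 -j ACCEPT
COMMIT
EOF
}

# Stand-alone demo on the constructed data.
demo_snapshot=$(mktemp); demo_current=$(mktemp)
write_sample_snapshot "$demo_snapshot"
write_sample_current "$demo_current"
echo "Rules missing from the running firewall:"
missing_rules "$demo_snapshot" "$demo_current"
echo "Chain policies that changed:"
policy_drift "$demo_snapshot" "$demo_current"
rm -f "$demo_snapshot" "$demo_current"
```

Run with the current dump piped to a file (`iptables-save > /tmp/current.rules`) and compare it against the saved snapshot; a non-empty result from `missing_rules` or `policy_drift` after a reboot is the signal that something on the node rewrote the tables. Only `-A` rule lines and `:CHAIN POLICY` lines are compared, so differing packet counters and timestamps in the dump header do not produce false alarms.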