Hey Greg, don't want to be stubborn, but this is what I have now, just iptables rules on the netns.

{
  "cniVersion": "0.3.1",
  "name": "test-firewallnetns",
  "plugins": [
    {
      "type": "macvtap",
      "master": "eth1",
      "ipam": {
        "type": "host-local",
        "subnet": "192.168.124.0/24",
        "rangeStart": "192.168.124.170",
        "rangeEnd": "192.168.124.179"
      }
    },
    {
      "type": "firewallnetns",
      "dataDir": "/etc/mesos-cni",
      "fwFiles": [ "default-policy", "allow-ping", "allow-ping-out" ],
      "ipsets": [
        { "set": "blacklistweb", "hashtype": "hash:ip", "netmask": 24, "hashsize": 4096 }
      ],
      "policies": [
        { "chain": "INPUT", "policy": "ACCEPT" },
        { "chain": "OUTPUT", "policy": "ACCEPT" }
      ],
      "rules": [
        { "type": "A", "chain": "INPUT", "rule": "-p tcp --dport $PORT0 -j ACCEPT" },
        { "type": "A", "chain": "INPUT", "rule": "-p tcp --dport $PORT1 -j ACCEPT" },
        { "type": "A", "chain": "INPUT", "rule": "-p tcp -m set --match-set blacklistweb src -m multiport --dports 80,443 -j REJECT --reject-with tcp-reset" }
      ]
    }
  ]
}

https://github.com/f1-outsourcing/plugins/tree/hostrouteif/plugins/meta/firewallnetns#firewallnetns-chain-plugin-not-final-name
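
As an added example (not Marc's plugin code and not taken from the linked repository), the script below parses a config in the shape posted above, fills the Marathon-style $PORT<n> placeholders, renders the ipset/iptables commands a netns-scoped firewall would run, and flags REJECT/DROP rules that an earlier ACCEPT on the same port makes unreachable. The mapping of config entries to ipset/iptables invocations, the netns name, the render_commands/shadowed_rejects function names and the PORT0/PORT1 values are all assumptions made for the example; only the config schema is taken from the post.

```python
import json
import re
import shlex

# Constructed sample input: the firewallnetns config from the post, wrapped
# lines joined. Only its schema is taken from the post; the command rendering
# below is this example's own assumption about how it is applied.
CNI_CONF = r'''
{
  "cniVersion": "0.3.1",
  "name": "test-firewallnetns",
  "plugins": [
    { "type": "macvtap", "master": "eth1",
      "ipam": { "type": "host-local", "subnet": "192.168.124.0/24",
                "rangeStart": "192.168.124.170", "rangeEnd": "192.168.124.179" } },
    { "type": "firewallnetns",
      "dataDir": "/etc/mesos-cni",
      "fwFiles": [ "default-policy", "allow-ping", "allow-ping-out" ],
      "ipsets": [ { "set": "blacklistweb", "hashtype": "hash:ip", "netmask": 24, "hashsize": 4096 } ],
      "policies": [ { "chain": "INPUT", "policy": "ACCEPT" }, { "chain": "OUTPUT", "policy": "ACCEPT" } ],
      "rules": [
        { "type": "A", "chain": "INPUT", "rule": "-p tcp --dport $PORT0 -j ACCEPT" },
        { "type": "A", "chain": "INPUT", "rule": "-p tcp --dport $PORT1 -j ACCEPT" },
        { "type": "A", "chain": "INPUT", "rule": "-p tcp -m set --match-set blacklistweb src -m multiport --dports 80,443 -j REJECT --reject-with tcp-reset" }
      ] }
  ]
}
'''

BUILTIN_CHAINS = {"INPUT", "OUTPUT", "FORWARD"}
CHAIN_POLICIES = {"ACCEPT", "DROP"}
RULE_TYPES = {"A": "-A", "I": "-I"}  # append / insert, from the config's "type" field (assumed)


def substitute_ports(rule, env):
    """Fill Marathon-style $PORT<n> placeholders from env. An unset placeholder is
    an error so a rule is never rendered with an empty port (which iptables would reject
    or, worse, silently match differently than intended)."""
    def repl(m):
        name = m.group(1)
        if name not in env:
            raise KeyError("placeholder $%s is not set" % name)
        return str(env[name])
    return re.sub(r"\$(PORT\d+)", repl, rule)


def render_commands(conf, env, netns):
    """Render the ipset/iptables commands the config describes, each prefixed with
    `ip netns exec <netns>` so they only touch the container's own namespace."""
    plugin = next(p for p in conf["plugins"] if p["type"] == "firewallnetns")
    prefix = ["ip", "netns", "exec", netns]
    cmds = []
    for s in plugin.get("ipsets", []):
        cmd = prefix + ["ipset", "-exist", "create", s["set"], s["hashtype"]]
        if "netmask" in s:
            cmd += ["netmask", str(s["netmask"])]
        if "hashsize" in s:
            cmd += ["hashsize", str(s["hashsize"])]
        cmds.append(cmd)
    for p in plugin.get("policies", []):
        if p["chain"] not in BUILTIN_CHAINS or p["policy"] not in CHAIN_POLICIES:
            raise ValueError("bad policy entry: %r" % p)
        cmds.append(prefix + ["iptables", "-P", p["chain"], p["policy"]])
    for r in plugin.get("rules", []):
        if r["chain"] not in BUILTIN_CHAINS or r["type"] not in RULE_TYPES:
            raise ValueError("bad rule entry: %r" % r)
        args = shlex.split(substitute_ports(r["rule"], env))
        cmds.append(prefix + ["iptables", RULE_TYPES[r["type"]], r["chain"]] + args)
    return cmds


def _dports(args):
    """Destination ports named by --dport / --dports in a rendered rule."""
    ports = set()
    for i, a in enumerate(args[:-1]):
        if a in ("--dport", "--dports"):
            ports.update(args[i + 1].split(","))
    return ports


def shadowed_rejects(conf, env):
    """Chain order matters: an earlier ACCEPT on a port makes a later REJECT/DROP on
    the same port unreachable. Return (chain, port) pairs where that happens."""
    plugin = next(p for p in conf["plugins"] if p["type"] == "firewallnetns")
    accepted = {}  # chain -> ports accepted by earlier appended rules
    found = []
    for r in plugin.get("rules", []):
        if r["type"] != "A":  # only appends keep declaration order
            continue
        args = shlex.split(substitute_ports(r["rule"], env))
        ports = _dports(args)
        if "ACCEPT" in args:
            accepted.setdefault(r["chain"], set()).update(ports)
        elif "REJECT" in args or "DROP" in args:
            for port in sorted(ports & accepted.get(r["chain"], set())):
                found.append((r["chain"], port))
    return found


if __name__ == "__main__":
    conf = json.loads(CNI_CONF)
    env = {"PORT0": 80, "PORT1": 443}  # constructed: what Marathon would hand the task
    for c in render_commands(conf, env, "ctr-netns"):
        print(" ".join(shlex.quote(x) for x in c))
    print("shadowed:", shadowed_rejects(conf, env))
```

The shadowing check is the part worth keeping: with the rules in the posted order, whenever $PORT0 or $PORT1 resolves to 80 or 443 the per-port ACCEPT is hit first and the blacklistweb REJECT never fires for those sources. Appending the ipset rule before the ACCEPTs (or inserting it with type "I") restores the intended ordering.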


-----Original Message-----
To: [email protected]
Subject: Re: Firewall options

Hey Marc,

It's not too complicated or overkill I don't think. At first I was of 
the same opinion but am currently setting it up on a small development 
environment. The benefit is that you can define network policies as code 
and execute them using automation so if a CI tool like Jenkins is a part 
of your stack you can programmatically tear down and rebuild avoiding 
manual steps and helping make environment rebuilds consistent.

Cheers

        Thanks Greg for the suggestion. Looked a bit at it, I am not sure if it
        is not a bit of an overkill for my small environment. I am now testing a
        bit with a plugin I made that creates iptables rules directly in the
        namespace. Just need to make it more 'dynamic'.
        -----Original Message-----
        To: [email protected]
        Subject: Re: Firewall options
        
        Use Calico as a CNI network, you can then use Calico to apply network
        policies.
                I am having a test setup with mesos and marathon, and playing now a
                bit with haproxy. On vm's I am using iptables to throttle brute force
                rdp connections for instance.
                What would be the advised way to apply this to the haproxy app?