firewalld: Question on Usage (Best Practices/Opinion )


As I get more requests in from my customers to help them automate the deployments of their applications, I'm dealing more with firewalld rules. Initially, when I've been adding ports for applications, I'd been using the firewall-cmd --permanent --add-port=NNN/proto method. As I was poking around teh intarwebz researching other problems (SELinux can make running firewall commands via boot-init scripts a bit of a pain), I'd stumbled on a document that covered creating service definitions so that a given application might have all its port needs satisfied by firewall-cmd --permanent --add-service=<AppName>. When dealing with applications that have need of multiple ports/protocols/etc., distributing a service definition file and then activating that single service seems like a no-brainer. Just wondering if there are shortcomings to that method or whether anyone has any experience — positive or negative — using that method.
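The service-definition approach described above, as an added example that is not part of the original post: a POSIX sh function that generates a firewalld service XML file for an application with several ports, plus a function that drops it into firewalld's local service directory (/etc/firewalld/services) and activates it permanently. The application name "exampleapp" and its ports are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original poster): build a firewalld service
# definition so one --add-service call covers all of an app's ports.

# Emit firewalld service XML to stdout.
# $1 = service name, $2 = description, remaining args = port/proto entries
# such as 8080/tcp or 5000-5010/udp (ranges are allowed by firewalld).
gen_service_xml() {
  name=$1; desc=$2; shift 2
  printf '<?xml version="1.0" encoding="utf-8"?>\n<service>\n'
  printf '  <short>%s</short>\n' "$name"
  printf '  <description>%s</description>\n' "$desc"
  for entry in "$@"; do
    port=${entry%/*}; proto=${entry#*/}
    # firewalld accepts only these protocols in a <port> element
    case "$proto" in
      tcp|udp|sctp|dccp) ;;
      *) echo "unsupported protocol in '$entry'" >&2; return 1 ;;
    esac
    # port must be a number or a numeric range (e.g. 5000-5010)
    case "$port" in
      ""|*[!0-9-]*) echo "bad port in '$entry'" >&2; return 1 ;;
    esac
    printf '  <port protocol="%s" port="%s"/>\n' "$proto" "$port"
  done
  printf '</service>\n'
}

# Write the definition where firewalld looks for admin-defined services,
# reload so firewalld learns the new service, then enable it permanently.
# Must run as root on a host with firewalld (not exercised offline).
install_service() {
  name=$1; shift
  gen_service_xml "$name" "$@" > "/etc/firewalld/services/$name.xml" || return 1
  firewall-cmd --reload
  firewall-cmd --permanent --add-service="$name"
  firewall-cmd --reload
}

# Example usage (constructed app; writes to stdout only):
# gen_service_xml exampleapp "Example application" 8080/tcp 5000-5010/udp
```

After installing, firewall-cmd --info-service=exampleapp shows the ports firewalld parsed from the file, which is a quick check that the XML is what you intended.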

Responses

Thomas,

I think the service definitions are a good idea, but I moved away from firewalld altogether and manage the iptables endpoint firewalls directly in puppet manifests using the firewall module found here: https://forge.puppet.com/puppetlabs/firewall

The implementations I have created for multiple sites follow a similar app specific idea. In these implementations there is a base set of firewall rules defined for a 'SOE' or platform, and then each application module extends this firewall with a defined set of rules for that application. This way the firewall rules sit alongside the application configuration logic in version control.

It's interesting as this approach is now slowly evolving and is getting very close to SDN / micro segmentation as nodes can be made aware of other cluster members etc. in puppet.

I know it's not a direct answer... but thought it may help (especially with puppet support in Satellite 6).
