On 08/02/2017 03:57 AM, Mark Goddard wrote:
> The solution we built used a conf.d/ mechanism layered on top of iptables. An
> advantage of this approach is that operators or co-resident software stacks
> could add their own rules to the firewall. AFAIK, this is not generally
> possible when using iptables-save/restore as it relies on a single
> configuration file which must be 'owned' by something - in this case
> presumably OSA.
>
> I'm not suggesting that you reimplement the solution I've described, but it
> does outline one benefit of firewalld - OSA would not need to entirely own
> the firewall configuration.
Thanks for the feedback! I'm leaning away from firewalld now and looking at
something a little simpler with iptables. During a recent IRC meeting someone
brought up ferm[0]. They have several examples, but the workstation[1] one
makes some sense. It would be fairly easy to template the ferm DSL files.

[0] http://ferm.foo-projects.org/
[1] http://ferm.foo-projects.org/download/examples/webserver.ferm

--
Major Hayden

__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
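As an added illustration of the two points raised in this exchange (templating ferm DSL files, and leaving room for operators or co-resident stacks to add rules without OSA owning the whole firewall), here is a small Python renderer. It is example code written for this page, not code from ferm, OpenStack-Ansible or either of the posters. It assumes a base file along the lines of the ferm webserver example plus a drop-in directory (ferm.d/, relative to the generated ferm.conf) pulled in with ferm's `@include` directive; that layout and the `FermInput` dataclass are assumptions of the example. The one security-relevant detail it adds is input validation: ferm is a DSL, so anything spliced into the template (a port number from inventory, a service name from a variable) is validated before rendering, otherwise a value like `80 ACCEPT; chain FORWARD { policy ACCEPT; }` would become policy.

```python
"""Render a ferm(1) ruleset from a small, validated description.

Added example; not code from the ferm project or from OpenStack-Ansible.
Assumed layout: the rendered text is written to /etc/ferm/ferm.conf and
operators drop extra .ferm files into /etc/ferm/ferm.d/ (names assumed).
"""
from dataclasses import dataclass, field
import re
from typing import List, Union

# Plain service names that ferm resolves via /etc/services (ssh, http, ...).
_NAME_RE = re.compile(r"^[a-z][a-z0-9-]{0,31}$")
# Directory path for the @include; must end in '/' so ferm reads the whole dir.
_DIR_RE = re.compile(r"^[A-Za-z0-9_./-]+/$")


@dataclass
class FermInput:
    """The only values the template is allowed to vary (assumed structure)."""
    ssh_port: Union[int, str] = "ssh"
    services: List[Union[int, str]] = field(default_factory=list)
    include_dir: str = "ferm.d/"  # drop-ins for operators / co-resident stacks


def port_token(value: Union[int, str]) -> str:
    """Return a ferm 'dport' token for a TCP port number or service name.

    Rejects everything else: ferm syntax in a variable would otherwise be
    parsed as rules, so this is the injection boundary of the template.
    """
    if isinstance(value, bool):  # bool subclasses int; never a port
        raise ValueError("port must be an int or service name, not bool")
    if isinstance(value, int):
        if 1 <= value <= 65535:
            return str(value)
        raise ValueError(f"port out of range: {value}")
    if isinstance(value, str) and _NAME_RE.match(value):
        return value
    raise ValueError(f"not a port number or service name: {value!r}")


def render(cfg: FermInput) -> str:
    """Render the complete ferm.conf text for one host."""
    ssh = port_token(cfg.ssh_port)
    services = sorted({port_token(s) for s in cfg.services})  # dedup + stable
    if not _DIR_RE.match(cfg.include_dir):
        raise ValueError("include_dir must be a directory path ending in '/'")

    lines = [
        "# Generated ruleset. Do not edit; add local rules under the",
        f"# '{cfg.include_dir}' drop-in directory instead.",
        "table filter {",
        "    chain INPUT {",
        "        policy DROP;",
        "",
        "        # connection tracking",
        "        mod state state INVALID DROP;",
        "        mod state state (ESTABLISHED RELATED) ACCEPT;",
        "",
        "        # local traffic and ping",
        "        interface lo ACCEPT;",
        "        proto icmp ACCEPT;",
        "",
        "        # management access",
        f"        proto tcp dport {ssh} ACCEPT;",
    ]
    if services:
        lines += [
            "",
            "        # services this host exposes",
            f"        proto tcp dport ({' '.join(services)}) ACCEPT;",
        ]
    lines += [
        "    }",
        "    chain OUTPUT {",
        "        policy ACCEPT;",
        "        mod state state (ESTABLISHED RELATED) ACCEPT;",
        "    }",
        "    chain FORWARD {",
        "        policy DROP;",
        "    }",
        "}",
        "",
        "# Drop-ins are parsed after the base rules above, so they may open",
        "# 'table filter { chain INPUT { ... } }' and append their own rules",
        "# without this file having to know about them.",
        f"@include '{cfg.include_dir}';",
        "",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample: a web host that also accepts SSH on the default port.
    print(render(FermInput(services=["http", 443, "http"])))
```

Note that this only covers the `ip` domain; an IPv6 host needs a matching `domain ip6` block (and `proto icmpv6` instead of `proto icmp`). The reason the `@include` sits at top level rather than inside `chain INPUT` is that a drop-in can then add rules to any chain, while the default `DROP` policies set in the base file still govern whatever the drop-ins do not explicitly accept.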