Skip to content
This repository was archived by the owner on May 24, 2023. It is now read-only.

Added instructions for firewalld #14

Open
wants to merge 9 commits into
base: master
Choose a base branch
from
Open

Added instructions for firewalld #14

wants to merge 9 commits into from

Conversation

cragr
Copy link

@cragr cragr commented Feb 16, 2019

Proposed changes

Added firewalld instructions on the installation pages. Also specified "infra nodes" in plural tense for the event multiple routers are run.

Checklist

Before creating a PR, run through this checklist and mark each as complete.

  • I have read the CONTRIBUTING guide
  • I have proven my fix is effective or that my feature works
  • I have updated necessary documentation
  • I have rebased my branch onto master
  • I will ensure my PR is targeting the master branch and pulling from my branch on my own fork

pleshakov
pleshakov suggested changes Feb 18, 2019
View reviewed changes
Copy link
Collaborator

@pleshakov pleshakov left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@CountPickering thanks for the PR!

I've added a few small suggestions, could you possibly implement them?

Additionally, because port 1936 is not used for regular traffic like ports 80 and 443, but rather the admin traffic, is it possible to extend the firewall-cmd instruction to include the source range, similarly to the existing iptables command.

@pleshakov pleshakov requested a review from Rulox February 18, 2019 11:55
@cragr
Copy link
Author

cragr commented Feb 18, 2019

Your suggestions are on target and have been implemented.

@pleshakov
Copy link
Collaborator

@CountPickering Thanks for implementing those suggestions!

Additionally, because port 1936 is not used for regular traffic like ports 80 and 443, but rather the admin traffic, is it possible to extend the firewall-cmd instruction to include the source range, similarly to the existing iptables command.

regarding the comment above, can this be addressed?

if there are no simple firewall-cmd commands for this case, then it makes sense to put a note right after the command. Something like below:

Note: For simplicity, the firewall-cmd commands listed above do not configure the source IP range of the allowed traffic. It is recommended that you configure the source IP range to protect the [stub status page|dashboard] similarly to the iptables command.

@cragr
Copy link
Author

cragr commented Feb 18, 2019

I would add the note as you suggested. With firewalld you can define a range but it requires the setup of a zone. The OpenShift 3.11 installer uses the public zone by default.

@pleshakov
Copy link
Collaborator

@CountPickering that sounds good! thx

pleshakov
pleshakov approved these changes Mar 8, 2019
View reviewed changes
Copy link
Collaborator

@pleshakov pleshakov left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@CountPickering Thanks!
Could you possibly squash your commits into a single one? Once that is done, we'll merge the PR.

@magicalyak
Copy link

Just a note, this could be further expanded by demonstrating the command

$ sudo firewall-cmd --permanent --zone=public \ 
 --add-rich-rule='rule family="ipv4" \
 source address="1.2.3.4/32" \ 
 port protocol="tcp" \
 port="1936" accept'
$ sudo firewall-cmd --reload

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers
2 more reviewers

@pleshakov pleshakov pleshakov approved these changes

@Rulox Rulox Rulox approved these changes

Reviewers whose approvals may not affect merge requirements
Assignees
No one assigned
Labels
documentation
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@cragr @pleshakov @magicalyak @Rulox