[Freeipa-devel] Ipa-server-install Firewall Support

Justin Brown justin.brown at fandingo.org
Thu Apr 3 16:33:51 UTC 2014


This discussion morphs out of some questions that I asked over on the
users' mailing list:
https://www.redhat.com/archives/freeipa-users/2014-April/msg00033.html.
It's also related to Trac #2110. (The subject says ipa-server-install,
but this will apply to replica installs, too.)

What is the expected compatibility with RHEL 5 and 6? Neither of those
comes with FirewallD. Integrating with iptables is bound to be messy,
and I feel like there are too many ways to get into trouble with
destroying a user's iptables configuration. (Due to the unsafety of
`iptables-restore`, there's no way to guarantee that the user's
configuration will persist through a reboot.) Seeing as FirewallD has
been the default in Fedora since 18 and will be in RHEL 7, it seems
like a reasonable thing to do. Would there be opposition to making
FirewallD the only firewall that ipa-server-install will configure,
and just print out iptables (or iptables-save fragments) for
non-FirewallD systems?

The implementation should be pretty simple and straightforward, but I
wanted to run over it briefly to see if there was any initial
feedback.

First, there's a question of dependence. FirewallD exposes a DBus
interface on the system bus. While it is possible to interact with
shell commands, I would greatly prefer to make use of DBus directly.
That will require pulling in python-dbus as a package dependency.

Second, FirewallD operates on "zones" to which interfaces are
attached. To apply any sort of configuration, we'll need to attach a
freeipa-server FirewallD service to the proper zone. During the
current installation program, we already know the server's IP address
from a call to installutils.get_server_ip_address(). I'll need to
resolve on which interface this IP resides, and then FirewallD can
tell me which zone should be modified. It is possible to scrape the
output of `ip address` to determine this, but that's a messy solution. The
better method is to use the NetworkManager DBus interfaces to query
for this information. This gets back to my compatibility question
above. Fedora doesn't really work without NetworkManager anymore, and
I assume that will hold for RHEL 7.

Third, do we want to allow the user to limit the network access? I
think that it makes sense to allow users to specify a network (e.g.
192.168.0.0/16) to limit accessibility to their FreeIPA server. Yet,
there's always some trade-off to adding more options to
ipa-server-install.

Fourth, FirewallD configuration is simple and quick, so I think it
makes sense to get it out of the way early in the install process. I'm
thinking right after ipaservices.backup_and_replace_hostname() (line
1,038) runs.


Implementation Walkthrough
----------------------------------------

~$ ipa-server-install --firewall --firewall-allow 192.168.0.0/24 --firewall-allow 192.168.1.0/24 [...]

[skip to line 1038]
1. Detect if FirewallD is running via DBus. (If not generate sample
iptables rules, print/log them, and continue normal install.)
2. Use NM DBus to resolve IP->interface. (If NM not available,
potentially fall back to scraping `ip a`.)
3. Use FirewallD DBus to resolve interface to zone.
4. FreeIPA will include a service XML template (like
dsinstance.INF_TEMPLATE) that specifies the necessary ports/protocols.
Write this service file to /etc/firewalld/services/.
5. If the user provided --firewall-allow args, generate rich rules
based on the template, and add them to the proper zone. If not, the
service is still added as a rich rule (for consistency and ease of
uninstall).


Thanks,
Justin
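Steps 4 and 5 of the walkthrough above, plus the iptables fallback from step 1, as an added worked example in Python. This is illustrative code written for this page, not FreeIPA project code and not part of Justin's message. It assumes a port list (the commonly documented FreeIPA server ports: HTTP/HTTPS, LDAP/LDAPS, Kerberos KDC and kpasswd, with DNS and NTP as optional roles), a service name of `freeipa-server`, the service-file layout used under /usr/lib/firewalld/services/, and the rich-rule syntax from firewalld.richlanguage(5); the `--firewall-allow` values in the `__main__` block are constructed input mirroring the example command line. The DBus steps (detecting FirewallD, resolving interface and zone) are left out because they need a live system bus.

```python
"""Added example (not FreeIPA project code): build the FirewallD service
file, the zone rich rules and the iptables-save fallback that the proposed
ipa-server-install --firewall step would produce.

Assumptions: FREEIPA_PORTS is the commonly documented FreeIPA server port
set, not taken from the post; the XML layout mirrors the files under
/usr/lib/firewalld/services/; rich rules follow firewalld.richlanguage(5).
"""
import ipaddress
import xml.etree.ElementTree as ET

SERVICE_NAME = "freeipa-server"

# Assumed FreeIPA port set: HTTP/HTTPS, LDAP/LDAPS, Kerberos KDC, kpasswd.
FREEIPA_PORTS = [
    ("tcp", 80), ("tcp", 443),
    ("tcp", 389), ("tcp", 636),
    ("tcp", 88), ("udp", 88),
    ("tcp", 464), ("udp", 464),
]
# Only opened when the matching optional role is installed.
OPTIONAL_PORTS = {"dns": [("tcp", 53), ("udp", 53)], "ntp": [("udp", 123)]}


def service_ports(roles=()):
    """Port list for the service file, extended by optional roles."""
    ports = list(FREEIPA_PORTS)
    for role in roles:
        ports.extend(OPTIONAL_PORTS[role])
    return ports


def service_xml(ports, name=SERVICE_NAME):
    """Body of /etc/firewalld/services/<name>.xml (step 4 of the post)."""
    root = ET.Element("service")
    ET.SubElement(root, "short").text = "FreeIPA server"
    ET.SubElement(root, "description").text = (
        "Ports used by a FreeIPA server: web UI, LDAP and Kerberos.")
    for proto, port in ports:
        ET.SubElement(root, "port", protocol=proto, port=str(port))
    return ('<?xml version="1.0" encoding="utf-8"?>\n'
            + ET.tostring(root, encoding="unicode") + "\n")


def ports_from_service_xml(text):
    """Parse a service file back into (protocol, port) pairs; a cheap
    self-check before the file is written under /etc/firewalld."""
    root = ET.fromstring(text)
    if root.tag != "service":
        raise ValueError("not a firewalld service file")
    return [(p.get("protocol"), int(p.get("port"))) for p in root.iter("port")]


def parse_networks(cidrs):
    """Validate --firewall-allow values.  strict=True rejects an address
    with host bits set (192.168.0.1/24), so a typo fails the install
    instead of silently becoming a rule the admin did not intend."""
    nets = []
    for cidr in cidrs:
        try:
            nets.append(ipaddress.ip_network(cidr, strict=True))
        except ValueError as exc:
            raise ValueError(f"bad --firewall-allow value {cidr!r}: {exc}") from None
    return nets


def rich_rules(networks, name=SERVICE_NAME):
    """Rich rules for the resolved zone (step 5).  Without --firewall-allow
    the service is still added as rich rules, one per address family, so
    uninstall removes the same objects either way."""
    if not networks:
        return [f'rule family="{fam}" service name="{name}" accept'
                for fam in ("ipv4", "ipv6")]
    return [f'rule family="ipv{n.version}" source address="{n}" '
            f'service name="{name}" accept' for n in networks]


def iptables_fragments(ports, networks):
    """iptables-save style fragments for hosts without FirewallD, keyed by
    tool; an address family with no allowed network is omitted entirely."""
    out = {}
    for version, tool in ((4, "iptables"), (6, "ip6tables")):
        sources = [n for n in networks if n.version == version] if networks else [None]
        if not sources:
            continue
        lines = ["*filter"]
        for src in sources:
            match = f" -s {src}" if src is not None else ""
            for proto, port in ports:
                lines.append(f"-A INPUT{match} -p {proto} --dport {port} -j ACCEPT")
        lines.append("COMMIT")
        out[tool] = lines
    return out


if __name__ == "__main__":
    # Constructed input mirroring the post's example command line.
    nets = parse_networks(["192.168.0.0/24", "192.168.1.0/24"])
    ports = service_ports(roles=("dns",))
    print(service_xml(ports))
    print("\n".join(rich_rules(nets)))
    for tool, lines in iptables_fragments(ports, nets).items():
        print(f"# {tool}-restore fragment")
        print("\n".join(lines))
```

The strict network parsing is the part worth keeping whatever the rest looks like: a firewall option that accepts `192.168.0.1/24` and quietly normalises it is exactly the kind of input handling that produces rules nobody asked for.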
