[tech] Firewalling system ideas wanted
Frames
oxinabox at ucc.asn.au
Tue May 16 11:28:33 AWST 2017
OpenStack has nice interactive firewall controls that users can touch,
on the same website they use to spin up their VMs.
But OpenStack is not something one simply decides to deploy.
--
[*OX]
On 16/05/2017 10:00 AM, David Adam wrote:
> On Mon, 15 May 2017, Andrew Adamson wrote:
>> This coming weekend we are basically breaking everything, so this is an
>> opportunity to do it good and properly. I've been thinking about user
>> friendliness of our firewall (particularly for VMs), and how things would
>> ideally work versus how they currently do.
>>
>> At the moment, a lot of users who get a VM can't necessarily do a great
>> deal with them, because firewalling of their machine is quite obfuscated
>> to them (unless they are on wheel, and sometimes even then), and it's not
>> always clear to them why something might not be working. I have a similar
>> problem learning about mail servers with the UWA firewall - I never know
>> if it's me or not. The firewall on a VM is something that a user can't
>> easily inspect, change, or experiment with, because it's on murasoi which
>> is wheel access only.
>>
>> To me, the best scenario here is that VM users can easily inspect the
>> firewall rules on their machine, easily request changes, some trusted
>> users can easily be given control of their machines' firewall, and the
>> whole lot can be audited/checked/modified by wheel at any time.
>>
>> Can anyone suggest such a system? Ideally it would have some sort of nice
>> interface, or proxmox integration. I know proxmox has firewall support but
>> haven't had a chance to really play with it, plus it would mean splitting
>> our firewall between murasoi and the cluster. Has anyone tried it before
>> and have advice/comments? Advice/comments on splitting the firewall? Other
>> options for a routing box? Thoughts on moving DNS onto the routing
>> machine?
> Old guard opinion, I guess...
>
> I think what you're asking about is delegated firewall control, which as
> far as I know doesn't exist even in high-end firewall products - I've had
> a read through the Cisco FirePower 9000* and Juniper SRX manuals and all I
> can see is whole-of-system roles, rather than permission to firewall
> specific subnets or IP addresses.
>
> My impression is that full virtualisation of networks with virtual
> firewalls is the Enterprise Solution to this problem.
>
> I don't think splitting the firewall is so much of a problem. Several
> machines (mooneye, mussel, motsugo) already run their own firewalls as a
> replacement or addition to the central firewall.
>
> Firewalling on Proxmox does appear to require full network administration
> privileges to the VM, which we don't grant users (and probably shouldn't).
>
> I think we should probably rewrite the firewall in nftables. Linux is
> still the right platform - although firewall platforms like pf(4) are
> better, the wider networking infrastructure tools on Linux still seem more
> diverse and well-understood.
>
> Your question about putting the nameserver on the router is a separate
> issue. From a *.ucc.asn.au perspective it will be easy, but it would also
> require UWA to make some changes to keep *.ucc.gu.uwa.edu.au and the
> reverse DNS zone working. Perhaps others have more of an appetite. Our DNS
> records in the UWA nameservers have been semi-broken for years, and we
> never did get IPv6 reverse delegation set up.
>
> David Adam
> zanchey at ucc.gu.uwa.edu.au
>
>
> *: Yes.
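The thread asks for "delegated firewall control": a VM owner who can inspect and change the rules for their own machine without wheel access to the router, while wheel keeps the base policy and an audit trail. As an added example (not from any of the posters, and not UCC's actual firewall), here is one way to get most of that on a Linux/nftables router without giving anyone root: wheel writes the ruleset with one chain and one port set per VM, and the only thing a VM owner may run through sudo is a small wrapper that lists their chain or adds/removes a port in their set. The table name "inet vmfw", the per-VM names "vm_<name>" and "vm_<name>_tcp_ok", the sudoers entry and the wrapper itself are all assumptions made up for this illustration.

```shell
#!/bin/sh
# vmfw-ctl: added example, not part of the original thread.
# Wheel installs this as the only command a VM owner may run via sudo, so the
# owner can inspect and edit the allow-list of *their* VM's chain without root
# on the firewall host. Assumes (hypothetically) an nftables table "inet vmfw"
# containing, per VM, a chain "vm_<name>" and a TCP port set "vm_<name>_tcp_ok"
# that wheel created, e.g.:
#   table inet vmfw {
#       set vm_alice_tcp_ok { type inet_service; elements = { 22 } }
#       chain vm_alice { tcp dport @vm_alice_tcp_ok accept; log prefix "vm_alice-drop: " drop }
#       chain forward { type filter hook forward priority 0; policy drop;
#                       ct state established,related accept
#                       ip daddr 192.0.2.10 jump vm_alice }
#   }
# Intended sudoers entry (also hypothetical):
#   alice ALL=(root) NOPASSWD: /usr/local/sbin/vmfw-ctl alice list, \
#       /usr/local/sbin/vmfw-ctl alice allow *, /usr/local/sbin/vmfw-ctl alice deny *
# The wrapper, not nft itself, is what sudo exposes: "nft ... *" in sudoers
# would let the user append further nft statements after the wildcard, which
# is why every argument is validated here before nft sees it.

set -eu

TABLE="inet vmfw"
NFT="${NFT:-/usr/sbin/nft}"

# valid_name NAME -> 0 if NAME is a safe VM label ([a-z0-9_] only), else 1
valid_name() {
    case "$1" in
        ''|*[!a-z0-9_]*) return 1 ;;
        *) return 0 ;;
    esac
}

# valid_port PORT -> 0 if PORT is an integer in 1..65535, else 1
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# build_cmd NAME ACTION [PORT] -> prints the single nft command to run,
# or returns 1 if the request is not one of the three permitted shapes.
build_cmd() {
    name=$1; action=$2; port=${3:-}
    valid_name "$name" || return 1
    case "$action" in
        list)  printf '%s list chain %s vm_%s\n' "$NFT" "$TABLE" "$name" ;;
        allow) valid_port "$port" || return 1
               printf '%s add element %s vm_%s_tcp_ok { %s }\n' "$NFT" "$TABLE" "$name" "$port" ;;
        deny)  valid_port "$port" || return 1
               printf '%s delete element %s vm_%s_tcp_ok { %s }\n' "$NFT" "$TABLE" "$name" "$port" ;;
        *)     return 1 ;;
    esac
}

# Only act when invoked with arguments, so the functions can be sourced alone.
if [ "$#" -ge 2 ]; then
    cmd=$(build_cmd "$@") || {
        echo "usage: vmfw-ctl NAME list | NAME allow PORT | NAME deny PORT" >&2
        exit 2
    }
    # Audit trail for wheel: who (via sudo) ran what, to syslog.
    logger -t vmfw-ctl "${SUDO_USER:-${USER:-unknown}}: $cmd"
    # Word-splitting is intended: "$cmd" is a validated argv for nft.
    # shellcheck disable=SC2086
    $cmd
fi
```

The design keeps the OP's four requirements in view: the owner can inspect (`list`) and change (`allow`/`deny`) their own chain only, the sudoers line decides which users are trusted with which VM, and wheel still owns the table, the forward chain, the logging rules and the syslog trail. It deliberately does not let the owner touch other VMs' chains or the base policy, which is the part David notes commercial products also don't delegate.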