Conversation
Add a new `stack` for managing the security baseline expected of new and existing deployments. [skip ci]
| # the default zone will not be changed. | ||
| # Predefined zones are listed here: | ||
| # https://firewalld.org/documentation/zone/predefined-zones.html | ||
| compute_firewalld_default_zone: trusted |
There was a problem hiding this comment.
We should ideally default to drop here, though it does make it trickier to apply
There was a problem hiding this comment.
I had just taken everything from the docs.
Need to figure out how to manage networks and their zones within this setup.
There was a problem hiding this comment.
We should probably update those docs. I don't think that the firewall will really do anything if the default zone is trusted. Basically that just means if there's no specific rule, it just passes, which is pretty insecure.
The easiest way to manage this right now is to just set *_firewalld_default_zone: "{{ stackhpc_firewalld_default_zone }}"
Then I don't mind whether we set stackhpc_firewalld_default_zone to trusted or drop, as long as we include a decent comment next to it explaining what it does
There was a problem hiding this comment.
Actually, I might be wrong. I need to dig into this more
2 participants
Add a new
stackfor managing the security baseline expected of new and existing deployments.[skip ci]