Configure containerVM firewall to enforce intent #692
Comments
#648 is related on the appliance side.
We should drop all inbound packets by default in the container VM's firewall configuration. When a port is "expose"d through the docker configuration then the firewall should allow the port to accept inbound packets on that port from other containers in the bridge. When a port is "publish"ed through the docker configuration then the firewall should allow the port to accept inbound connections from all. When containers are linked then they allow inbound connections from each other. More advanced firewall features from vSphere networking including networking and networking security features from NSX will be mapped to externally scoped networks and the configuration of those features will remain on the vSphere management plane. See: https://github.com/vmware/vic/tree/master/doc/design/networking Docker port/publish/expose commands will affect the firewall on the container VM.
@hmahmood this is the issue relating to container firewall config - the implication of this is that the ports to expose need to be present in the tether extraconfig.
GA feature from SSOD. @hickeng assigned in SSOD.
@hmahmood I don't recall - does this require the iptables binary or not?
This would require the iptables binary. Any other way to allow only certain ports through?
Changing this to high to elicit conversation specifically about firewall rule being applied when a container makes use of NFS volumes. Setting to 8 as we'll either need to inject
Short term alternatives to iptc based impl:
@fdawg4l I think you'll have addressed all of this once you're done with your current work. If that's correct can you add this to the Release (release column and Release field) so that we make sure to doc and close it.
@stuclem need to document this.
@hickeng I think that I need more information about #692 (comment) before I can document this.
Resolving as all children have been resolved.
Story
As a VCH user I expect containers using container networks to have the same degree of network security and isolation as they would when using NAT & port forwarding.
Detail
Two primary scenarios for attaching a container directly to a container-network:
(1)
a. configure firewall to permit incoming only, and then only on exposed ports, e.g. 8080
b. configure firewall to support port forwarding directly, e.g. 80 -> 8080
(2)
a. configure firewall to reject all incoming on that network, and only permit outbound to the target resource (protect network against containers as well as container against network)
b. the general "container needs internet access" case - permit outbound only.
There is the additional case when (1) and (2) apply for the same network.
Undecided whether the firewall should drop or reject.
Acceptance
#microsegmentation #nsx #firewall #iptables
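As an added illustration (not code from the vic project or from anyone in this thread), the shell function below emits an iptables-restore ruleset that maps the intent described in the comments and in scenarios (1a) and (2b) above: default DROP on inbound, exposed ports reachable only from the bridge subnet, published ports reachable from anywhere, linked peers allowed through, and outbound always permitted. The interface name, bridge CIDR, port lists and peer address are constructed sample values; DROP rather than REJECT is an assumption, since the issue leaves that undecided.

```shell
# Emit an iptables-restore ruleset for one container VM interface.
# Arguments: IFACE BRIDGE_CIDR "EXPOSED" "PUBLISHED" "LINKED_IPS"
# Port tokens are "port/proto" (e.g. "8080/tcp 53/udp"); a bare port
# defaults to tcp. Policy DROP (not REJECT) is an assumption here.
vic_fw_rules() {
  iface=$1; bridge=$2; exposed=$3; published=$4; linked=$5
  echo '*filter'
  # Nothing gets in unless a rule below allows it; outbound is open (2b).
  echo ':INPUT DROP [0:0]'
  echo ':FORWARD DROP [0:0]'
  echo ':OUTPUT ACCEPT [0:0]'
  # Loopback and replies to connections the container itself opened.
  echo '-A INPUT -i lo -j ACCEPT'
  echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  # Linked containers may reach this container on any port.
  for ip in $linked; do
    echo "-A INPUT -i $iface -s $ip -j ACCEPT"
  done
  # Exposed ports: only other containers on the bridge subnet (1a).
  for pp in $exposed; do
    case $pp in */*) port=${pp%/*}; proto=${pp#*/} ;; *) port=$pp; proto=tcp ;; esac
    echo "-A INPUT -i $iface -s $bridge -p $proto --dport $port -j ACCEPT"
  done
  # Published ports: open to any source.
  for pp in $published; do
    case $pp in */*) port=${pp%/*}; proto=${pp#*/} ;; *) port=$pp; proto=tcp ;; esac
    echo "-A INPUT -i $iface -p $proto --dport $port -j ACCEPT"
  done
  echo 'COMMIT'
}

# Constructed example: a container on eth0 in bridge 172.16.0.0/24 that
# exposes 8080 to the bridge, publishes 80 to all, and is linked to 172.16.0.5.
# The output can be loaded with: vic_fw_rules ... | iptables-restore
vic_fw_rules eth0 172.16.0.0/24 "8080/tcp" "80" "172.16.0.5"
```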