[lxc-users] LXD firewall container?

Guido Jäkel G.Jaekel at DNB.DE
Sat Apr 29 08:20:50 UTC 2017


Dear Ron and others,

Same as Spike, I would like to point you to FireHol. Technically, it's a rule generator for iptables. But you will not get in touch with this layer unless you get some "weird" error messages during the compile phase. This typically happens if you try to set up "advanced things", and you'll mostly know what's up for that reason.

The core of FireHol is that it offers a Domain Specific Language that allows you to define your needs in a very clear (object-oriented) way. And you will agree that clarity is of top importance when implementing security. As a joke: if you don't understand your iptables ruleset the next time you have to revisit it, that's a perfect example of security by obscurity ;)


If you use FireHol inside a container to protect its own (and only) veth, the FireHol configuration file will be "crystal-clear". But if you need an advanced level of security, i.e. you have to or want to mistrust the integrity of the containers -- or in other words, you don't just want to protect the container against others but you also want to protect others against a container -- then a tool like FireHol shows its pay-off.

Here, you may use it on the host side to define at the IP level (i.e. layer 3) what the layer 2 software bridge will pass to or from a container to the outer world or to others: defining rules for a whole bunch of routings is very easy using FireHol because you split the definition of services (and a lot are predefined) from their usage in a proper way.


*To devs & project leaders*: As said, the firewall configuration file for FireHol uses a DSL. But because it is "sourced" as a bash script, for really advanced things you may even "mix in" things at the bash script level. This might be useful for automatic orchestration in the described scenario if one wants to anchor a firewall set as part of the container configuration. Is there a vote for a sub-project to add support for "FireHol integration" as part of the LXC/LXD configuration framework (as an abstract and "movable" part of a container configuration)? Instead of a "full integration", a "support-style integration" might also be achieved by just using the script hooks as the interface, of course.


greetings

Guido
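
The host-side, layer 3, per-container policy Guido describes above, as an added example that is not part of the original post and not FireHol's own code: a small POSIX shell rule generator that copies FireHol's separation of service definitions from their use and emits the iptables FORWARD rules a host would need for one container on a bridge. The bridge name lxdbr0, the uplink eth0, the four-entry service table and the container address 10.0.3.10 are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not FireHol's code and not from the original post: a minimal
# rule generator in FireHol's spirit.  Services are *defined* once and *used*
# per container; the output is a list of iptables commands for the host's
# FORWARD chain.  Interface names and the container address are assumptions.

BRIDGE="lxdbr0"   # assumed: the bridge the containers' veths are attached to
WAN="eth0"        # assumed: the host's uplink to the outer world

# Service definitions: name -> "proto port".  FireHol ships a large predefined
# table; this stand-in knows only four.
service_def() {
    case "$1" in
        ssh)   echo "tcp 22" ;;
        http)  echo "tcp 80" ;;
        https) echo "tcp 443" ;;
        dns)   echo "udp 53" ;;
        *)     echo "unknown service: $1" >&2; return 1 ;;
    esac
}

# Things every policy needs once.  Bridged frames only reach iptables' FORWARD
# chain when br_netfilter is loaded and bridge-nf-call-iptables is on.
preamble() {
    echo "modprobe br_netfilter"
    echo "sysctl -w net.bridge.bridge-nf-call-iptables=1"
    echo "iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP"
}

# Container $1 may act as a *client* of service $2 on the far side of $WAN:
# new requests out, established replies back in.
client_rules() {
    def=$(service_def "$2") || return 1
    proto=${def% *}; port=${def#* }
    printf 'iptables -A FORWARD -i %s -o %s -s %s -p %s --dport %s -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT\n' \
        "$BRIDGE" "$WAN" "$1" "$proto" "$port"
    printf 'iptables -A FORWARD -i %s -o %s -d %s -p %s --sport %s -m conntrack --ctstate ESTABLISHED -j ACCEPT\n' \
        "$WAN" "$BRIDGE" "$1" "$proto" "$port"
}

# Container $1 *serves* service $2 to the outer world: the mirror image.
server_rules() {
    def=$(service_def "$2") || return 1
    proto=${def% *}; port=${def#* }
    printf 'iptables -A FORWARD -i %s -o %s -d %s -p %s --dport %s -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT\n' \
        "$WAN" "$BRIDGE" "$1" "$proto" "$port"
    printf 'iptables -A FORWARD -i %s -o %s -s %s -p %s --sport %s -m conntrack --ctstate ESTABLISHED -j ACCEPT\n' \
        "$BRIDGE" "$WAN" "$1" "$proto" "$port"
}

# Everything else to or from container $1 is dropped.  The first rule has no
# -o, so it also stops the container reaching its bridge neighbours: this is
# the "protect others against a container" half.
deny_rest() {
    printf 'iptables -A FORWARD -i %s -s %s -j DROP\n' "$BRIDGE" "$1"
    printf 'iptables -A FORWARD -o %s -d %s -j DROP\n' "$BRIDGE" "$1"
}

# The *usage* side: one call per container, naming what it may reach ($2)
# and what it may serve ($3), both as space-separated service lists.
container_policy() {
    for s in $2; do client_rules "$1" "$s" || return 1; done
    for s in $3; do server_rules "$1" "$s" || return 1; done
    deny_rest "$1"
}

# Constructed demo: one web container that may resolve names and fetch over
# HTTPS, and that serves plain HTTP.  Pipe the output into `sh` as root.
preamble
container_policy 10.0.3.10 "dns https" "http"
```

The generator only prints; applying the rules is a separate, root-only step, which keeps the policy reviewable before it touches the kernel. Two things worth checking on a real host: the rules are appended with -A, so they must land before any broad ACCEPT already in FORWARD, and without the br_netfilter sysctl the frames the bridge switches between two containers never traverse FORWARD at all, so the deny rule that is meant to protect neighbours would silently do nothing.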


On 27.04.2017 19:50, Spike wrote:
> after testing one of too many firewall solutions I went back to just
> running plain ubuntu and then put an iptables "frontend" on top of it. In
> my case I chose firehol, but there's a number of them and it's largely a
> matter of taste/how you work. It really depends what you care for, if you
> want an appliance kind of thing that won't work, as it doesn't come with
> batteries included, ie a gui, graphs etc, but if you want a clean working
> firehol without the hassle of managing rules yourself, then ubuntu + a fw
> manager will do wonders and actually keeps things simpler ime.
> 
> hope that helps,
> 
> Spike
> 
> On Mon, Apr 24, 2017 at 10:07 PM gunnar.wagner <gunnar.wagner at netcologne.de>
> wrote:
> 
>> I know that's only touching your point slightly but (as far as I know)
>> pfSense requires 2 physical WAN ports in order to run.
>>
>> So I'd doubt it can be containerized to begin with
>>
>>
>> On 4/25/2017 12:10 AM, Ron Kelley wrote:
>>
>> Greetings all,
>>
>> I am looking for an easy-to-configure firewall tool that provides NAT/Gateway/Firewall functions for other containers.  I know I can use iptables, etc, but I would like something more easily managed (web-based tool?) like pfSense, IPFire, IPCop, etc.  Unfortunately, many of the tools are ISO based which require “real” VM instances.
>>
>> I can’t seem to find any turn-key LXD firewall images; maybe I am looking in the wrong place?
>>
>> Any pointers?
>>
>> Thanks.
>> _______________________________________________
>> lxc-users mailing list
>> lxc-users at lists.linuxcontainers.org
>> http://lists.linuxcontainers.org/listinfo/lxc-users
>>
>>
>> --
>> Gunnar Wagner | Yongfeng Village Group 12 #5, Pujiang Town, Minhang
>> District, 201112 Shanghai, P.R. CHINA
>> mob +86.159.0094.1702 | skype: professorgunrad
>> | wechat: 15900941702

