BMC Firewall design

[joseph-reynolds]

Create a BMC firewall design in openbmc/docs/design. Topics include: Linux netfilter modules, iptables command line tools, firewall packages like arno-iptables-firewall to allow and deny IP traffic, logging support like ulogd, and bitbake recipes and config for the above.

[joseph-reynolds]

The requirement is to be able to allow and deny IP traffic originating from specific addresses. The design would be like:

• Handle both IPv4 and IPv6.
• Have an RemoteIPAddressFiltering object the BMC admin can configure, with properties:
  • Default: one of Allow, Block.
  • BlockList, a list of IP addresses, used when Default=Allow to block specific addresses.
  • AllowList, a list of IP addresses, used when Default=Block to allow specific addresses.

[joseph-reynolds]

Use cases:

1. Use of RemoteIPAddressFiltering with Default=Block and an AllowList supports a higher-security configuration that allows only authorized management consoles (specific HMC instances) to access the BMC. The HMCs' IP addresses would be added to the AllowList of the BMCs they operate. All other IP traffic is dropped.
2. The RemoteIPAddressFiltering with Default=Allow setting supports the basic use case to be able to connect to the BMC from its management network.
3. Use of RemoteIPAddressFiltering with Default=Allow and a BlockList helps prevent denial of service in environments where the BMC is exposed to a less than ideal network that has network agents outside of the BMC's control sending unwanted IP traffic to the BMC

[joseph-reynolds]

See discussion in 2019-2-6 entry of OpenBMC security working group meeting notes.

[joseph-reynolds]

Here are my views on the work items needed to implement the non-GUI items:

• Get the OpenBMC community to agree on a basic design (as above). Also agree on the underlying filtering mechanism (netfilter and nft?).
• Write up that design. There are several pieces:
  • Write up the REST API design. Does this build onto Redfish ManagerNetworkProtocol? Or do we use an Oem.OpenBMC extension?
  • Drive the Redfish/Oem issue to closure.
  • Write up the D-Bus interface.
  • Implement the Rest APIs in BMCWeb.
  • Implement the D-Bus daemon.
  • Bring netfilter components into the project (Yocto recipes, bitbake rules).

[joseph-reynolds]

Disambiguation: There is something called IPMI firewall. This is intended to be separate.

[joseph-reynolds]

I think this design is blocking https://github.com/ibm-openbmc/dev/issues/1808 I looked at Redfish firewall support and did not see any, but I am not a network expert. I looked in:

• The Redfish Forum, search for "firewall" - https://redfishforum.com/search.
• The Redfish spec.

As far as I can tell , the best place to put firewall function is a new section in the the existing DSP2046 NetworkInterface schema or the ManagerNetworkProtocol schema (see https://www.dmtf.org/sites/default/files/standards/documents/DSP2046_2017.2.pdf). Note the NetworkPort schema refers to physical ports, not to TCP or UDP ports. I am not the right person to figure this out.

What is the right way to proceed? Should we post a feature request to the Redfish Forum? We want to enhance the Redfish spec to expose an on-device capability to block or allow specific incoming IP addresses. There should be a setting to allow-all or deny-all incoming IP addresses together with a way to make exceptions for specific IP addresses (for IPv4 or IPv6). [Note: this is part of the function of traditional firewall.]

[joseph-reynolds]

I edited my previous posts to change terminology such as: Block, Allow, and Deny.

[ratagupt]

@amboar: We are yet to look into it.but yes we have seen the firewalld

[sunharis]

Migrate-Yes

[rfrandse]

tracking in jira

[yewdforwork]

I would like to ask : how do you start firewalld in openbmc system, or what should I do ?

When I introduced the firewalld module to openbmc, I failed to start Firewald. service. The following error message is displayed：

Operation procedure：

1. The bb file path used: openbmc/meta-openembedded/meta-networking/dynamic-layers/meta-python/recipes-connectivity/firewalld/firewalld_1.2.0.bb
2. Add the firewalld module to packagegroup-apps.bb in my project. Note: Introduce other modules to work properly, such as sqlite and nginx
3. Compile->burn-> start openbmc system : firewalld module exists, but failed to start, manual execution also failed

In addition, I noticed that the firewalld community has similar issues with the status of open : Firewalld service failed