Closed joseph-reynolds closed 1 year ago
The requirement is to be able to allow and deny IP traffic originating from specific addresses. The design would be like:
Use cases:
See the discussion in the 2019-2-6 entry of the OpenBMC security working group meeting notes.
Here are my views on the work items needed to implement the non-GUI items:
Disambiguation: There is something called the IPMI firewall. This is intended to be separate.
I think this design is blocking https://github.com/ibm-openbmc/dev/issues/1808. I looked at Redfish firewall support and did not see any, but I am not a network expert. I looked in:
As far as I can tell, the best place to put the firewall function is a new section in the existing DSP2046 NetworkInterface schema or the ManagerNetworkProtocol schema (see https://www.dmtf.org/sites/default/files/standards/documents/DSP2046_2017.2.pdf). Note that the NetworkPort schema refers to physical ports, not to TCP or UDP ports. I am not the right person to figure this out.
What is the right way to proceed? Should we post a feature request to the Redfish Forum? We want to enhance the Redfish spec to expose an on-device capability to block or allow specific incoming IP addresses. There should be a setting to allow-all or deny-all incoming IP addresses, together with a way to make exceptions for specific IP addresses (for IPv4 or IPv6). [Note: this is part of the function of a traditional firewall.]
I edited my previous posts to change terminology such as: Block, Allow, and Deny.
@amboar: We are yet to look into it, but yes, we have seen firewalld.
Migrate-Yes
Tracking in Jira.
I would like to ask: how do you start firewalld in an OpenBMC system, or what should I do?
When I introduced the firewalld module to OpenBMC, I failed to start firewalld.service. The following error message is displayed:
Operation procedure:
In addition, I noticed that the firewalld community has a similar issue that is still open: Firewalld service failed
Create a BMC firewall design in openbmc/docs/design. Topics include: Linux netfilter modules, iptables command-line tools, firewall packages like arno-iptables-firewall to allow and deny IP traffic, logging support like ulogd, and BitBake recipes and config for the above.
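As an added example, not OpenBMC project code and not a design this thread adopted, the following POSIX shell script turns the policy described above (allow-all or deny-all incoming IP traffic, with per-address exceptions, for IPv4 or IPv6) into the text format consumed by iptables-restore / ip6tables-restore. The chain name BMC_FW, the NFLOG group number and rate limit (so ulogd can pick up hits on the default policy), the choice to always accept loopback and established flows, and the FORWARD policy are assumptions of this example, not requirements from the thread.

```shell
#!/bin/sh
# Added example (not OpenBMC code): generate an iptables-restore ruleset that
# implements "default allow or deny incoming IP traffic, with per-address
# exceptions". Assumed policy model:
#   default    = allow | deny   (verdict for incoming traffic not listed below)
#   exceptions = space-separated addresses or prefixes that get the opposite verdict
# Apply (as root):  gen_ruleset deny 4 "10.0.0.5 192.0.2.0/24" | iptables-restore
#                   gen_ruleset deny 6 "2001:db8::1"          | ip6tables-restore

# valid_addr <4|6> <address-or-prefix>
# Syntax sanity check so that an exception string can never smuggle rule
# syntax (e.g. "-j ACCEPT") into the generated file. iptables-restore does the
# real address parsing; this only rejects anything that is not address-shaped.
valid_addr() {
    case "$2" in
        ''|*[!0-9a-fA-F.:/]*) return 1 ;;
    esac
    case "$1" in
        4) case "$2" in *:*) return 1 ;; *.*.*.*) return 0 ;; *) return 1 ;; esac ;;
        6) case "$2" in *:*) return 0 ;; *) return 1 ;; esac ;;
        *) return 1 ;;
    esac
}

# gen_ruleset <allow|deny> <4|6> "<space separated exception addresses>"
# Prints the ruleset on stdout; prints nothing and returns 1 on bad input.
gen_ruleset() {
    default=$1; family=$2; exceptions=$3
    case "$default" in
        allow) base_policy=ACCEPT; exception_target=DROP ;;
        deny)  base_policy=DROP;   exception_target=ACCEPT ;;
        *) echo "gen_ruleset: default must be allow or deny" >&2; return 1 ;;
    esac
    # Validate every exception before emitting anything, so a bad entry
    # cannot leave a half-written ruleset behind.
    for addr in $exceptions; do
        valid_addr "$family" "$addr" || {
            echo "gen_ruleset: bad IPv$family address: $addr" >&2; return 1; }
    done
    printf '%s\n' '*filter'
    printf ':INPUT %s [0:0]\n' "$base_policy"
    printf '%s\n' ':FORWARD DROP [0:0]'      # assumption: the BMC never routes
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' ':BMC_FW - [0:0]'
    # Loopback is always accepted. The exception chain runs BEFORE the
    # conntrack accept so that a "deny" exception also cuts connections that
    # were established before the rule was loaded.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -j BMC_FW'
    # Replies to the BMC's own outbound connections stay usable under deny-all.
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for addr in $exceptions; do
        printf '%s -s %s -j %s\n' '-A BMC_FW' "$addr" "$exception_target"
    done
    # Under deny-all, log (rate-limited, via NFLOG so ulogd can consume it)
    # what is about to hit the default DROP. Logging everything that is
    # accepted under allow-all would only be noise, so it is skipped there.
    if [ "$default" = deny ]; then
        printf '%s\n' '-A INPUT -m limit --limit 5/min -j NFLOG --nflog-group 1 --nflog-prefix "bmc-fw-deny "'
    fi
    printf '%s\n' 'COMMIT'
}

# When run directly as: script.sh <allow|deny> <4|6> "<addrs>"; skipped otherwise.
if [ $# -eq 3 ]; then
    gen_ruleset "$1" "$2" "$3"
fi
```

Keeping the generator separate from `iptables-restore` lets the ruleset be reviewed and diffed before it is loaded, and the explicit address check matters because the exception list would ultimately come from a network-facing Redfish PATCH.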