Posted to user@mesos.apache.org by Marc Roos <M....@f1-outsourcing.eu> on 2019/07/24 14:51:44 UTC

Firewall options


I have a test setup with Mesos and Marathon, and am now playing a bit
with HAProxy. On VMs I am using iptables to throttle brute-force RDP
connections, for instance.
What would be the advised way to apply this to the HAProxy app?


RE: Firewall options

Posted by Marc Roos <M....@f1-outsourcing.eu>.
 
Hey Greg, I don't want to be stubborn, but this is what I have now, just
iptables rules on the netns.

{
  "cniVersion": "0.3.1",
  "name": "test-firewallnetns",
  "plugins": [
    {
      "type": "macvtap",
      "master": "eth1",
      "ipam": {
        "type": "host-local",
        "subnet": "192.168.124.0/24",
        "rangeStart": "192.168.124.170",
        "rangeEnd": "192.168.124.179"
      }
    },
    {
      "type": "firewallnetns",
      "dataDir": "/etc/mesos-cni",
      "fwFiles": [ "default-policy", "allow-ping", "allow-ping-out" ],
      "ipsets": [
        { "set": "blacklistweb", "hashtype": "hash:ip", "netmask": 24, "hashsize": 4096 }
      ],
      "policies": [
        { "chain": "INPUT", "policy": "ACCEPT" },
        { "chain": "OUTPUT", "policy": "ACCEPT" }
      ],
      "rules": [
        { "type": "A", "chain": "INPUT", "rule": "-p tcp --dport $PORT0 -j ACCEPT" },
        { "type": "A", "chain": "INPUT", "rule": "-p tcp --dport $PORT1 -j ACCEPT" },
        { "type": "A", "chain": "INPUT", "rule": "-p tcp -m set --match-set blacklistweb src -m multiport --dports 80,443 -j REJECT --reject-with tcp-reset" }
      ]
    }
  ]
}

https://github.com/f1-outsourcing/plugins/tree/hostrouteif/plugins/meta/firewallnetns#firewallnetns-chain-plugin-not-final-name


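Added example, not code from the thread or from the firewallnetns plugin linked above: a small Python helper that renders the ipset/iptables commands a config of this shape translates to inside the container's network namespace, expands the $PORTn placeholders from the task environment (Marathon exports PORT0, PORT1, ... to the task), and checks rule order. Two constructed configs are included: one in the order posted above, and a hardened variant with a default-deny INPUT policy and an added hashlimit rule for the brute-force throttling from the original question. The order check matters because iptables walks a chain top-down and stops at the first match: if $PORT0 and $PORT1 resolve to 80 and 443, the two ACCEPT rules above the blacklist REJECT make it unreachable. The netns name, the 20/min and burst-40 thresholds, and the `ip netns exec` prefix are assumptions; a real CNI plugin enters the namespace it is handed in CNI_NETNS rather than shelling out.

```python
import re
import shlex

PORT_VAR = re.compile(r"\$(PORT\d+)")
PLAIN_ACCEPT = {"-p", "tcp", "-m", "multiport", "--dport", "--dports", "-j", "ACCEPT"}
BLACKLIST_REJECT = ("-p tcp -m set --match-set blacklistweb src "
                    "-m multiport --dports 80,443 -j REJECT --reject-with tcp-reset")

def rule(chain, text):
    return {"type": "A", "chain": chain, "rule": text}

# Constructed config in the posted order: ACCEPT on the task ports first,
# blacklist REJECT last. iptables stops at the first matching rule, so when
# PORT0/PORT1 resolve to 80/443 the REJECT can never fire.
POSTED_ORDER = {
    "ipsets": [{"set": "blacklistweb", "hashtype": "hash:ip", "netmask": 24, "hashsize": 4096}],
    "policies": [{"chain": "INPUT", "policy": "ACCEPT"}, {"chain": "OUTPUT", "policy": "ACCEPT"}],
    "rules": [rule("INPUT", "-p tcp --dport $PORT0 -j ACCEPT"),
              rule("INPUT", "-p tcp --dport $PORT1 -j ACCEPT"),
              rule("INPUT", BLACKLIST_REJECT)],
}

# Constructed hardened variant: default-deny INPUT, deny/throttle rules above
# the ACCEPTs. The hashlimit rule is the brute-force throttle from the
# original question; 20 new connections/min with burst 40 per source IP are
# assumed thresholds, not values from the thread.
HARDENED = {
    "ipsets": POSTED_ORDER["ipsets"],
    "policies": [{"chain": "INPUT", "policy": "DROP"}, {"chain": "OUTPUT", "policy": "ACCEPT"}],
    "rules": [rule("INPUT", "-i lo -j ACCEPT"),
              rule("INPUT", "-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"),
              rule("INPUT", BLACKLIST_REJECT),
              rule("INPUT", "-p tcp --syn -m multiport --dports $PORT0,$PORT1 "
                            "-m hashlimit --hashlimit-name haproxy --hashlimit-mode srcip "
                            "--hashlimit-above 20/min --hashlimit-burst 40 -j DROP"),
              rule("INPUT", "-p tcp --dport $PORT0 -j ACCEPT"),
              rule("INPUT", "-p tcp --dport $PORT1 -j ACCEPT")],
}

def substitute_ports(text, env):
    """Expand $PORTn from the task environment (Marathon exports PORT0, PORT1, ...).
    An unknown variable or a non-port value raises rather than producing a
    rule that silently matches nothing."""
    def repl(m):
        name = m.group(1)
        if name not in env:
            raise KeyError(f"{name} is not set in the task environment")
        value = env[name]
        if not value.isdigit() or not 1 <= int(value) <= 65535:
            raise ValueError(f"{name}={value!r} is not a valid port")
        return value
    return PORT_VAR.sub(repl, text)

def rule_ports(tokens):
    """Destination ports named by --dport/--dports in a tokenised rule."""
    ports = set()
    for i, tok in enumerate(tokens):
        if tok in ("--dport", "--dports") and i + 1 < len(tokens):
            ports.update(int(p) for p in tokens[i + 1].split(","))
    return ports

def find_shadowed_rules(conf, env):
    """Heuristic: a REJECT/DROP rule whose ports are all covered by an earlier
    port-only tcp ACCEPT on the same chain is dead code. Only --dport/--dports
    are inspected; any other match on the ACCEPT makes it non-shadowing."""
    warnings, accepted = [], {}
    for r in conf["rules"]:
        tokens = shlex.split(substitute_ports(r["rule"], env))
        ports = rule_ports(tokens)
        target = tokens[tokens.index("-j") + 1] if "-j" in tokens else None
        seen = accepted.setdefault(r["chain"], set())
        if target in ("REJECT", "DROP") and ports and ports <= seen:
            warnings.append(f"{r['chain']}: {r['rule']!r} is shadowed by an earlier ACCEPT")
        if target == "ACCEPT" and ports and all(
                t in PLAIN_ACCEPT or re.fullmatch(r"[\d,]+", t) for t in tokens):
            seen |= ports
    return warnings

def render_commands(conf, env, netns):
    """Ordered argv lists that apply `conf` inside `netns`: ipsets first (the
    rules reference them), then chain policies, then the rules."""
    prefix = ["ip", "netns", "exec", netns]
    cmds = []
    for s in conf.get("ipsets", []):
        cmds.append(prefix + ["ipset", "create", "-exist", s["set"], s["hashtype"],
                              "hashsize", str(s["hashsize"]), "netmask", str(s["netmask"])])
    for p in conf.get("policies", []):
        cmds.append(prefix + ["iptables", "-P", p["chain"], p["policy"]])
    for r in conf.get("rules", []):
        cmds.append(prefix + ["iptables", "-" + r["type"], r["chain"]]
                    + shlex.split(substitute_ports(r["rule"], env)))
    return cmds

if __name__ == "__main__":
    env = {"PORT0": "80", "PORT1": "443"}  # constructed task environment
    for w in find_shadowed_rules(POSTED_ORDER, env):
        print("WARNING:", w)
    # Review the output before piping it to sh inside the namespace.
    print("\n".join(shlex.join(c) for c in render_commands(HARDENED, env, "cni-example")))
```

Running the script prints a warning for the posted order with PORT0=80/PORT1=443 and then the hardened rule set as shell lines. Before loading anything like this, verify on the kernel you run that the set and hashlimit matches actually take effect inside a network namespace, and keep the ipset create ahead of the rules that reference it, or the iptables commands fail.
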
Re: Firewall options

Posted by Greg Langford <gr...@langford.me>.
Hey Marc,

It's not too complicated or overkill, I don't think. At first I was of the
same opinion, but am currently setting it up on a small development
environment. The benefit is that you can define network policies as code
and execute them using automation, so if a CI tool like Jenkins is part of
your stack you can programmatically tear down and rebuild, avoiding manual
steps and helping make environment rebuilds consistent.

Cheers

On Thu, 25 Jul 2019, 16:38 Marc Roos, <M....@f1-outsourcing.eu> wrote:

> Thanks Greg for the suggestion. I looked at it a bit, and I am not sure it
> is not a bit of overkill for my small environment. I am now testing a
> bit with a plugin I made that creates iptables rules directly in the
> namespace. I just need to make it more 'dynamic'.
>
> -----Original Message-----
> From: Greg Langford [mailto:greg@langford.me]
> Sent: Wednesday 24 July 2019 16:54
> To: user@mesos.apache.org
> Subject: Re: Firewall options
>
> Use Calico as a CNI network; you can then use Calico to apply network
> policies.
>
> On Wed, 24 Jul 2019, 15:52 Marc Roos, <M....@f1-outsourcing.eu> wrote:
>
>         I have a test setup with Mesos and Marathon, and am now playing a
>         bit with HAProxy. On VMs I am using iptables to throttle brute-force
>         RDP connections, for instance.
>         What would be the advised way to apply this to the HAProxy app?

RE: Firewall options

Posted by Marc Roos <M....@f1-outsourcing.eu>.
Thanks Greg for the suggestion. I looked at it a bit, and I am not sure it
is not a bit of overkill for my small environment. I am now testing a
bit with a plugin I made that creates iptables rules directly in the
namespace. I just need to make it more 'dynamic'.

-----Original Message-----
From: Greg Langford [mailto:greg@langford.me]
Sent: Wednesday 24 July 2019 16:54
To: user@mesos.apache.org
Subject: Re: Firewall options

Use Calico as a CNI network; you can then use Calico to apply network
policies.

On Wed, 24 Jul 2019, 15:52 Marc Roos, <M....@f1-outsourcing.eu> wrote:

	I have a test setup with Mesos and Marathon, and am now playing a bit
	with HAProxy. On VMs I am using iptables to throttle brute-force RDP
	connections, for instance.
	What would be the advised way to apply this to the HAProxy app?


Re: Firewall options

Posted by Greg Langford <gr...@langford.me>.
Use Calico as a CNI network; you can then use Calico to apply network
policies.

On Wed, 24 Jul 2019, 15:52 Marc Roos, <M....@f1-outsourcing.eu> wrote:

>
> I have a test setup with Mesos and Marathon, and am now playing a bit
> with HAProxy. On VMs I am using iptables to throttle brute-force RDP
> connections, for instance.
> What would be the advised way to apply this to the HAProxy app?