Posted to user@mesos.apache.org by Marc Roos <M....@f1-outsourcing.eu> on 2019/07/24 14:51:44 UTC
Firewall options
I have a test setup with Mesos and Marathon, and am now playing a bit with HAProxy. On VMs I am using iptables to throttle brute-force RDP connections, for instance.
What would be the advised way to apply this to the HAProxy app?
RE: Firewall options
Posted by Marc Roos <M....@f1-outsourcing.eu>.
Hey Greg, I don't want to be stubborn, but this is what I have now: just iptables rules on the netns.
{
  "cniVersion": "0.3.1",
  "name": "test-firewallnetns",
  "plugins": [
    {
      "type": "macvtap",
      "master": "eth1",
      "ipam": {
        "type": "host-local",
        "subnet": "192.168.124.0/24",
        "rangeStart": "192.168.124.170",
        "rangeEnd": "192.168.124.179"
      }
    },
    {
      "type": "firewallnetns",
      "dataDir": "/etc/mesos-cni",
      "fwFiles": [ "default-policy", "allow-ping", "allow-ping-out" ],
      "ipsets": [
        { "set": "blacklistweb", "hashtype": "hash:ip", "netmask": 24, "hashsize": 4096 }
      ],
      "policies": [
        { "chain": "INPUT", "policy": "ACCEPT" },
        { "chain": "OUTPUT", "policy": "ACCEPT" }
      ],
      "rules": [
        { "type": "A", "chain": "INPUT", "rule": "-p tcp --dport $PORT0 -j ACCEPT" },
        { "type": "A", "chain": "INPUT", "rule": "-p tcp --dport $PORT1 -j ACCEPT" },
        { "type": "A", "chain": "INPUT", "rule": "-p tcp -m set --match-set blacklistweb src -m multiport --dports 80,443 -j REJECT --reject-with tcp-reset" }
      ]
    }
  ]
}
https://github.com/f1-outsourcing/plugins/tree/hostrouteif/plugins/meta/firewallnetns#firewallnetns-chain-plugin-not-final-name
> -----Original Message-----
> To: user@mesos.apache.org
> Subject: Re: Firewall options
>
> Hey Marc,
> It's not too complicated or overkill, I don't think. At first I was of the same opinion but am currently setting it up on a small development environment. The benefit is that you can define network policies as code and execute them using automation, so if a CI tool like Jenkins is a part of your stack you can programmatically tear down and rebuild, avoiding manual steps and helping make environment rebuilds consistent.
> Cheers
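To see why the order of those appended rules matters, here is an added example (mine, not from the thread or the firewallnetns plugin) that expands $PORT0/$PORT1 and walks the INPUT chain first-match over a constructed packet: with assumed task ports 80/443 the per-port ACCEPTs shadow the blacklistweb REJECT, while moving the REJECT ahead restores the block. The port values, the ipset entry and the packet are assumptions.

```python
import re

# Rules from the firewallnetns config in the post above ($PORTn left unexpanded, as in the thread).
CNI_RULES = {
    "policies": [{"chain": "INPUT", "policy": "ACCEPT"}, {"chain": "OUTPUT", "policy": "ACCEPT"}],
    "rules": [
        {"type": "A", "chain": "INPUT", "rule": "-p tcp --dport $PORT0 -j ACCEPT"},
        {"type": "A", "chain": "INPUT", "rule": "-p tcp --dport $PORT1 -j ACCEPT"},
        {"type": "A", "chain": "INPUT", "rule": "-p tcp -m set --match-set blacklistweb src "
                                                "-m multiport --dports 80,443 -j REJECT --reject-with tcp-reset"},
    ],
}

def expand(rule, env):
    """Substitute $PORT0/$PORT1 from the task environment (assumed to follow Marathon's port variables)."""
    return re.sub(r"\$(\w+)", lambda m: str(env[m.group(1)]), rule)

def _target(tokens, ipsets, pkt):
    """One rule's match options against a packet: its -j target, or None. Ipset check is exact-IP (ignores netmask 24)."""
    for i, t in enumerate(tokens):
        if t == "-p" and pkt["proto"] != tokens[i + 1]:
            return None
        if t == "--dport" and pkt["dport"] != int(tokens[i + 1]):
            return None
        if t == "--dports" and pkt["dport"] not in {int(p) for p in tokens[i + 1].split(",")}:
            return None
        if t == "--match-set" and pkt[tokens[i + 2]] not in ipsets[tokens[i + 1]]:
            return None
        if t == "-j":
            return tokens[i + 1]
    return None

def verdict(config, env, ipsets, pkt, chain="INPUT"):
    """First-match walk of the chain, falling back to the chain policy, as the kernel does."""
    for r in config["rules"]:
        if r["chain"] == chain:
            target = _target(expand(r["rule"], env).split(), ipsets, pkt)
            if target:
                return target
    return next(p["policy"] for p in config["policies"] if p["chain"] == chain)

def reject_first(config):
    """Mitigation: put REJECT/DROP rules ahead of the per-port ACCEPTs so a blacklist cannot be shadowed."""
    blocks = [r for r in config["rules"] if "-j REJECT" in r["rule"] or "-j DROP" in r["rule"]]
    return {**config, "rules": blocks + [r for r in config["rules"] if r not in blocks]}

if __name__ == "__main__":  # assumed: HAProxy task ports mapped to 80/443, blacklist entry from a documentation range
    ipsets, pkt = {"blacklistweb": {"203.0.113.9"}}, {"proto": "tcp", "src": "203.0.113.9", "dport": 80}
    env = {"PORT0": 80, "PORT1": 443}
    print(verdict(CNI_RULES, env, ipsets, pkt), verdict(reject_first(CNI_RULES), env, ipsets, pkt))  # ACCEPT REJECT
```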
Re: Firewall options
Posted by Greg Langford <gr...@langford.me>.
Hey Marc,
It's not too complicated or overkill, I don't think. At first I was of the same opinion but am currently setting it up on a small development environment. The benefit is that you can define network policies as code and execute them using automation, so if a CI tool like Jenkins is a part of your stack you can programmatically tear down and rebuild, avoiding manual steps and helping make environment rebuilds consistent.
Cheers
On Thu, 25 Jul 2019, 16:38 Marc Roos, <M....@f1-outsourcing.eu> wrote:
> Thanks Greg for the suggestion. I looked a bit at it, and I am not sure if it is not a bit of an overkill for my small environment. I am now testing a bit with a plugin I made that creates iptables rules directly in the namespace. Just need to make it more 'dynamic'.
RE: Firewall options
Posted by Marc Roos <M....@f1-outsourcing.eu>.
Thanks Greg for the suggestion. I looked a bit at it, and I am not sure if it is not a bit of an overkill for my small environment. I am now testing a bit with a plugin I made that creates iptables rules directly in the namespace. Just need to make it more 'dynamic'.
> -----Original Message-----
> From: Greg Langford [mailto:greg@langford.me]
> Sent: Wednesday 24 July 2019 16:54
> To: user@mesos.apache.org
> Subject: Re: Firewall options
>
> Use Calico as a CNI network; you can then use Calico to apply network policies.
Re: Firewall options
Posted by Greg Langford <gr...@langford.me>.
Use Calico as a CNI network; you can then use Calico to apply network policies.
On Wed, 24 Jul 2019, 15:52 Marc Roos, <M....@f1-outsourcing.eu> wrote:
> I have a test setup with Mesos and Marathon, and am now playing a bit with HAProxy. On VMs I am using iptables to throttle brute-force RDP connections, for instance.
> What would be the advised way to apply this to the HAProxy app?