mikeely
Veteran
Posts: 285
Liked: 93 times
Joined: Nov 07, 2016 7:39 pm
Full Name: Mike Ely
Contact:

Feature Request: host firewall control on VSA

Post by mikeely »

While I appreciate that the firewall rules on the VSA are already pretty restrictive, we would really appreciate some deeper level of control. For example, if the only available place to put an EM server is on a public IP (as is, sadly, the current case for me), it would be great to restrict access to those ports which are kept open to a set of networks. Our case is odd, we'd need a /27 here, a /29 there, and so on. Safe bet other customers have similar needs, even for non-routable addresses where legal compliance issues are in play.

I think it would be pretty easy from a UI design perspective and probably easy to do programmatically - firewalld gives me hives as does every other attempt to do Windows-like behavior on Linux but I'm sure somebody there knows how to make it work.
'If you truly love Veeam, then you should not let us do this :D' --Gostev, in a particularly Blazing Saddles moment
vnikiforov
Product Manager
Posts: 41
Liked: 12 times
Joined: Aug 17, 2022 5:03 am
Full Name: Vladimir Nikiforov
Location: Romania
Contact:

Re: Feature Request: host firewall control on VSA

Post by vnikiforov »

Hello, Mike,

Thank you, very interesting suggestion. Are we basically talking about a UI to control firewalld from Host Management Console?
---
BR,
Vladimir
Veeam Software

Re: Feature Request: host firewall control on VSA

Post by mikeely »

I suppose it would make the most sense to control it from the Host Management Console - let the security officer account manage the security features. Although maybe it shouldn't be in the Host Management Console, as that 100% requires web access over port 10443 and if there's one rule about firewalls that's consistent across all implementations it's that people will inevitably firewall themselves out of their system. This configuration needs to be at least capable of being reached from the physical host in some supportable way and I haven't yet seen how to access Host Management from that route.

In terms of function it should be pretty simple: firewalld already has the required ports configured, so the only function here would be to limit which IP addresses or CIDR ranges could access the system, very simple.

Here's an example of what I mean:
Image

Add that along with needed documentation and helptext, feature added.
'If you truly love Veeam, then you should not let us do this :D' --Gostev, in a particularly Blazing Saddles moment
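The allowlist behaviour requested in this thread, as an added example (not from the posters and not Veeam's implementation): a Python helper that turns a set of CIDR ranges into firewalld rich rules for port 10443 and refuses to proceed if the operator's own address would be locked out. It assumes a generic firewalld host where the port is opened with a plain port entry in the `public` zone; the function name, zone and sample addresses are constructed for illustration.

```python
import ipaddress
import shlex

# Constructed sample values (documentation address ranges), not from the thread.
SAMPLE_CIDRS = ["203.0.113.0/27", "203.0.113.8/29", "198.51.100.64/29"]


def build_allowlist_commands(port, cidrs, admin_ip, zone="public"):
    """Return firewall-cmd argument lists limiting port/tcp to the given CIDRs.

    Raises ValueError for a malformed CIDR or when admin_ip, the address the
    operator connects from, is outside every allowed range (self-lockout).
    """
    # strict=True rejects entries with host bits set (e.g. 203.0.113.5/27),
    # which are usually typos for a different range.
    nets = [ipaddress.ip_network(c, strict=True) for c in cidrs]
    # Merge overlapping or nested ranges per address family so the rule set
    # stays minimal; collapse_addresses cannot mix IPv4 and IPv6.
    merged = []
    for version in (4, 6):
        merged += ipaddress.collapse_addresses(n for n in nets if n.version == version)
    admin = ipaddress.ip_address(admin_ip)
    if not any(n.version == admin.version and admin in n for n in merged):
        raise ValueError(f"{admin} is not in any allowed range; refusing to build rules")

    cmds = []
    for net in merged:
        family = "ipv4" if net.version == 4 else "ipv6"
        rule = (f'rule family="{family}" source address="{net}" '
                f'port port="{port}" protocol="tcp" accept')
        cmds.append(["firewall-cmd", "--permanent", f"--zone={zone}",
                     f"--add-rich-rule={rule}"])
    # Assumption: the port is currently open to everyone through a plain port
    # entry in this zone. It is removed only after the allow rules are queued.
    cmds.append(["firewall-cmd", "--permanent", f"--zone={zone}",
                 f"--remove-port={port}/tcp"])
    cmds.append(["firewall-cmd", "--reload"])
    return cmds


if __name__ == "__main__":
    # Print the commands for review instead of executing them.
    for cmd in build_allowlist_commands(10443, SAMPLE_CIDRS, "203.0.113.10"):
        print(shlex.join(cmd))
```

The helper only builds the command list; running it from a console session on the host rather than over the restricted port keeps a recovery path if a range is wrong.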

Re: Feature Request: host firewall control on VSA

Post by vnikiforov » 1 person likes this post

Hello, Mike,

Thank you for the details. I have checked internally, and we already have this feature in the plans for future versions. I can't provide any ETAs at this point, though.
---
BR,
Vladimir
Veeam Software

Re: Feature Request: host firewall control on VSA

Post by mikeely »

Great. Hopefully soon!
'If you truly love Veeam, then you should not let us do this :D' --Gostev, in a particularly Blazing Saddles moment