- 
                Notifications
    You must be signed in to change notification settings 
- Fork 2
feat: add simple Firewall design #114
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: master
Are you sure you want to change the base?
Conversation
873a289    to
    f08bdd5      
    Compare
  
    f08bdd5    to
    8f8729f      
    Compare
  
    8f8729f    to
    ad10042      
    Compare
  
    Signed-off-by: Sergey Matov <[email protected]>
ad10042    to
    1f6aae8      
    Compare
  
    There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I note that the concept is very close to K8s' Network Policies. Have we considered making our API closer to these? I do understand they're different objects, but users might find the syntax easier to remember if they're already familiar with it?
One point in particular is that we currently define CIDRs under tcp -> src, for example; but it seems to me like it's more frequent to define access to multiple services for a given IP or CIDR, so this may lead to some duplication of the CIDRs involved. Wouldn't it make more sense to specify the CIDR first, then for this CIDR, to specify the protocol?
| ## Simple firewall implementation | ||
| VPC Firewall implies zero trust if firewall pattern is specified. | 
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do I understand this right?:
- No firewallpolicy specified: all traffic allowed
- allowpolicy specified: all traffic denied, save for allowed patterns
- deny-only policy specified: all traffic denied
- allow+- denypolicies: traffic not matching allowed patterns is denied; traffic matching allowed patterns is allowed, except if it's explicitly denied by the- denypolicy, which always takes precedence
Is this correct?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes. If there is deny only policy specified, allow should be added for any other traffic.
Also, order is defined by order in the API message.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes. If there is
denyonly policy specified,allowshould be added for any other traffic.
Sounds good to me, thanks!
Also, order is defined by order in the API message.
This is more concerning to me. It sounds super-easy to enable by mistake the traffic you specifically wanted to deny, because a user didn't understand the significance of the order, or they got confused and mentally swapped the order, or did a copy-paste error and put the deny policy at the wrong place. Are we sure we need to nest multiple levels of allow and deny policies? Wouldn't a single level of allow + a preceding level of deny be safer (and easier) to use?
No description provided.