Disable external firewall for ildkule in openstack #286

Open
opened 2026-01-15 10:32:48 +01:00 by oysteikt · 2 comments
Owner

There seems to be some sort of invisible firewall outside of ildkule. Ildkule already has iptables active, so we don't need two layers of firewall.

(Note that I am not 100% sure that this is actually the case, but I'm having trouble connecting to allegedly open ports on ildkule, and I don't have access to openstack to verify it)

oysteikt added the bug, networking labels 2026-01-15 10:32:48 +01:00
oysteikt added this to the Kanban project 2026-01-15 10:32:48 +01:00
oysteikt added the openstack label 2026-01-15 10:39:36 +01:00
oysteikt moved this to High priority in Kanban on 2026-01-15 10:40:44 +01:00
Owner

Using the OpenStack firewall is free real estate without using VM resources, and can't be changed by someone hacking into ildkule (publicly exposed grafana 💀), and I think we landed on doing it this way after discussing when setting it up. Unlike proxmox, where the firewall is annoying, the OpenStack one is nice, and I like it.

However, if someone wants to modify it, add some rules, or open up everything, there are guides:

- [here for cli](https://www.ntnu.no/wiki/spaces/skyhigh/pages/99616262/Using+the+commandline+clients#Usingthecommandlineclients-Openupthefirewall)
- [here for webui](https://www.ntnu.no/wiki/spaces/skyhigh/pages/98079250/Using+the+webinterface#Usingthewebinterface-Openupthefirewall)

You also have to have an NTNU account, be in the something-something-openstack-pvv unix group (ask @danio), and be on some sort of NTNU network/ip range to access StackIT. This alone, and us not having NTNU accounts, might be a fair argument to open this up a bit.
Author
Owner

Could we at the very least allow unconditional traffic from PVV's IPv4 and IPv6 space? The firewall can be as nice as it wants to, but it doesn't matter if neither of us have access to it.

Reference: Drift/issues#286