Can `K8s` start the firewalld service with `zone` set to `trusted`?

I have an ICMP security vulnerability in my cluster and I need to turn on a firewall to restrict it. Can I enable the firewalld service with zone set to trusted?

For firewall zone pre-setting, I found the method here: firewall-offline-cmd

With firewall-offline-cmd you can set the firewall rules before firewalld is started.

Regarding the effect of starting firewalld on k8s, I have observed that the cluster nodes work fine after starting, and I think it works. I don’t know if it will be a problem in the future.


Note: If you have used iptables to make some NAT or other rules on the cluster, then turning on the firewall will make them disappear.


My vulnerability: ICMP timestamp request response vulnerability

I tested and found that this vulnerability can be solved without starting firewalld.service; just add the following rules and they will take effect immediately, or maybe just add them if they are short rules. You don’t need to start firewalld.

You just need to remember that you have done these configurations before.

┌──[root@vms152.liruilongs.github.io]-[~]
└─$iptables -A INPUT -p icmp --icmp-type 13 -j DROP
┌──[root@vms152.liruilongs.github.io]-[~]
└─$iptables -A OUTPUT -p icmp --icmp-type 14 -j DROP
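An added example, not from this thread: a small POSIX shell script that installs the same two rules idempotently (it uses `iptables -C` to skip rules that already exist, so re-running it after a reboot or a firewalld restart does not stack duplicates) and offers a check you can run after starting firewalld to confirm the rules survived. It assumes a host with `iptables`; the `IPTABLES` variable and the function names are my own choices.

```shell
#!/bin/sh
# Drop ICMP timestamp requests (type 13) and timestamp replies (type 14)
# without starting firewalld, as done by hand in the post above, but in a
# re-runnable form. IPTABLES can be overridden (e.g. to a wrapper) for testing.

IPTABLES="${IPTABLES:-iptables}"

# ensure_rule CHAIN RULE...: append the rule only if `iptables -C` says it is
# absent. Prints "present:" or "added:", returns non-zero if iptables fails.
ensure_rule() {
    chain="$1"; shift
    if "$IPTABLES" -C "$chain" "$@" 2>/dev/null; then
        echo "present: $chain $*"
    else
        "$IPTABLES" -A "$chain" "$@" || return 1
        echo "added: $chain $*"
    fi
}

# Block inbound timestamp requests so the node never answers them, and drop
# outbound timestamp replies as a second line of defence.
block_icmp_timestamp() {
    ensure_rule INPUT  -p icmp --icmp-type 13 -j DROP &&
    ensure_rule OUTPUT -p icmp --icmp-type 14 -j DROP
}

# Succeeds only if both rules are active; run this after starting firewalld,
# which (as noted in the thread) can wipe rules that were added by hand.
check_icmp_timestamp() {
    "$IPTABLES" -C INPUT  -p icmp --icmp-type 13 -j DROP 2>/dev/null &&
    "$IPTABLES" -C OUTPUT -p icmp --icmp-type 14 -j DROP 2>/dev/null
}

# Rules added this way do not survive a reboot; persist them with
# `iptables-save > /etc/sysconfig/iptables` (or your distro's equivalent).
```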