Re: CloudFoundry PCI-DSS compliance issue?
David McClure
> Because if iptables rules applied at VM level's intranet IP, then filtering rules would have affected other apps on the same VM? Or it works in some other different way?

In the "batteries included" implementation of cf-networking, policy enforcement is still done with iptables on the host VM, but policies are defined based on whitelist rules that allow AppA to reach AppB. The way it works is that traffic leaving AppA is tagged with an ID using an iptables mark rule. On the destination VM, a corresponding allow rule is written to iptables that allows traffic tagged with that ID.

Our main repo is here if you want to poke around more: https://github.com/cloudfoundry-incubator/cf-networking-release

And as Daniel mentioned, we can discuss the details more with you if you have specific questions in our Slack channel (most of the team is in the US/Pacific time zone).

Cheers,
Dave

On Apr 4, 2017 3:03 AM, "Daniel Jones" <daniel.jones(a)engineerbetter.com> wrote:

> Hi,
>
> iptables is used when Container Networking is *not* available. If you're using Container Networking, you might want to ask the folks that are writing it on cloudfoundry.slack.com in the #container-networking channel.
>
> Regards,
>
> Daniel Jones - CTO
> +44 (0)79 8000 9153
> @DanielJonesEB <https://twitter.com/DanielJonesEB>
> *EngineerBetter* Ltd <http://www.engineerbetter.com> - UK Cloud Foundry Specialists
>
> On 4 April 2017 at 09:07, Sze Siong Teo <szesiong(a)gmail.com> wrote:
>
>> Hi Daniel,
>>
>> Application Security Groups are implemented via iptables on the host Cell VMs, and not in the containers.
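As an added illustration of the mark-and-allow scheme Dave describes (not code from the thread or from cf-networking-release), the script below renders a constructed app-to-app whitelist into the two rule types: a mangle MARK rule on the source VM that stamps traffic leaving a container with its policy ID, and a mark-matching ACCEPT rule on the destination VM, followed by a catch-all DROP per destination. Chain names, container IPs and tag values are assumptions, the rules are only printed rather than applied, and how the tag travels between VMs is not covered in the thread.

```shell
#!/bin/sh
# Added example (not from cf-networking-release): render a constructed
# app-to-app whitelist into mark/allow iptables rules. Chain names,
# container IPs and tag values are assumptions; rules are printed, not applied.

# Constructed whitelist, one allowed flow per line:
#   <src_app> <src_container_ip> <dst_app> <dst_container_ip> <proto> <port> <tag>
# The tag is the ID stamped on traffic leaving src_app.
POLICIES='
appA 10.255.0.10 appB 10.255.1.20 tcp 8080 0x1
appC 10.255.0.11 appB 10.255.1.20 tcp 9090 0x2
'

# Run a rule generator ($1) once per non-empty whitelist entry.
each_policy() {
  printf '%s\n' "$POLICIES" | while read -r src sip dst dip proto port tag; do
    [ -n "$src" ] || continue
    "$@" "$src" "$sip" "$dst" "$dip" "$proto" "$port" "$tag"
  done
}

# Source VM: tag traffic leaving the source container with its policy ID.
mark_rule() {
  printf 'iptables -t mangle -A CF_MARK -s %s -m comment --comment "from %s" -j MARK --set-xmark %s\n' "$2" "$1" "$7"
}

# Destination VM: accept traffic for the destination container only when it
# carries a tag that a whitelist entry grants for that protocol and port.
accept_rule() {
  printf 'iptables -A CF_INGRESS -d %s -p %s --dport %s -m mark --mark %s -m comment --comment "%s->%s" -j ACCEPT\n' "$4" "$5" "$6" "$7" "$1" "$3"
}

# Without a matching entry nothing reaches the container: one DROP per destination.
drop_rules() {
  printf '%s\n' "$POLICIES" | awk 'NF { print $4 }' | sort -u | while read -r dip; do
    printf 'iptables -A CF_INGRESS -d %s -j DROP\n' "$dip"
  done
}

# Full rule set; the ACCEPT rules must precede the catch-all DROPs.
render_rules() {
  each_policy mark_rule
  each_policy accept_rule
  drop_rules
}

render_rules
```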