design: add section on firewall management

This summarizes firewalling directions, as discussed in coreos#26
lucab · Jan 2, 2019 · 1f18934 · 1f18934
1 parent 6c75d0c
commit 1f18934
Showing 1 changed file with 12 additions and 0 deletions.
diff --git a/Design.md b/Design.md
@@ -162,6 +162,18 @@ Originally discussed in [#21](https://github.com/coreos/fedora-coreos-tracker/is
 We will identify a Fedora CoreOS server using the `ID=fedora` and `VARIANT_ID=coreos`
 fields in the `/etc/os-release` file.
 
+## Firewall management
+
+Originally discussed in [#26](https://github.com/coreos/fedora-coreos-tracker/issues/26).
+
+### Summary:
+
+ - FCOS will ship without any ad-hoc filtering rules. By default, nodes will boot without firewall.
+ - Kernel- and user-space components will be provided for both iptables and nft.
+ - It will be possible to set up static rules (i.e. immutable for the whole node lifetime) via Ignition.
+ - Dynamic rules (i.e. mutable at runtime) are out of scope for FCOS.
+   Container runtimes and orchestrators take ownership of those via their own (containerized) rules managers.
+
 ## Cloud Agents
 
 Originally discussed in [#12](https://github.com/coreos/fedora-coreos-tracker/issues/12).