V-3851{1,2,3}, V-38686: IPv4 security controls

Mainly a documentation commit with one special case and three exceptions.

Implements: blueprint security-hardening

Change-Id: Ib9607f6df8aaed63b494a7f87af33cb7d3117f1d

doc/source/developer-notes/V-38511.rst

@@ -0,0 +1,5 @@
+**Special Case**
+
+Running virtual infrastructure requires IP forwarding to be enabled on various
+interfaces. The STIG allows for this, so long as the system is being operated
+as a router (as is the case for an OpenStack host).

doc/source/developer-notes/V-38512.rst

@@ -0,0 +1,10 @@
+**Exception**
+
+Although a minimal set of iptables rules are configured on openstack-ansible
+hosts, the "deny all" requirement of the STIG is not met. This is largely left
+up to the deployer to do, based on their assessment of their own network
+segmentation.
+
+Deployers are urged to review the network access controls that are applied
+on the network devices between their OpenStack environment and the rest of
+their network.

doc/source/developer-notes/V-38513.rst

@@ -0,0 +1 @@
+V-38512.rst

doc/source/developer-notes/V-38686.rst

@@ -0,0 +1 @@
+V-38512.rst