Explain how to use firewall in tripleo

Many customers are asking to setup firewall rules to allow monitoring solution
or add restriction.

This is tested and works on newton.

Change-Id: Id7022b55be1cdcb61b3b7f018a3c240c56e8b8d5
Signed-off-by: Cyril Lopez <cylopez@redhat.com>

doc/source/advanced_deployment/security_hardening.rst

@@ -125,4 +125,79 @@ Rules can be declared using an enviroment file and injected into
           content: '-w /etc/selinux/ -p wa -k MAC-policy'
           order  : 3
 
+Firewall Management
+-------------------
 
+iptables rules are automatically deployed on overcloud nodes to open only the
+ports which are needed to get OpenStack working. Rules can be added during the
+deployement when is needed. For example, for Zabbix monitoring system::
+
+    parameter_defaults:
+      ControllerExtraConfig:
+        tripleo::firewall::firewall_rules:
+          '301 allow zabbix':
+            dport: 10050
+            proto: tcp
+            source: 10.0.0.8
+            action: accept
+
+Rules can also be used to restrict access. The number used at definition of a
+rule will determine where the iptables rule will be inserted. For example,
+rabbitmq rule number is 109 by default. If you want to restrain it, you can do::
+
+    parameter_defaults:
+      ControllerExtraConfig:
+        tripleo::firewall::firewall_rules:
+          '098 allow rabbit from internalapi network':
+            dport: [4369,5672,25672]
+            proto: tcp
+            source: 10.0.0.0/24
+            action: accept
+          '099 drop other rabbit access':
+            dport: [4369,5672,25672]
+            proto: tcp
+            action: drop
+
+In this example, 098 and 099 are arbitrarily chosen numbers that are smaller than
+the rabbitmq rule number 109. To know the number of a rule, you can inspect
+the iptables rule on the appropriate node (controller, in case of rabbitmq)::
+
+    iptables-save
+    [...]
+    -A INPUT -p tcp -m multiport --dports 4369,5672,25672 -m comment --comment "109 rabbitmq" -m state --state NEW -j ACCEPT
+
+Alternatively it's possible to get the information in tripleo service in the
+definition. In our case in `puppet/services/rabbitmq.yaml`::
+
+    tripleo.rabbitmq.firewall_rules:
+      '109 rabbitmq':
+        dport:
+          - 4369
+          - 5672
+          - 25672
+
+The following parameters can be set for a rule:
+
+* **port**: The port associated to the rule. Deprecated by puppetlabs-firewall.
+
+* **dport**: The destination port associated to the rule.
+
+* **sport**: The source port associated to the rule.
+
+* **proto**: The protocol associated to the rule. Defaults to 'tcp'
+
+* **action**: The action policy associated to the rule. Defaults to 'accept'
+
+* **jump**: The chain to jump to.
+
+* **state**: Array of states associated to the rule. Default to ['NEW']
+
+* **source**: The source IP address associated to the rule.
+
+* **iniface**: The network interface associated to the rule.
+
+* **chain**: The chain associated to the rule. Default to 'INPUT'
+
+* **destination**: The destination cidr associated to the rule.
+
+* **extras**: Hash of any additional parameters supported by the puppetlabs-firewall module.