Firewall-as-a-Service (FWaaS) overview

The Firewall-as-a-Service (FWaaS) plug-in adds perimeter firewall management to Networking. FWaaS uses iptables to apply firewall policy to all Networking routers within a project. FWaaS supports one firewall policy and logical firewall instance per project.

Whereas security groups operate at the instance-level, FWaaS operates at the perimeter by filtering traffic at the neutron router.

Note

FWaaS is currently in technical preview; untested operation is not recommended.

The example diagram below illustrates the flow of ingress and egress traffic for the VM2 instance:

Figure 7.1. FWaaS architecture (diagram not reproduced in this text version)


Enable FWaaS. Enable the FWaaS plug-in in the neutron.conf file. The service_plugins option belongs to the [DEFAULT] section; the driver and enabled options go in the [fwaas] section:

[DEFAULT]
service_plugins = neutron.services.firewall.fwaas_plugin.FirewallPlugin

[service_providers]
service_provider=LOADBALANCER:Haproxy:neutron.services.loadbalancer.drivers.haproxy.plugin_driver.HaproxyOnHostPluginDriver:default

[fwaas]
driver = neutron.services.firewall.drivers.linux.iptables_fwaas.IptablesFwaasDriver
enabled = True

FWaaS management options are available in the OpenStack dashboard. Enable the option in the local_settings.py file, typically located on the controller node at /usr/share/openstack-dashboard/openstack_dashboard/local/local_settings.py, by setting the enable_firewall key of the OPENSTACK_NEUTRON_NETWORK dictionary to True:

'enable_firewall': True,

Procedure 7.1. Configure Firewall-as-a-Service

First create the firewall rules and create a policy that contains them, then create a firewall that applies the policy:

  1. Create a firewall rule:

    $ neutron firewall-rule-create --protocol <tcp|udp|icmp|any> --destination-port <port-range> --action <allow|deny>

    The CLI requires a protocol value; if the rule is protocol-agnostic, use the value 'any'.

  2. Create a firewall policy:

    $ neutron firewall-policy-create --firewall-rules "<firewall-rule IDs or names separated by space>" myfirewallpolicy

    The order of the rules specified above is important: rules are evaluated in that order. You can create a firewall policy without any rules and add rules later, either with the update operation (when adding multiple rules) or with the insert-rule operation (when adding a single rule). See the CLI Reference for more details on these operations.

    Note

    FWaaS always adds a default deny all rule at the lowest precedence of each policy. Consequently, a firewall policy with no rules blocks all traffic by default.

  3. Create a firewall:

    $ neutron firewall-create <firewall-policy-uuid>

    Note

    The firewall remains in the PENDING_CREATE state until a Networking router is created and an interface is attached to it.
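The two points the procedure above hinges on, rule order and the implicit deny-all at the bottom of every policy, are easy to get wrong when a policy is assembled from several firewall-rule-create calls. The following added example (not OpenStack code) models how a policy built from the page's rule fields (protocol, destination port, action) evaluates a packet: rules are tried in policy order, the first match wins, and anything unmatched falls through to the implicit deny. Real FWaaS rules carry further fields (source and destination addresses, enabled flag) that this model leaves out; insert_rule is a local stand-in for the CLI's insert-rule operation.

```python
# Added example, not OpenStack code: a model of how an FWaaS policy evaluates
# traffic. Only the fields of the page's firewall-rule-create command are
# modelled (protocol, destination port, action); real rules have more.
from dataclasses import dataclass
from typing import List, Optional, Tuple

PROTOCOLS = ("tcp", "udp", "icmp", "any")   # values accepted by --protocol
ACTIONS = ("allow", "deny")                 # values accepted by --action


def parse_port_range(spec: Optional[str]) -> Optional[Tuple[int, int]]:
    """Parse a --destination-port value: a single port '22' or a range
    '8000:8080'. None means the rule matches any destination port."""
    if spec is None:
        return None
    low, _, high = spec.partition(":")
    low_i = int(low)
    high_i = int(high) if high else low_i
    if not 0 < low_i <= high_i <= 65535:
        raise ValueError(f"invalid port range: {spec!r}")
    return (low_i, high_i)


@dataclass(frozen=True)
class Rule:
    protocol: str
    action: str
    dest_ports: Optional[Tuple[int, int]]   # None: any destination port


def make_rule(protocol: str, action: str,
              destination_port: Optional[str] = None) -> Rule:
    """Build a rule, validating the arguments the same way the CLI does."""
    if protocol not in PROTOCOLS:
        raise ValueError(f"protocol must be one of {PROTOCOLS}, got {protocol!r}")
    if action not in ACTIONS:
        raise ValueError(f"action must be one of {ACTIONS}, got {action!r}")
    return Rule(protocol, action, parse_port_range(destination_port))


def rule_matches(rule: Rule, protocol: str, dest_port: Optional[int]) -> bool:
    """A rule matches when its protocol is 'any' or equals the packet's, and
    its port range (if it has one) contains the packet's destination port."""
    if rule.protocol != "any" and rule.protocol != protocol:
        return False
    if rule.dest_ports is None:
        return True
    if dest_port is None:          # e.g. ICMP carries no port to compare
        return False
    low, high = rule.dest_ports
    return low <= dest_port <= high


def evaluate(policy: List[Rule], protocol: str,
             dest_port: Optional[int] = None) -> str:
    """Return 'allow' or 'deny' for one packet. Rules are tried in policy
    order and the first match decides; a packet matching no rule hits the
    deny-all rule FWaaS appends at the lowest precedence of every policy."""
    for rule in policy:
        if rule_matches(rule, protocol, dest_port):
            return rule.action
    return "deny"


def insert_rule(policy: List[Rule], rule: Rule, before_index: int = 0) -> List[Rule]:
    """Return a new policy with the rule placed at the given precedence
    (a local stand-in for the CLI's insert-rule operation)."""
    if not 0 <= before_index <= len(policy):
        raise IndexError(before_index)
    return policy[:before_index] + [rule] + policy[before_index:]


if __name__ == "__main__":
    # Constructed policy: block SSH, then allow every other TCP port.
    policy = [make_rule("tcp", "deny", "22"), make_rule("tcp", "allow")]
    print("tcp/22 :", evaluate(policy, "tcp", 22))      # deny
    print("tcp/443:", evaluate(policy, "tcp", 443))     # allow
    print("udp/53 :", evaluate(policy, "udp", 53))      # deny: no rule, default deny
    # The same two rules in the opposite order: the broad allow shadows the deny.
    print("reversed tcp/22:", evaluate(list(reversed(policy)), "tcp", 22))  # allow
    print("empty policy tcp/80:", evaluate([], "tcp", 80))                   # deny
```

Run the block directly to see the reversed-order case: putting the broad allow first silently neutralises the SSH deny, which is the failure mode the ordering note warns about, and an empty policy denies everything rather than allowing it.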

Allowed-address-pairs

Allowed-address-pairs allow you to specify mac_address/ip_address(cidr) pairs that pass through a port regardless of subnet. This enables the use of protocols such as VRRP, which floats an IP address between two instances to enable fast data plane failover.

Note

The allowed-address-pairs extension is currently only supported by these plug-ins: ML2, Open vSwitch, and VMware NSX.

Basic allowed-address-pairs operations

  • Create a port with a specific allowed-address-pairs:

    $ neutron port-create net1 --allowed-address-pairs type=dict list=true mac_address=<mac_address>,ip_address=<ip_cidr>

  • Update a port, adding allowed-address-pairs:

    $ neutron port-update <port-uuid> --allowed-address-pairs type=dict list=true mac_address=<mac_address>,ip_address=<ip_cidr>

Note

OpenStack Networking prevents setting an allowed-address-pair that matches the mac_address and ip_address of the port itself. Such a pair would have no effect, because traffic matching the port's own mac_address and ip_address is already allowed to pass through the port.
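To make the effect of an allowed-address-pair concrete, the following added example (not OpenStack code) models the per-port source check that allowed-address-pairs relax: a frame may leave a port only if its source MAC/IP is the port's own, or is covered by one of the port's (mac_address, ip_cidr) pairs. It also reproduces the rejection described in the note above, rejecting a pair whose MAC and host address equal the port's own. The Port class, add_allowed_address_pair, pair_is_redundant, frame_permitted and the VRRP scenario in vrrp_demo are all constructed for this illustration; the MAC and IP values are made up.

```python
# Added example, not OpenStack code: a model of the port-level source check
# that allowed-address-pairs relax, plus the "pair duplicates the port's own
# address" rejection from the note above.
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass
class Port:
    mac_address: str
    fixed_ip: str                                   # one IPv4 or IPv6 address
    allowed_address_pairs: List[Tuple[str, Network]] = field(default_factory=list)


def pair_is_redundant(port: Port, ip_cidr: str, mac_address: Optional[str] = None) -> bool:
    """True if the pair is exactly the port's own MAC and fixed IP, the case
    the API rejects because such a pair would change nothing."""
    mac = (mac_address or port.mac_address).lower()
    network = ipaddress.ip_network(ip_cidr, strict=False)
    own_host = ipaddress.ip_network(port.fixed_ip)  # /32 (or /128) of the fixed IP
    return mac == port.mac_address.lower() and network == own_host


def add_allowed_address_pair(port: Port, ip_cidr: str,
                             mac_address: Optional[str] = None) -> None:
    """Model of port-update --allowed-address-pairs. When mac_address is
    omitted the port's own MAC is used, as the Neutron API does."""
    if pair_is_redundant(port, ip_cidr, mac_address):
        raise ValueError("pair duplicates the port's own mac_address/ip_address")
    mac = (mac_address or port.mac_address).lower()
    port.allowed_address_pairs.append((mac, ipaddress.ip_network(ip_cidr, strict=False)))


def frame_permitted(port: Port, src_mac: str, src_ip: str) -> bool:
    """Return True if a frame with this source MAC/IP may leave the port:
    either the port's own identity, or a MAC/CIDR pair that covers it."""
    mac = src_mac.lower()
    ip = ipaddress.ip_address(src_ip)
    if mac == port.mac_address.lower() and ip == ipaddress.ip_address(port.fixed_ip):
        return True
    # `ip in network` is False when the address families differ, so mixing
    # IPv4 pairs and IPv6 frames never grants access by accident.
    return any(mac == pair_mac and ip in pair_net
               for pair_mac, pair_net in port.allowed_address_pairs)


def vrrp_demo() -> Dict[str, object]:
    """Constructed scenario: two instances share the virtual IP 10.0.0.100
    (VRRP style). Without a pair the VIP traffic is dropped at both ports;
    with a /32 pair on each port, either instance may source it."""
    master = Port("fa:16:3e:00:00:01", "10.0.0.11")
    backup = Port("fa:16:3e:00:00:02", "10.0.0.12")
    before = frame_permitted(master, master.mac_address, "10.0.0.100")
    for port in (master, backup):
        add_allowed_address_pair(port, "10.0.0.100/32")   # MAC defaults to the port's own
    after = (frame_permitted(master, master.mac_address, "10.0.0.100"),
             frame_permitted(backup, backup.mac_address, "10.0.0.100"))
    return {"before": before, "after": after}


if __name__ == "__main__":
    print(vrrp_demo())   # {'before': False, 'after': (True, True)}
```

Because the ip_address side of a pair is a CIDR, a broad pair such as 0.0.0.0/0 lets the port source any address at all; restricting pairs to the specific VIP or subnet the instance really needs keeps the port's anti-spoofing protection meaningful.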
