The Firewall-as-a-Service (FWaaS) plug-in adds perimeter firewall management to Networking. FWaaS uses iptables to apply firewall policy to all Networking routers within a project. FWaaS supports one firewall policy and logical firewall instance per project.
Whereas security groups operate at the instance-level, FWaaS operates at the perimeter by filtering traffic at the neutron router.
Note: FWaaS is currently in technical preview; untested operation is not recommended.
The example diagram below illustrates the flow of ingress and egress traffic for the VM2 instance:
Enable FWaaS. Enable the FWaaS plug-in in the neutron.conf file. The service_plugins option belongs in the [DEFAULT] section; the [service_providers] line shown is the load balancer (LBaaS) provider entry that appears in the same file, while the FWaaS driver itself is configured in the [fwaas] section:
service_plugins = neutron.services.firewall.fwaas_plugin.FirewallPlugin

[service_providers]
service_provider = LOADBALANCER:Haproxy:neutron.services.loadbalancer.drivers.haproxy.plugin_driver.HaproxyOnHostPluginDriver:default

[fwaas]
driver = neutron.services.firewall.drivers.linux.iptables_fwaas.IptablesFwaasDriver
enabled = True
Restart neutron-server and the L3 agent (which applies the iptables rules on the routers) after changing these settings.
FWaaS management options are available in the OpenStack dashboard. Enable the option in the local_settings.py file, typically located on the controller node at:
/usr/share/openstack-dashboard/openstack_dashboard/local/local_settings.py
The setting is a key inside the existing OPENSTACK_NEUTRON_NETWORK dictionary in that file (a dictionary entry with a colon, not an assignment):
OPENSTACK_NEUTRON_NETWORK = {
    # ... other keys ...
    'enable_firewall': True,
}
Restart the web server (apache2 or httpd) so the dashboard picks up the change.
Procedure 7.1. Configure Firewall-as-a-Service
First create the firewall rules and create a policy that contains them, then create a firewall that applies the policy:
Create a firewall rule:
$ neutron firewall-rule-create --protocol <tcp|udp|icmp|any> --destination-port <port-range> --action <allow|deny>
The CLI requires a protocol value; if the rule is protocol agnostic, the 'any' value can be used.
Create a firewall policy:
$ neutron firewall-policy-create --firewall-rules "<firewall-rule IDs or names separated by space>" myfirewallpolicy
The order of the rules specified above is important. You can create a firewall policy without any rules and add rules later, either with the update operation (when adding multiple rules) or with the insert-rule operation (when adding a single rule). See the CLI Reference for more details on these operations.
Note: FWaaS always adds a default deny all rule at the lowest precedence of each policy. Consequently, a firewall policy with no rules blocks all traffic by default.
Create a firewall:
$ neutron firewall-create <firewall-policy-uuid>
Note The firewall remains in PENDING_CREATE state until a Networking router is created, and an interface is attached.
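The procedure above creates the objects; the security-relevant behaviour is in how the policy is evaluated once the firewall is active. Rules fire in policy order, the first match decides, and the implicit deny all catches everything else, so a broad allow placed before a narrower deny silently shadows it. The following Python model is an added example and not neutron's code: it assumes first-match semantics, the CLI's "port" or "low:high" port-range syntax, and uses constructed rule names that do not appear on this page.

```python
"""Added example: a simplified model of how an FWaaS policy is evaluated.

Not neutron code. It models the behaviour described in the text: rules are
evaluated in policy order, the first matching rule decides, and an implicit
"deny all" sits at the lowest precedence of every policy.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

PortRange = Optional[Tuple[int, int]]   # inclusive range; None means any port


@dataclass(frozen=True)
class FirewallRule:
    name: str
    protocol: str                 # "tcp", "udp", "icmp" or "any", as on the CLI
    action: str                   # "allow" or "deny"
    destination_port: PortRange = None


def parse_port_range(spec: Optional[str]) -> PortRange:
    """Parse the CLI's --destination-port syntax: '22' or '8000:8080'."""
    if not spec:
        return None
    low, _, high = spec.partition(":")
    low_i = int(low)
    high_i = int(high) if high else low_i
    if not (0 < low_i <= high_i <= 65535):
        raise ValueError(f"bad port range: {spec!r}")
    return (low_i, high_i)


def rule_matches(rule: FirewallRule, protocol: str, dport: Optional[int]) -> bool:
    """Does this rule match a packet with the given protocol and destination port?"""
    if rule.protocol != "any" and rule.protocol != protocol:
        return False
    if rule.destination_port is not None:
        if dport is None:                      # e.g. ICMP carries no port
            return False
        low, high = rule.destination_port
        if not low <= dport <= high:
            return False
    return True


def evaluate(policy: List[FirewallRule], protocol: str,
             dport: Optional[int] = None) -> Tuple[str, str]:
    """Return (action, rule name): first match wins, otherwise the default deny."""
    for rule in policy:
        if rule_matches(rule, protocol, dport):
            return rule.action, rule.name
    return "deny", "<default deny all>"


def insert_rule(policy: List[FirewallRule], rule: FirewallRule,
                insert_before: Optional[str] = None) -> List[FirewallRule]:
    """Model of firewall-policy-insert-rule: position in the policy matters."""
    names = [r.name for r in policy]
    idx = names.index(insert_before) if insert_before else len(policy)
    return policy[:idx] + [rule] + policy[idx:]


def covers(a: FirewallRule, b: FirewallRule) -> bool:
    """True if every packet that matches b also matches a."""
    if a.protocol not in ("any", b.protocol):
        return False
    if a.destination_port is None:
        return True
    if b.destination_port is None:
        return False
    return (a.destination_port[0] <= b.destination_port[0]
            and b.destination_port[1] <= a.destination_port[1])


def shadowed_rules(policy: List[FirewallRule]) -> List[str]:
    """Names of rules that can never fire because an earlier rule covers them."""
    return [b.name for i, b in enumerate(policy)
            if any(covers(a, b) for a in policy[:i])]


# Constructed sample rules (hypothetical names, not from the page).
ALLOW_WEB = FirewallRule("allow-web", "tcp", "allow", parse_port_range("80"))
ALLOW_TCP = FirewallRule("allow-all-tcp", "tcp", "allow", None)
DENY_SSH = FirewallRule("deny-ssh", "tcp", "deny", parse_port_range("22"))

# The same two rules in different order: the verdict for tcp/22 flips.
SHADOWED = [ALLOW_TCP, DENY_SSH]       # deny-ssh can never match
EFFECTIVE = [DENY_SSH, ALLOW_TCP]      # deny-ssh is evaluated first

if __name__ == "__main__":
    for name, policy in (("shadowed", SHADOWED), ("effective", EFFECTIVE), ("empty", [])):
        print(name, "tcp/22 ->", evaluate(policy, "tcp", 22),
              "shadowed:", shadowed_rules(policy))
```

Run shadowed_rules over a policy before creating the firewall; if it reports anything, reorder with neutron firewall-policy-insert-rule and its --insert-before option rather than appending, since an appended rule lands just above the default deny.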
Allowed-address-pairs.
Allowed-address-pairs allow you to specify mac_address/ip_address(cidr) pairs that pass through a port regardless of subnet. This enables the use of protocols such as VRRP, which floats an IP address between two instances to enable fast data plane failover. Each pair relaxes the port-level anti-spoofing rules that otherwise restrict a port to its own MAC address and fixed IP addresses, so grant only the addresses the instance legitimately needs to send from.
Note: The allowed-address-pairs extension is currently only supported by these plug-ins: ML2, Open vSwitch, and VMware NSX.
Basic allowed-address-pairs operations.
Create a port with a specific allowed-address-pairs:
$ neutron port-create net1 --allowed-address-pairs type=dict list=true mac_address=<mac_address>,ip_address=<ip_cidr>
Update a port adding allowed-address-pairs:
$ neutron port-update <port-uuid> --allowed-address-pairs type=dict list=true mac_address=<mac_address>,ip_address=<ip_cidr>
Note: OpenStack Networking prevents setting an allowed-address-pair that matches the mac_address and ip_address of a port, because it would have no effect: traffic matching the port's own mac_address and ip_address is already allowed to pass through the port.