{"id":215,"date":"2017-02-24T01:27:27","date_gmt":"2017-02-24T00:27:27","guid":{"rendered":"http:\/\/hentati.org\/?p=215"},"modified":"2020-12-06T20:53:19","modified_gmt":"2020-12-06T19:53:19","slug":"configure-firewall-as-a-service-fwaas","status":"publish","type":"post","link":"https:\/\/hentati.org\/index.php\/2017\/02\/24\/configure-firewall-as-a-service-fwaas\/","title":{"rendered":"Configure FIREWALL-AS-A-SERVICE (FWAAS)"},"content":{"rendered":"

The Firewall-as-a-Service (FWaaS) plug-in adds perimeter firewall management to OpenStack Networking (neutron). FWaaS uses iptables to apply firewall policy to all virtual routers within a project, and supports one firewall policy and logical firewall instance per project.<\/span><\/p>\n

FWaaS operates at the perimeter by filtering traffic at the OpenStack Networking (neutron) router. This distinguishes it from security groups, which operate at the instance level.<\/span><\/p>\n

NOTE<\/strong><\/span>
\nFWaaS is currently in technical preview; untested operation is not recommended.<\/span><\/p>\n

The example diagram below illustrates the flow of ingress and egress traffic for the VM2 instance:<\/span><\/p>\n

\"\"<\/span><\/p>\n

Figure 1. FWaaS architecture<\/em><\/span><\/p>\n

 <\/p>\n

I-Enable FWaaS<\/strong><\/span><\/h3>\n
    \n
  1. Install the FWaaS packages:<\/span><\/li>\n<\/ol>\n
    # yum install openstack-neutron-fwaas python-neutron-fwaas<\/span><\/pre>\n
      \n
    1. Enable the FWaaS plugin in the\u00a0neutron.conffile:<\/span><\/li>\n<\/ol>\n
      service_plugins = neutron.services.firewall.fwaas_plugin.FirewallPlugin<\/span><\/pre>\n
        \n
      1. Configure FWaaS in the\u00a0fwaas_driver.inifile:<\/span><\/li>\n<\/ol>\n
        [fwaas]<\/span>\r\n\r\ndriver = neutron.services.firewall.drivers.linux.iptables_fwaas.IptablesFwaasDriver<\/span>\r\n\r\nenabled = True<\/span>\r\n\r\n[service_providers]<\/span>\r\n\r\nservice_provider = LOADBALANCER:Haproxy:neutron_lbaas.services.loadbalancer.drivers.haproxy.plugin_driver.HaproxyOnHostPluginDriver:default<\/span><\/pre>\n
          \n
        1. FWaaS management options are available in OpenStack dashboard. Enable this option in the\u00a0local_settings.pyfile, usually located on the Controller node:<\/span><\/li>\n<\/ol>\n
          \/usr\/share\/openstack-dashboard\/openstack_dashboard\/local\/local_settings.py<\/span>\r\n\r\n'enable_firewall' = True<\/span><\/pre>\n
            \n
          1. Restart\u00a0neutron-serverto apply the changes.<\/span><\/li>\n<\/ol>\n
            # systemctl restart neutron-server<\/span><\/pre>\n
             <\/p>\n
            II-Configure FWaaS<\/strong><\/span><\/h3>\n
            First create the firewall rules and create a policy to contain them, then create a firewall and apply the policy:<\/span><\/p>\n
              \n
            1. Create a firewall rule:<\/span><\/li>\n<\/ol>\n
              $ neutron firewall-rule-create --protocol <tcp|udp|icmp|any> --destination-port <port-range> --action <allow|deny><\/span><\/pre>\n
              The CLI requires a protocol value; if the rule is protocol agnostic, the\u00a0any<\/em>\u00a0value can be used.<\/span><\/p>\n
                \n
              1. Create a firewall policy:<\/span><\/li>\n<\/ol>\n
                $ neutron firewall-policy-create --firewall-rules \"<firewall-rule IDs or names separated by space>\" myfirewallpolicy<\/span><\/pre>\n
                The order of the rules specified above is important. You can create an empty firewall policy and add rules later, either with the update operation (when adding multiple rules) or with the insert-rule operations (when adding a single rule).<\/span><\/p>\n
                Note:<\/strong>\u00a0FWaaS always adds a default deny all rule at the lowest precedence of each policy. Consequently, a firewall policy with no rules blocks all traffic by default.<\/span><\/p>\n
                 <\/p>\n
                III-Create a firewall<\/strong><\/span><\/h3>\n
                $ neutron firewall-create <firewall-policy-uuid><\/span><\/pre>\n
                The firewall remains in PENDING_CREATE state until an OpenStack Networking router is created, and an interface is attached.<\/span><\/p>\n
                 <\/p>\n
                IV-Allowed-address-pairs<\/strong><\/span><\/h3>\n
                Allowed-address-pairs allow you to specify mac_address\/ip_address (CIDR) pairs that pass through a port regardless of subnet. This enables the use of protocols such as VRRP, which floats an IP address between two instances to enable fast data plane failover.<\/span><\/p>\n
                NOTE<\/strong><\/span><\/p>\n
                The allowed-address-pairs extension is currently only supported by these plug-ins: ML2, Open vSwitch, and VMware NSX.<\/span><\/p>\n
                  \n
                1. Basic allowed-address-pairs operations<\/span><\/li>\n<\/ol>\n
                  Create a port with a specific allowed-address-pairs:<\/span><\/p>\n
                  # neutron port-create net1 --allowed-address-pairs type=dict list=true mac_address=<mac_address>,ip_address=<ip_cidr><\/span><\/pre>\n
                    \n
                  1. Adding allowed-address-pairs<\/span><\/li>\n<\/ol>\n
                    # neutron port-update <port-uuid> --allowed-address-pairs type=dict list=true mac_address=<mac_address>,ip_address=<ip_cidr><\/span><\/pre>\n
                    NOTE<\/strong><\/span><\/p>\n
                    OpenStack Networking prevents setting an allowed-address-pair that matches the\u00a0mac_address<\/strong>\u00a0and\u00a0ip_address<\/strong>\u00a0of a port. This is because such a setting would have no effect since traffic matching the\u00a0mac_address<\/strong>\u00a0and\u00a0ip_address<\/strong>\u00a0is already allowed to pass through the port.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"
                    The Firewall-as-a-Service (FWaaS) plug-in adds perimeter firewall management to OpenStack Networking (neutron). FWaaS uses iptables to apply firewall policy to all virtual routers within a project, and supports one firewall …<\/p>\n","protected":false},"author":1,"featured_media":224,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[8,6],"tags":[],"_links":{"self":[{"href":"https:\/\/hentati.org\/index.php\/wp-json\/wp\/v2\/posts\/215"}],"collection":[{"href":"https:\/\/hentati.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/hentati.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/hentati.org\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/hentati.org\/index.php\/wp-json\/wp\/v2\/comments?post=215"}],"version-history":[{"count":9,"href":"https:\/\/hentati.org\/index.php\/wp-json\/wp\/v2\/posts\/215\/revisions"}],"predecessor-version":[{"id":649,"href":"https:\/\/hentati.org\/index.php\/wp-json\/wp\/v2\/posts\/215\/revisions\/649"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/hentati.org\/index.php\/wp-json\/wp\/v2\/media\/224"}],"wp:attachment":[{"href":"https:\/\/hentati.org\/index.php\/wp-json\/wp\/v2\/media?parent=215"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/hentati.org\/index.php\/wp-json\/wp\/v2\/categories?post=215"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/hentati.org\/index.php\/wp-json\/wp\/v2\/tags?post=215"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}