path: root/doc/source/admin/fwaas-v2-scenario.rst
blob: bab66ae64c8c7e8e5483d5c577e4ea58b3a2fa17 (plain)
Firewall-as-a-Service (FWaaS) v2 scenario
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. note::

   Firewall v2 has no support for OVN currently.

Enable FWaaS v2
---------------

#. Enable the FWaaS plug-in in the ``/etc/neutron/neutron.conf`` file:

   .. code-block:: ini

      service_plugins = firewall_v2

      [service_providers]
      # ...
      service_provider = FIREWALL_V2:fwaas_db:neutron_fwaas.services.firewall.service_drivers.agents.agents.FirewallAgentDriver:default

      [fwaas]
      agent_version = v2
      driver = neutron_fwaas.services.firewall.service_drivers.agents.drivers.linux.iptables_fwaas_v2.IptablesFwaasDriver
      enabled = True

   .. note::

      On Ubuntu and CentOS, modify the ``[fwaas]`` section in the
      ``/etc/neutron/fwaas_driver.ini`` file instead of
      ``/etc/neutron/neutron.conf``.

#. Configure the FWaaS plugin for the L3 agent.

   In the ``AGENT`` section of ``l3_agent.ini``, make sure the FWaaS v2
   extension is loaded:

   .. code-block:: ini

      [AGENT]
      extensions = fwaas_v2

#. Configure the ML2 plugin agent extension.

   Add the following statements to ``ml2_conf.ini``. This file is usually
   located at ``/etc/neutron/plugins/ml2/ml2_conf.ini``:

   .. code-block:: ini

      [agent]
      extensions = fwaas_v2

      [fwaas]
      firewall_l2_driver = noop

#. Create the required tables in the database:

   .. code-block:: console

      # neutron-db-manage --subproject neutron-fwaas upgrade head

#. Restart the ``neutron-l3-agent``, ``neutron-openvswitch-agent`` and
   ``neutron-server`` services to apply the settings.

Configure Firewall-as-a-Service v2
----------------------------------

Create the firewall rules and create a policy that contains them.
Then, create a firewall that applies the policy.

#. Create a firewall rule:

   .. code-block:: console

      $ openstack firewall group rule create --protocol {tcp,udp,icmp,any} \
        --source-ip-address SOURCE_IP_ADDRESS \
        --destination-ip-address DESTINATION_IP_ADDRESS \
        --source-port SOURCE_PORT_RANGE --destination-port DEST_PORT_RANGE \
        --action {allow,deny,reject}

   The Networking client requires a protocol value.  If the rule is protocol
   agnostic, you can use the ``any`` value.

   .. note::

      When the source and destination IP addresses are not of the same IP
      version (for example, one IPv4 and one IPv6), the command returns an
      error.

#. Create a firewall policy:

   .. code-block:: console

      $ openstack firewall group policy create --firewall-rule \
        "FIREWALL_RULE_IDS_OR_NAMES" myfirewallpolicy

   Separate firewall rule IDs or names with spaces. The order in which you
   specify the rules is important.

   You can create a firewall policy without any rules and add rules later,
   as follows:

   * To add multiple rules, use the update operation.

   * To add a single rule, use the insert-rule operation.

   For more details, see `Networking command-line client
   <https://docs.openstack.org/cli-reference/neutron.html>`_
   in the OpenStack Command-Line Interface Reference.

   .. note::

      FWaaS always adds a default ``deny all`` rule at the lowest precedence
      of each policy. Consequently, a firewall policy with no rules blocks
      all traffic by default.

#. Create a firewall group:

   .. code-block:: console

      $ openstack firewall group create --ingress-firewall-policy \
        "FIREWALL_POLICY_IDS_OR_NAMES" --egress-firewall-policy \
        "FIREWALL_POLICY_IDS_OR_NAMES" --port "PORT_IDS_OR_NAMES"

   Separate firewall policy IDs or names with spaces. The direction in which you
   specify the policies is important.

   .. note::

      The firewall remains in the ``PENDING_CREATE`` state until you create a
      Networking router and attach an interface to it.
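The rule-ordering and default-deny behaviour described above (first matching rule wins, and FWaaS appends a ``deny all`` at the lowest precedence of every policy) is easy to get wrong when writing rules. The following model is an added example, not code from neutron-fwaas; it assumes a simplified rule format (an inclusive ``(low, high)`` destination-port tuple) and uses constructed sample addresses, and it also reproduces the client's check that source and destination must share an IP version.

```python
import ipaddress

PROTOCOLS = ("tcp", "udp", "icmp", "any")   # the CLI requires one of these
ACTIONS = ("allow", "deny", "reject")

def ip_versions_match(source, destination):
    """Same check the client applies: both addresses IPv4, or both IPv6."""
    if source is None or destination is None:
        return True
    return ipaddress.ip_network(source).version == ipaddress.ip_network(destination).version

def make_rule(protocol, action, source=None, destination=None, dest_port=None):
    """Build one rule; dest_port is an inclusive (low, high) tuple (hypothetical format)."""
    if protocol not in PROTOCOLS or action not in ACTIONS:
        raise ValueError("protocol and action are required")
    if not ip_versions_match(source, destination):
        raise ValueError("source and destination must be the same IP version")
    return {"protocol": protocol, "action": action,
            "source": ipaddress.ip_network(source) if source else None,
            "destination": ipaddress.ip_network(destination) if destination else None,
            "dest_port": dest_port}

def rule_matches(rule, packet):
    """packet: dict with protocol, src, dst and (for tcp/udp) dport."""
    if rule["protocol"] != "any" and rule["protocol"] != packet["protocol"]:
        return False
    if rule["source"] and ipaddress.ip_address(packet["src"]) not in rule["source"]:
        return False
    if rule["destination"] and ipaddress.ip_address(packet["dst"]) not in rule["destination"]:
        return False
    if rule["dest_port"] is not None:
        low, high = rule["dest_port"]
        if not low <= packet.get("dport", -1) <= high:
            return False
    return True

def evaluate(policy, packet):
    """First matching rule wins; the implicit deny-all has the lowest precedence."""
    for rule in policy:
        if rule_matches(rule, packet):
            return rule["action"]
    return "deny"  # FWaaS appends this to every policy, so an empty policy blocks everything

# Constructed sample policy: SSH only from a management range, HTTPS from anywhere;
# everything else (including ICMP) falls through to the implicit deny.
INGRESS_POLICY = [
    make_rule("tcp", "allow", source="10.0.0.0/24", dest_port=(22, 22)),
    make_rule("tcp", "allow", dest_port=(443, 443)),
]
```

Swapping the order of a narrow ``deny`` and a broad ``allow`` in a policy changes the result for the same packet, which is why the order of ``--firewall-rule`` arguments matters.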