neutron/doc/source/admin/fwaas-v1-scenario.rst

Firewall-as-a-Service (FWaaS) v1 scenario

Enable FWaaS v1

FWaaS management options are also available in the Dashboard.

1. Enable the FWaaS plug-in in the /etc/neutron/neutron.conf file:

   service_plugins = firewall
   
   [service_providers]
   # ...
   service_provider = FIREWALL:Iptables:neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver:default
   
   [fwaas]
   driver = neutron_fwaas.services.firewall.drivers.linux.iptables_fwaas.IptablesFwaasDriver
   enabled = True

   Note

   On Ubuntu, modify the [fwaas] section in the /etc/neutron/fwaas_driver.ini file instead of /etc/neutron/neutron.conf.

2. Configure the FWaaS plugin for the L3 agent.

   In the AGENT section of l3_agent.ini, make sure the FWaaS extension is loaded:

   [AGENT]
   extensions = fwaas

   Edit the FWaaS section in the /etc/neutron/neutron.conf file to indicate the agent version and driver:

   [fwaas]
   agent_version = v1
   driver = iptables
   enabled = True
   conntrack_driver = conntrack

3. Create the required tables in the database:

   # neutron-db-manage --subproject neutron-fwaas upgrade head

4. Enable the option in the local_settings.py file, which is typically located on the controller node:

   OPENSTACK_NEUTRON_NETWORK = {
       # ...
       'enable_firewall' = True,
       # ...
   }

   Note

   By default, enable_firewall option value is True in local_settings.py file.

   Apply the settings by restarting the web server.

5. Restart the neutron-l3-agent and neutron-server services to apply the settings.

Configure Firewall-as-a-Service v1

Create the firewall rules and create a policy that contains them. Then, create a firewall that applies the policy.

1. Create a firewall rule:

   $ neutron firewall-rule-create --protocol {tcp,udp,icmp,any} \
     --source-ip-address SOURCE_IP_ADDRESS \
     --destination-ip-address DESTINATION_IP_ADDRESS \
     --source-port SOURCE_PORT_RANGE --destination-port DEST_PORT_RANGE \
     --action {allow,deny,reject}

   The Networking client requires a protocol value. If the rule is protocol agnostic, you can use the any value.

   Note

   When the source or destination IP address are not of the same IP version (for example, IPv6), the command returns an error.

2. Create a firewall policy:

   $ neutron firewall-policy-create --firewall-rules \
     "FIREWALL_RULE_IDS_OR_NAMES" myfirewallpolicy

   Separate firewall rule IDs or names with spaces. The order in which you specify the rules is important.

   You can create a firewall policy without any rules and add rules later, as follows:

   • To add multiple rules, use the update operation.
   • To add a single rule, use the insert-rule operation.

   For more details, see Networking command-line client in the OpenStack Command-Line Interface Reference.

   Note

   FWaaS always adds a default deny all rule at the lowest precedence of each policy. Consequently, a firewall policy with no rules blocks all traffic by default.

3. Create a firewall:

   $ neutron firewall-create FIREWALL_POLICY_UUID

   Note

   The firewall remains in PENDING_CREATE state until you create a Networking router and attach an interface to it.