Firewall-as-a-Service (FWaaS) v2 scenario
Note
Firewall v2 has no support for OVN currently.
Installation of FWaaS v2
If possible, you should rely on the packages provided by your Linux and/or OpenStack distribution:
- For example, on Ubuntu you can install the neutron-fwaas-common package provided by Canonical.
Warning
Always check the version of the available package against the releases listed on https://releases.openstack.org/
If you use pip, follow these steps to install neutron-fwaas:
- Identify the version of the neutron-fwaas package that matches your OpenStack version:
  - 2023.1 Antelope: latest 18.0.x version
  - Zed: latest 17.0.x version
- Tell pip to (a) install precisely this version and (b) take into account the OpenStack upper constraints on package versions for dependencies (example for Antelope):
pip install -c https://opendev.org/openstack/requirements/raw/branch/stable/2023.1/upper-constraints.txt neutron-fwaas==18.0.0
Enable FWaaS v2
Enable the FWaaS plug-in in the /etc/neutron/neutron.conf file:
service_plugins = firewall_v2

[service_providers]
# ...
service_provider = FIREWALL_V2:fwaas_db:neutron_fwaas.services.firewall.service_drivers.agents.agents.FirewallAgentDriver:default

[fwaas]
agent_version = v2
driver = neutron_fwaas.services.firewall.service_drivers.agents.drivers.linux.iptables_fwaas_v2.IptablesFwaasDriver
enabled = True
Note
On Ubuntu and CentOS, modify the [fwaas] section in the /etc/neutron/fwaas_driver.ini file instead of /etc/neutron/neutron.conf.
Configure the FWaaS plugin for the L3 agent.
In the AGENT section of l3_agent.ini, make sure the FWaaS v2 extension is loaded:
[AGENT]
extensions = fwaas_v2
Configure the ML2 plugin agent extension.
Add the following statements to ml2_conf.ini; this file is usually located at /etc/neutron/plugins/ml2/ml2_conf.ini:
[agent]
extensions = fwaas_v2

[fwaas]
firewall_l2_driver = noop
Create the required tables in the database:
# neutron-db-manage --subproject neutron-fwaas upgrade head
Restart the neutron-l3-agent, neutron-openvswitch-agent and neutron-server services to apply the settings.
Configure Firewall-as-a-Service v2
Create the firewall rules and create a policy that contains them. Then, create a firewall that applies the policy.
Create a firewall rule:
$ openstack firewall group rule create --protocol {tcp,udp,icmp,any} \
    --source-ip-address SOURCE_IP_ADDRESS \
    --destination-ip-address DESTINATION_IP_ADDRESS \
    --source-port SOURCE_PORT_RANGE --destination-port DEST_PORT_RANGE \
    --action {allow,deny,reject}
The Networking client requires a protocol value. If the rule is protocol agnostic, you can use the any value.
Note
When the source and destination IP addresses are not of the same IP version (for example, an IPv4 source with an IPv6 destination), the command returns an error.
Create a firewall policy:
$ openstack firewall group policy create --firewall-rule \
    "FIREWALL_RULE_IDS_OR_NAMES" myfirewallpolicy
Separate firewall rule IDs or names with spaces. The order in which you specify the rules is important.
You can create a firewall policy without any rules and add rules later, as follows:
- To add multiple rules, use the update operation.
- To add a single rule, use the insert-rule operation.
For more details, see Networking command-line client in the OpenStack Command-Line Interface Reference.
Note
FWaaS always adds a default deny all rule at the lowest precedence of each policy. Consequently, a firewall policy with no rules blocks all traffic by default.
Create a firewall group:
$ openstack firewall group create --ingress-firewall-policy \
    "FIREWALL_POLICY_IDS_OR_NAMES" --egress-firewall-policy \
    "FIREWALL_POLICY_IDS_OR_NAMES" --port "PORT_IDS_OR_NAMES"
Separate firewall policy IDs or names with spaces. The direction in which you specify the policies is important.
Note
The firewall remains in PENDING_CREATE state until you create a Networking router and attach an interface to it.
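The ordering and implicit-deny semantics described above can be checked before a policy is pushed to the L3 agent. The following is an added illustration, not neutron-fwaas code: a small model of first-match evaluation with the trailing deny-all, plus the same-IP-version check the rule command enforces, run over a constructed two-rule policy and constructed packets.

```python
import ipaddress

# Constructed model of FWaaS v2 policy evaluation (added example, not neutron-fwaas
# code): rules are checked in policy order, first match wins, implicit deny last.
IMPLICIT_DENY = "deny"

def parse_port_range(spec):
    """'22' -> (22, 22); '1000:2000' -> (1000, 2000); None -> any port."""
    if spec is None:
        return None
    lo, _, hi = str(spec).partition(":")
    return (int(lo), int(hi or lo))

def make_rule(action, protocol="any", source=None, destination=None, dest_port=None):
    """Build a rule; mixed IP versions are rejected, as the CLI does."""
    src = ipaddress.ip_network(source) if source else None
    dst = ipaddress.ip_network(destination) if destination else None
    if src is not None and dst is not None and src.version != dst.version:
        raise ValueError("source and destination must be the same IP version")
    return {"action": action, "protocol": protocol, "src": src, "dst": dst,
            "dport": parse_port_range(dest_port)}

def rule_matches(rule, pkt):
    """pkt is a dict with protocol, src, dst and (optionally) dport."""
    if rule["protocol"] != "any" and rule["protocol"] != pkt["protocol"]:
        return False
    if rule["src"] is not None and ipaddress.ip_address(pkt["src"]) not in rule["src"]:
        return False
    if rule["dst"] is not None and ipaddress.ip_address(pkt["dst"]) not in rule["dst"]:
        return False
    if rule["dport"]:
        lo, hi = rule["dport"]
        if pkt.get("dport") is None or not lo <= pkt["dport"] <= hi:
            return False
    return True

def evaluate(policy, pkt):
    """Return (action, index of matching rule); index None means the implicit deny hit."""
    for i, rule in enumerate(policy):
        if rule_matches(rule, pkt):
            return rule["action"], i
    return IMPLICIT_DENY, None

# Constructed sample: allow SSH from the management subnet, deny all other TCP.
POLICY = [
    make_rule("allow", "tcp", source="10.0.0.0/24", dest_port="22"),
    make_rule("deny", "tcp"),
]
SSH_PKT = {"protocol": "tcp", "src": "10.0.0.5", "dst": "192.168.1.10", "dport": 22}
ICMP_PKT = {"protocol": "icmp", "src": "10.0.0.5", "dst": "192.168.1.10"}
```

Evaluating SSH_PKT against POLICY returns ("allow", 0); against the reversed list it returns ("deny", 0), which is why the order passed to --firewall-rule matters. ICMP_PKT matches no rule and falls to the implicit deny.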