neutron/doc/source/admin/fwaas-v1-scenario.rst
miaoyuliang e5e82f4754 Fix fwaas v1 configuration doc
Modify the fwaas v1 config about  driver

Change-Id: Id6821174a15838713435a499a258f6d37a9cad2a
Closes-Bug: #1777547
(cherry picked from commit fe4bec7991)
2018-07-20 10:49:12 +00:00

3.6 KiB

Firewall-as-a-Service (FWaaS) v1 scenario

Enable FWaaS v1

FWaaS management options are also available in the Dashboard.

  1. Enable the FWaaS plug-in in the /etc/neutron/neutron.conf file:

    service_plugins = firewall
    
    [service_providers]
    # ...
    service_provider = FIREWALL:Iptables:neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver:default
    
    [fwaas]
    driver = iptables
    enabled = True

    Note

    On Ubuntu, modify the [fwaas] section in the /etc/neutron/fwaas_driver.ini file instead of /etc/neutron/neutron.conf.

  2. Configure the FWaaS plugin for the L3 agent.

    In the AGENT section of l3_agent.ini, make sure the FWaaS extension is loaded:

    [AGENT]
    extensions = fwaas

    Edit the FWaaS section in the /etc/neutron/neutron.conf file to indicate the agent version and driver:

    [fwaas]
    agent_version = v1
    driver = iptables
    enabled = True
    conntrack_driver = conntrack
  3. Create the required tables in the database:

    # neutron-db-manage --subproject neutron-fwaas upgrade head
  4. Enable the option in the local_settings.py file, which is typically located on the controller node:

    OPENSTACK_NEUTRON_NETWORK = {
        # ...
        'enable_firewall' = True,
        # ...
    }

    Note

    By default, enable_firewall option value is True in local_settings.py file.

    Apply the settings by restarting the web server.

  5. Restart the neutron-l3-agent and neutron-server services to apply the settings.

Configure Firewall-as-a-Service v1

Create the firewall rules and create a policy that contains them. Then, create a firewall that applies the policy.

  1. Create a firewall rule:

    $ neutron firewall-rule-create --protocol {tcp,udp,icmp,any} \
      --source-ip-address SOURCE_IP_ADDRESS \
      --destination-ip-address DESTINATION_IP_ADDRESS \
      --source-port SOURCE_PORT_RANGE --destination-port DEST_PORT_RANGE \
      --action {allow,deny,reject}

    The Networking client requires a protocol value. If the rule is protocol agnostic, you can use the any value.

    Note

    When the source or destination IP address are not of the same IP version (for example, IPv6), the command returns an error.

  2. Create a firewall policy:

    $ neutron firewall-policy-create --firewall-rules \
      "FIREWALL_RULE_IDS_OR_NAMES" myfirewallpolicy

    Separate firewall rule IDs or names with spaces. The order in which you specify the rules is important.

    You can create a firewall policy without any rules and add rules later, as follows:

    • To add multiple rules, use the update operation.
    • To add a single rule, use the insert-rule operation.

    For more details, see Networking command-line client in the OpenStack Command-Line Interface Reference.

    Note

    FWaaS always adds a default deny all rule at the lowest precedence of each policy. Consequently, a firewall policy with no rules blocks all traffic by default.

  3. Create a firewall:

    $ neutron firewall-create FIREWALL_POLICY_UUID

    Note

    The firewall remains in PENDING_CREATE state until you create a Networking router and attach an interface to it.