Red Hat Summit Red Hat SummitSupportConsoleDéveloppeursCommencer un essaiContact

Ce contenu n'est pas disponible dans la langue sélectionnée.

Chapter 18. Configuring Firewall-as-a-Service (FWaaS)

18.1. Overview of firewall-as-a-service (FWaaS)
Copier lien

The Firewall-as-a-Service (FWaaS) plug-in adds perimeter firewall management to OpenStack Networking (neutron). FWaaS uses iptables to apply firewall policy to all virtual routers within a project, and supports one firewall policy and logical firewall instance for each project.

FWaaS operates at the perimeter by filtering traffic at the OpenStack Networking (neutron) router. This distinguishes FWaaS from security groups, which operate at the instance level.

Note

FWaaS is currently in Technology Preview; untested operation is not recommended. FWaaS is not available in future releases.

The following example diagram illustrates the flow of ingress and egress traffic for the VM2 instance:

fwaas
View larger image
fwaas

Figure 1. FWaaS architecture

18.2. Enabling firewall-as-a-service (FWaaS)
Copier lien

  1. Install the FWaaS packages: 

    # dnf install openstack-neutron-fwaas python-neutron-fwaas
    Copy to Clipboard Toggle word wrap

  2. Enable the FWaaS plugin in the /var/lib/config-data/neutron/etc/neutron/neutron.conf file: 

    service_plugins = neutron.services.firewall.fwaas_plugin.FirewallPlugin
    Copy to Clipboard Toggle word wrap

  3. Configure FWaaS in the fwaas_driver.ini file: 

    [fwaas]
driver = neutron.services.firewall.drivers.linux.iptables_fwaas.IptablesFwaasDriver
enabled = True

[service_providers]
service_provider = LOADBALANCER:Haproxy:neutron_lbaas.services.loadbalancer.drivers.haproxy.plugin_driver.HaproxyOnHostPluginDriver:default
    Copy to Clipboard Toggle word wrap

  4. Enable the FWaaS dashboard management option in the local_settings.py file, usually located on the Controller node: 

    /usr/share/openstack-dashboard/openstack_dashboard/local/local_settings.py
'enable_firewall' = True
    Copy to Clipboard Toggle word wrap

  5. Restart neutron-server to apply the changes. 

    # systemctl restart neutron-server
    Copy to Clipboard Toggle word wrap

18.3. Configuring firewall-as-a-service (FWaaS)
Copier lien

First, create the firewall rules and create a policy to contain them, then create a firewall and apply the policy:

  1. Create a firewall rule: 

    $ neutron firewall-rule-create --protocol <tcp|udp|icmp|any> --destination-port <port-range> --action <allow|deny>
    Copy to Clipboard Toggle word wrap

    The CLI requires a protocol value. If the rule is protocol agnostic, you can use the value any.

  2. Create a firewall policy: 

    $ neutron firewall-policy-create --firewall-rules "<firewall-rule IDs or names separated by space>" myfirewallpolicy
    Copy to Clipboard Toggle word wrap

    The order of the rules that you specify in the neutron firewall-policy-create command is important. You can create an empty firewall policy and add rules later, either with the update operation (when adding multiple rules) or with the insert-rule operations (when adding a single rule).

Note

FWaaS always adds a default deny all rule at the lowest precedence of each policy. Consequently, a firewall policy with no rules blocks all traffic by default.

18.4. Creating firewalls
Copier lien

  • Use the openstack security group create command, to create a firewall: 

    $ openstack security group create <firewall-policy-uuid>
    Copy to Clipboard Toggle word wrap

The firewall remains in PENDING_CREATE state until you create an OpenStack Networking router and attach an interface.

Retour au début
Red Hat logoGithubredditYoutubeTwitter

Apprendre

Essayez, achetez et vendez

Communautés

À propos de la documentation Red Hat

Nous aidons les utilisateurs de Red Hat à innover et à atteindre leurs objectifs grâce à nos produits et services avec un contenu auquel ils peuvent faire confiance. Découvrez nos récentes mises à jour.

Rendre l’open source plus inclusif

Red Hat s'engage à remplacer le langage problématique dans notre code, notre documentation et nos propriétés Web. Pour plus de détails, consultez le Blog Red Hat.

À propos de Red Hat

Nous proposons des solutions renforcées qui facilitent le travail des entreprises sur plusieurs plates-formes et environnements, du centre de données central à la périphérie du réseau.

Theme

© 2025 Red Hat