Chapter 19. Configure Firewall-as-a-Service (FWaaS)

1. Install the FWaaS packages:

# yum install openstack-neutron-fwaas python-neutron-fwaas

2. Enable the FWaaS plugin in the neutron.conf file:

service_plugins = neutron.services.firewall.fwaas_plugin.FirewallPlugin

3. Configure FWaaS in the fwaas_driver.ini file:

[fwaas]
driver = neutron.services.firewall.drivers.linux.iptables_fwaas.IptablesFwaasDriver
enabled = True

[service_providers]
service_provider = LOADBALANCER:Haproxy:neutron_lbaas.services.loadbalancer.drivers.haproxy.plugin_driver.HaproxyOnHostPluginDriver:default

4. FWaaS management options are available in OpenStack dashboard. Enable this option in the local_settings.py file, usually located on the Controller node:

/usr/share/openstack-dashboard/openstack_dashboard/local/local_settings.py
'enable_firewall' = True

5. Restart neutron-server to apply the changes.

# systemctl restart neutron-server

First create the firewall rules and create a policy to contain them, then create a firewall and apply the policy:

1. Create a firewall rule:

$ neutron firewall-rule-create --protocol <tcp|udp|icmp|any> --destination-port <port-range> --action <allow|deny>

The CLI requires a protocol value. If the rule is protocol agnostic, the any value can be used.

2. Create a firewall policy:

$ neutron firewall-policy-create --firewall-rules "<firewall-rule IDs or names separated by space>" myfirewallpolicy

The order of the rules specified above is important. You can create an empty firewall policy and add rules later, either with the update operation (when adding multiple rules) or with the insert-rule operations (when adding a single rule).

Note: FWaaS always adds a default deny all rule at the lowest precedence of each policy. Consequently, a firewall policy with no rules blocks all traffic by default.

$ neutron firewall-create <firewall-policy-uuid>

The firewall remains in PENDING_CREATE state until an OpenStack Networking router is created, and an interface is attached.