此内容没有您所选择的语言版本。

Chapter 18. Configuring Firewall-as-a-Service (FWaaS)


18.1. Overview of firewall-as-a-service (FWaaS)

The Firewall-as-a-Service (FWaaS) plug-in adds perimeter firewall management to OpenStack Networking (neutron). FWaaS uses iptables to apply firewall policy to all virtual routers within a project, and supports one firewall policy and logical firewall instance for each project.

FWaaS operates at the perimeter by filtering traffic at the OpenStack Networking (neutron) router. This distinguishes FWaaS from security groups, which operate at the instance level.

Note

FWaaS is currently in Technology Preview; untested operation is not recommended. FWaaS is not available in future releases.

The following example diagram illustrates the flow of ingress and egress traffic for the VM2 instance:

fwaas

Figure 1. FWaaS architecture

18.2. Enabling firewall-as-a-service (FWaaS)

  1. Install the FWaaS packages:

    # dnf install openstack-neutron-fwaas python-neutron-fwaas
  2. Enable the FWaaS plugin in the /var/lib/config-data/neutron/etc/neutron/neutron.conf file:

    service_plugins = neutron.services.firewall.fwaas_plugin.FirewallPlugin
  3. Configure FWaaS in the fwaas_driver.ini file:

    [fwaas]
    driver = neutron.services.firewall.drivers.linux.iptables_fwaas.IptablesFwaasDriver
    enabled = True
    
    [service_providers]
    service_provider = LOADBALANCER:Haproxy:neutron_lbaas.services.loadbalancer.drivers.haproxy.plugin_driver.HaproxyOnHostPluginDriver:default
  4. Enable the FWaaS dashboard management option in the local_settings.py file, usually located on the Controller node:

    /usr/share/openstack-dashboard/openstack_dashboard/local/local_settings.py
    'enable_firewall' = True
  5. Restart neutron-server to apply the changes.

    # systemctl restart neutron-server

18.3. Configuring firewall-as-a-service (FWaaS)

First, create the firewall rules and create a policy to contain them, then create a firewall and apply the policy:

  1. Create a firewall rule:

    $ neutron firewall-rule-create --protocol <tcp|udp|icmp|any> --destination-port <port-range> --action <allow|deny>

    The CLI requires a protocol value. If the rule is protocol agnostic, you can use the value any.

  2. Create a firewall policy:

    $ neutron firewall-policy-create --firewall-rules "<firewall-rule IDs or names separated by space>" myfirewallpolicy

    The order of the rules that you specify in the neutron firewall-policy-create command is important. You can create an empty firewall policy and add rules later, either with the update operation (when adding multiple rules) or with the insert-rule operations (when adding a single rule).

Note

FWaaS always adds a default deny all rule at the lowest precedence of each policy. Consequently, a firewall policy with no rules blocks all traffic by default.

18.4. Creating firewalls

  • Use the openstack security group create command, to create a firewall:

    $ openstack security group create <firewall-policy-uuid>

The firewall remains in PENDING_CREATE state until you create an OpenStack Networking router and attach an interface.

Red Hat logoGithubRedditYoutubeTwitter

学习

尝试、购买和销售

社区

关于红帽文档

通过我们的产品和服务,以及可以信赖的内容,帮助红帽用户创新并实现他们的目标。

让开源更具包容性

红帽致力于替换我们的代码、文档和 Web 属性中存在问题的语言。欲了解更多详情,请参阅红帽博客.

關於紅帽

我们提供强化的解决方案,使企业能够更轻松地跨平台和环境(从核心数据中心到网络边缘)工作。

© 2024 Red Hat, Inc.