FWaaS: firewall placement and default rules

asked 2014-02-19 04:40:05 -0600

Mathias Ewald

Hi, I tried the FWaaS extension to neutron yesterday and a few questions popped up:

  1. I can only create a single firewall for a tenant / project and cannot configure where the firewall sits. So my question is: Where does the firewall filter packets? All routers to provider networks? Only first router to provider networks? All routers even between tenant networks only?

  2. It seems I cannot have a firewall use more than one policy. So I wonder why policies are actually there!? Like this I could just add rules to the firewall directly instead of placing this abstraction of a policy in between. (A more architectural question)

  3. What is the default target for a firewall? Accept? Drop?

Cheers, Mathias


1 answer


answered 2014-02-19 10:37:33 -0600

SamYaple

Question 1: "This reference implementation supports one firewall policy and consequently one logical firewall instance for each tenant. This is not a constraint of the resource model, but of the current reference implementation. The firewall is present on a Networking virtual router. If a tenant has multiple routers, the firewall is present on all the routers."

One firewall that applies to all routers is the current model. I believe this has changed in Icehouse to a firewall per router, but I am not sure about that.

Question 2: This relates to point one. FWaaS and VPNaaS are marked "experimental" in the Havana release. They are not fully fleshed out feature-wise. This is more of a base for the API to be built around. It has only very limited functionality.

Question 3: From testing, it appears that the default rule is Accept. An explicit DROP statement should be added as best practice. Again, this limitation is with the current implementation, not the underlying tools.

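The "explicit DROP as best practice" recommendation above, as an added example that is not part of the thread: a Havana/Icehouse-era `neutron` CLI sequence that builds one ordered policy ending in a deny-all rule, so the outcome no longer depends on whatever the implicit default happens to be. The rule and policy names and the 203.0.113.0/24 admin network are assumptions; `NEUTRON=echo` gives a dry run that only prints the commands.

```shell
#!/bin/sh
# Added example: FWaaS policy with an explicit trailing deny (not code from the thread).
# NEUTRON can be pointed at a stub such as "echo" to preview the commands without a cloud.
NEUTRON=${NEUTRON:-neutron}

# Create one firewall rule. $1 name, $2 protocol (tcp|udp|icmp|any), $3 action (allow|deny);
# any remaining arguments (ports, CIDRs) are passed through to neutron unchanged.
fw_rule() {
    name=$1; proto=$2; action=$3; shift 3
    "$NEUTRON" firewall-rule-create --name "$name" --protocol "$proto" --action "$action" "$@"
}

# Ordered rule set: allow ICMP, allow SSH only from the assumed admin network,
# then deny everything else. FWaaS evaluates rules in policy order and the first
# match wins, so deny-all must be the last rule in --firewall-rules.
fw_policy() {
    fw_rule allow-icmp      icmp allow
    fw_rule allow-ssh-admin tcp  allow --destination-port 22 --source-ip-address 203.0.113.0/24
    fw_rule deny-all        any  deny
    "$NEUTRON" firewall-policy-create \
        --firewall-rules "allow-icmp allow-ssh-admin deny-all" tenant-policy
    # One firewall per tenant in this implementation; it lands on all of the tenant's routers.
    "$NEUTRON" firewall-create --name tenant-fw tenant-policy
}

# Show the policy afterwards so the rule order (deny-all last) can be checked.
fw_verify() {
    "$NEUTRON" firewall-policy-show tenant-policy
}

# Only apply when explicitly requested, so sourcing this file has no side effects.
if [ "${FWAAS_APPLY:-0}" = 1 ]; then
    fw_policy && fw_verify
fi
```

Run with `FWAAS_APPLY=1 sh fwaas-policy.sh` against a cloud where the FWaaS service plugin is enabled.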


Thanks for the reply, Sam! I did some ping testing in several constellations, too. Here is what I found out: Without any firewall, everything is open. Piece of cake. With a firewall configured but without any rules in the policy, my instance cannot talk to the provider network anymore and of course vice versa. Also, a connection to another instance behind a tenant router (between two tenant networks) is blocked. So it seems like the default for a firewall without any rules is DROP. Now I added a rule to allow ICMP and the connection to that other instance behind the tenant router works again. Still the path to the provider network is completely blocked. Nothing in, nothing out. This is true for floating IPs, too. Can anyone explain this behavior?

Mathias Ewald (2014-02-20 06:42:03 -0600)

Hi guys, I created two tenants. In TenantA I created the firewall ICMP rule with deny action. I launched two instances from TenantA and TenantB. Unable to ping both instances from router or DHCP; it works fine. But unable to SSH to both instances. I want to create another rule called tcp in TenantA only.

rajcoumar (2014-12-26 05:06:45 -0600)

But it doesn't allow me to create another firewall rule. So I created it under TenantB. But it looks at the TenantA firewall rule only. I want to create multiple firewall rules within TenantA.

rajcoumar (2014-12-26 05:08:01 -0600)


Last updated: Feb 19 '14