Firewall Management in the CLI

The primary commands associated with FWaaS in the Neutron CLI include:

  • firewall-create
  • firewall-delete
  • firewall-list
  • firewall-policy-create
  • firewall-policy-delete
  • firewall-policy-insert-rule
  • firewall-policy-list
  • firewall-policy-remove-rule
  • firewall-policy-show
  • firewall-policy-update
  • firewall-rule-create
  • firewall-rule-delete
  • firewall-rule-list
  • firewall-rule-show
  • firewall-rule-update
  • firewall-show
  • firewall-update

Like LBaaS, FWaaS requires a specific workflow to properly implement firewall policies. First, firewall rules must be created. Then, a firewall policy can be created that references firewall rules. Lastly, a firewall is created and associated with a firewall policy. Once a firewall policy is applied, the rules are immediately put in place on the routers associated with the firewall.

Firewall policies can be shared among tenants. Whenever a policy is updated, every firewall associated with that policy is updated immediately, so a change to a shared policy takes effect on all tenants using it.

Managing firewall rules

The first step in creating a firewall is to create one or more firewall rules that can be applied to a policy. Firewall rules are limited to layer 3 and layer 4 attributes, such as addresses and ports, and can be configured to allow or deny traffic based on these attributes.

Creating a firewall rule in the CLI

To create a firewall rule in the CLI, use the Neutron firewall-rule-create command, as follows:

usage:      firewall-rule-create [--tenant-id TENANT_ID] 
            [--name NAME] [--description DESCRIPTION] 
            [--shared]
            [--source-ip-address SOURCE_IP_ADDRESS]
            [--destination-ip-address DESTINATION_IP_ADDRESS]
            [--source-port SOURCE_PORT]
            [--destination-port DESTINATION_PORT]
            [--enabled {True,False}] 
            --protocol {tcp,udp,icmp,any} 
            --action {allow,deny}

Here, the --tenant-id flag is optional and allows you to associate the firewall rule with the specified tenant.

The --name flag is optional and allows you to provide a name to the rule.

The --description flag is also optional and allows you to provide a description of the firewall rule.

The --shared flag is optional and allows the rule to be shared among other tenants.

The --source-ip-address flag is optional as well and allows you to specify the source host or network that the rule should apply to.

The --destination-ip-address flag is optional and allows you to specify the destination host or network that the rule should apply to.

The --source-port flag is optional and allows you to specify a source port or range of the ports that the rule should apply to. If you are specifying a range of ports, use a colon between the start and end ports.

The --destination-port flag is optional and allows you to specify a destination port or range of ports that the rule should apply to. If you are specifying a range of ports, use a colon between the start and end ports.

The --enabled flag, which takes True or False, is also optional and allows you to specify whether or not the rule is inserted into the firewall.

The --protocol flag is required and used to specify the type of traffic that the rule applies to. Possible options are tcp, udp, icmp, or any.

Finally, the --action flag is required and allows you to specify the action that takes place when the traffic matches the rule's criteria. Possible actions are allow or deny.

Deleting a firewall rule in the CLI

To delete a firewall rule in the CLI, use the Neutron firewall-rule-delete command, as follows:

usage:    firewall-rule-delete FIREWALL_RULE

Here, the keyword FIREWALL_RULE is used to represent the ID of the firewall rule to be deleted.

Listing firewall rules in the CLI

To list all firewall rules within the CLI, use the Neutron firewall-rule-list command, as follows:

usage:    firewall-rule-list

Here, the returned output includes the ID, name, summary, associated firewall policy, and status of firewall rules within the tenant.

Showing the details of a firewall rule in the CLI

To show the details of a firewall rule within the CLI, use the Neutron firewall-rule-show command, as follows:

usage:    firewall-rule-show FIREWALL_RULE

The returned output includes the name, description, action, destination IP address, destination port, source IP address, source port, associated firewall policy, position, protocol, and tenant ID of the specified firewall rule.

Updating a firewall rule in the CLI

Many of the attributes of a firewall rule are editable at any time. To update an attribute of a firewall rule in the CLI, use the Neutron firewall-rule-update command, as follows:

usage:    firewall-rule-update 
          [--description DESCRIPTION] [--shared]
          [--source-ip-address SOURCE_IP_ADDRESS]
          [--destination-ip-address DESTINATION_IP_ADDRESS]
          [--source-port SOURCE_PORT]
          [--destination-port DESTINATION_PORT]
          [--protocol {tcp,udp,icmp,any}]
          [--action {allow,deny}]      
          FIREWALL_RULE

Note

Updating the firewall rules associated with a live firewall may result in an error due to a bug in the Kilo release of FWaaS. To work around this issue, the firewall must be marked DOWN to remove the rules and then UP to reapply them.

For more information on the bug, visit the following URL:

https://bugs.launchpad.net/neutron/+bug/1475244

Managing firewall policies

The next step in creating a firewall is to create a firewall policy that references one or more firewall rules.

Creating a firewall policy in the CLI

To create a firewall policy, use the Neutron firewall-policy-create command, as follows:

usage:    firewall-policy-create [--tenant-id TENANT_ID]
          [--description DESCRIPTION] [--shared]
          [--firewall-rules FIREWALL_RULES] [--audited]
          NAME

Here, the --tenant-id flag is optional and allows you to associate the firewall policy with the specified tenant.

The --description flag is optional and allows you to provide a description of the firewall policy.

The --shared flag is optional and allows the policy to be shared among other tenants. Before a policy can be shared, all associated firewall rules must be shared.

The --firewall-rules flag is also optional and is used to add firewall rules to the policy during creation. If multiple rules are specified, they should be enclosed in quotes and separated by spaces. In the following example, two firewall rules are added to the policy named EXAMPLE_POLICY during its creation:

(neutron) firewall-policy-create --firewall-rules "a7a03a5f-ecda-4471-92db-7a1c708e20e1 a9dd1195-f6d9-4942-b76a-06ff3bac32e8" EXAMPLE_POLICY

Note

Neutron always adds a default "deny all" rule at the lowest precedence of each policy. As a result, a firewall policy with no rules blocks all traffic by default.

Finally, the --audited flag is optional and is used to reflect whether or not a policy is audited by an external resource. There are no audit logs or auditing mechanisms within Neutron.

Deleting a firewall policy in the CLI

To delete a firewall policy within the CLI, use the Neutron firewall-policy-delete command, as follows:

usage:    firewall-policy-delete FIREWALL_POLICY

Here, the keyword FIREWALL_POLICY is used to represent the ID of the firewall policy to be deleted.

Listing firewall policies in the CLI

To list all firewall policies within a tenant in the CLI, use the Neutron firewall-policy-list command, as follows:

usage:    firewall-policy-list

The returned output includes the ID, name, and firewall rules associated with the policies.

Showing the details of a firewall policy in the CLI

To show the details of a firewall policy in the CLI, use the Neutron firewall-policy-show command, as follows:

usage:    firewall-policy-show FIREWALL_POLICY

The returned output includes the ID, name, description, tenant ID, audited status, and associated firewall rules of the specified policy.

Updating a firewall policy in the CLI

To update the attributes of a firewall policy, use the Neutron firewall-policy-update command, as follows:

usage:    firewall-policy-update FIREWALL_POLICY 
          [--name NAME] [--description DESCRIPTION] [--shared] 
          [--firewall-rules RULES] 

Multiple rules should be enclosed in quotes and separated by a space.

Inserting rules into firewall policies in the CLI

Using the Neutron firewall-policy-insert-rule command, it is possible to insert firewall rules into an existing policy before or after the existing rules. The syntax to insert a rule into a policy is as follows:

usage:    firewall-policy-insert-rule 
          [--insert-before FIREWALL_RULE]
          [--insert-after FIREWALL_RULE]
          FIREWALL_POLICY FIREWALL_RULE

Here, the --insert-before flag is optional and allows you to insert a new firewall rule before the specified firewall rule.

The --insert-after flag is optional and allows you to insert a new firewall rule after the specified firewall rule.

Note

The --insert-before and --insert-after flags are mutually exclusive and cannot be used at the same time.

The keyword FIREWALL_POLICY is used to represent the ID of the firewall policy to be updated.

Finally, the keyword FIREWALL_RULE is used to represent the ID of the firewall rule to be added to the policy.
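The following Python model, added here as an illustration and not Neutron's own code, applies the semantics this page describes for rules and policies: the attributes taken by firewall-rule-create, colon-separated port ranges, disabled rules being skipped, ordered evaluation with Neutron's implicit "deny all" at the lowest precedence, and the insert-before/insert-after placement (and mutual exclusion) of firewall-policy-insert-rule. It assumes first-match evaluation in policy order, references rules by name rather than ID, and appends when neither insert flag is given, a modelling choice the page does not cover.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class FirewallRule:  # the attributes firewall-rule-create accepts (constructed model)
    name: str
    protocol: str                                 # --protocol {tcp,udp,icmp,any}
    action: str                                   # --action {allow,deny}
    source_ip_address: Optional[str] = None       # host or CIDR
    destination_ip_address: Optional[str] = None
    source_port: Optional[str] = None             # "22" or "start:end"
    destination_port: Optional[str] = None
    enabled: bool = True                          # --enabled False: rule is not inserted

def _port_matches(spec: Optional[str], port: Optional[int]) -> bool:
    if spec is None:
        return True                     # rule has no port constraint
    if port is None:
        return False                    # rule needs a port, traffic has none (e.g. icmp)
    lo, _, hi = spec.partition(":")     # colon-separated range, or a single port
    return int(lo) <= port <= int(hi or lo)

def _ip_matches(spec: Optional[str], ip: str) -> bool:
    return spec is None or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def rule_matches(r: FirewallRule, proto, src, dst, sport=None, dport=None) -> bool:
    return (r.enabled and r.protocol in ("any", proto)
            and _ip_matches(r.source_ip_address, src) and _ip_matches(r.destination_ip_address, dst)
            and _port_matches(r.source_port, sport) and _port_matches(r.destination_port, dport))

class FirewallPolicy:
    def __init__(self, rules=()):
        self.rules = list(rules)        # ordered, as given to --firewall-rules

    def insert_rule(self, rule, insert_before=None, insert_after=None):
        """Models firewall-policy-insert-rule; rules are referenced by name here, by ID in Neutron."""
        if insert_before and insert_after:
            raise ValueError("--insert-before and --insert-after are mutually exclusive")
        names = [r.name for r in self.rules]
        if insert_before:
            idx = names.index(insert_before)
        elif insert_after:
            idx = names.index(insert_after) + 1
        else:
            idx = len(self.rules)       # assumption: append when neither flag is given
        self.rules.insert(idx, rule)

    def evaluate(self, proto, src, dst, sport=None, dport=None):
        """First rule in policy order that matches decides; otherwise Neutron's default deny-all."""
        for r in self.rules:
            if rule_matches(r, proto, src, dst, sport, dport):
                return r.action, r.name
        return "deny", "<default deny all>"
```

Evaluating a candidate policy this way before applying it shows which rule would decide a given flow and whether traffic you expect to pass is actually falling through to the implicit deny.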

Removing rules from firewall policies in the CLI

Using the Neutron firewall-policy-remove-rule command, it is possible to remove firewall rules from a firewall policy. The syntax to remove a rule from a policy is as follows:

usage:    firewall-policy-remove-rule
          FIREWALL_POLICY FIREWALL_RULE

The keyword FIREWALL_POLICY is used to represent the ID of the firewall policy to be updated.

The keyword FIREWALL_RULE is used to represent the ID of the firewall rule to be removed from the policy.

Note

Updating the firewall policies associated with a live firewall may result in an error due to a bug in the Kilo release of FWaaS. To work around this issue, the firewall must be marked DOWN to remove the rules and then UP to reapply them.

For more information on the bug, visit the following URL:

https://bugs.launchpad.net/neutron/+bug/1475244

Managing firewalls

The last step in creating a firewall is to create a firewall object that references a single firewall policy and associate it with one or more routers.

Creating a firewall in the CLI

To create a firewall within the CLI, use the Neutron firewall-create command, as follows:

usage:    firewall-create [--tenant-id TENANT_ID] [--name NAME]
          [--description DESCRIPTION] [--shared]
          [--admin-state-down]
          POLICY
          [--router-ids list=true ROUTER]

Here, the --tenant-id flag is optional and allows you to associate the firewall with the specified tenant.

The --name flag is optional and allows you to provide a name for the firewall.

The --description flag is also optional and allows you to provide a description of the firewall.

The --admin-state-down flag is optional and allows you to create the firewall in a DOWN state. In a DOWN state, firewall rules are not applied.

The keyword POLICY is used to represent the ID of the policy that should be applied to the firewall. Firewalls are limited to a single policy.

The --router-ids flag is optional and allows you to associate the firewall with one or more routers. Finally, the keyword ROUTER is used to represent the ID of a router that should be associated with the firewall. To specify more than one router, use a space to separate the router IDs.

Deleting a firewall in the CLI

To delete a firewall within the CLI, use the Neutron firewall-delete command, as follows:

usage:    firewall-delete FIREWALL

Here, the keyword FIREWALL is used to represent the ID of the firewall to be deleted.

Listing firewalls in the CLI

To list all firewalls within a tenant in the CLI, use the Neutron firewall-list command as follows:

usage:    firewall-list

The returned output includes a list of firewalls containing the ID, name, and associated firewall policy for each firewall within the tenant.

Showing the details of a firewall in the CLI

To show the details of a firewall within the CLI, use the Neutron firewall-show command as follows:

usage:    firewall-show FIREWALL

The output returned includes the ID, admin state, name, description, status, tenant ID, associated firewall policy, and associated routers of the specified firewall.

Updating a firewall in the CLI

To update the attributes of a firewall within the CLI, use the Neutron firewall-update command, as follows:

usage:    firewall-update FIREWALL [--name NAME] 
          [--firewall-policy-id FIREWALL_POLICY_ID] 
          [--admin-state-up]

Here, the keyword FIREWALL is required and used to represent the ID of the firewall to be updated.

The --name flag is optional and allows you to update the name of the firewall.

The --firewall-policy-id flag is also optional and allows you to associate a different policy with the firewall.

The --admin-state-up flag is a Boolean that, when set to FALSE, puts the firewall in a DOWN state. When a firewall is in a DOWN state, all rules are removed from the Neutron router.

Firewall management in the dashboard

Within the Horizon dashboard, the firewalls are managed in the Firewalls section under the Network tab:

Firewall management in the dashboard

Figure 11.1

In the dashboard, the workflow to create functional firewalls is similar to that in the CLI. First, the firewall rules must be created, then a firewall policy, and lastly, the firewall itself.

Creating a firewall rule

To create a firewall rule, perform the following steps:

  1. Click on Firewalls under the Network menu within the Project screen. In the Firewall Rules tab, click on the Add Rule button in the upper right-hand corner of the screen. A window will appear that allows you to create a firewall rule:
    Creating a firewall rule

    Figure 11.2

  2. From within this window, you can specify source and destination addresses, source and destination ports, the protocol, and the desired action—ALLOW or DENY. To create the rule, click on the blue Add button. The rule will be listed on the main Firewalls page under Firewall Rules, as shown in the following screenshot:
    Creating a firewall rule

    Figure 11.3

Creating a firewall policy

To create a firewall policy, perform the following steps:

  1. To create a firewall policy that will contain the rule(s), click on the Add Policy button within the Firewall Policies tab. A window will appear that allows you to create a firewall policy:
    Creating a firewall policy

    Figure 11.4

  2. Click on the Rules tab to insert rules into the policy:
    Creating a firewall policy

    Figure 11.5

  3. Use the up and down arrows to order the rules if you are adding more than one. Once the desired rules are moved from the Available Rules section to the Selected Rules section, click on the blue Add button to complete the policy creation process.
  4. The resulting policy will be listed on the main Firewalls page under Firewall Policies, as shown in the following screenshot:
    Creating a firewall policy

    Figure 11.6

Creating a firewall

To create a firewall, perform the following steps:

  1. From the Firewalls tab, click on the Create Firewall button in the upper right-hand corner of the screen. A window will appear that allows you to create a firewall:
    Creating a firewall

    Figure 11.7

  2. Click on the Routers tab to associate the firewall with a router:
    Creating a firewall

    Figure 11.8

  3. To associate the firewall with a router, move the router from the Available Routers section to the Selected Routers section. Click on the blue Add button to complete the firewall creation process.
  4. The resulting firewall will be listed on the main Firewalls page under Firewall, as shown in the following screenshot:
    Creating a firewall

    Figure 11.9

Note

The firewall status will remain PENDING_CREATE until the rules are applied to the associated Neutron routers.
