The primary commands associated with FWaaS in the Neutron CLI include:
firewall-create
firewall-delete
firewall-list
firewall-policy-create
firewall-policy-delete
firewall-policy-insert-rule
firewall-policy-list
firewall-policy-remove-rule
firewall-policy-show
firewall-policy-update
firewall-rule-create
firewall-rule-delete
firewall-rule-list
firewall-rule-show
firewall-rule-update
firewall-show
firewall-update
Like LBaaS, FWaaS requires a specific workflow to properly implement firewall policies. First, firewall rules must be created. Then, a firewall policy can be created that references firewall rules. Lastly, a firewall is created and associated with a firewall policy. Once a firewall policy is applied, the rules are immediately put in place on the routers associated with the firewall.
Firewall policies can be shared among tenants. Whenever a policy is updated, every firewall associated with that policy is updated immediately.
The first step in creating a firewall is to create one or more firewall rules that can be applied to a policy. Firewall rules are limited to layer 3 and layer 4 attributes, such as addresses and ports, and can be configured to allow or deny traffic based on these attributes.
To create a firewall rule in the CLI, use the Neutron firewall-rule-create command, as follows:
usage: firewall-rule-create [--tenant-id TENANT_ID] [--name NAME] [--description DESCRIPTION] [--shared] [--source-ip-address SOURCE_IP_ADDRESS] [--destination-ip-address DESTINATION_IP_ADDRESS] [--source-port SOURCE_PORT] [--destination-port DESTINATION_PORT] [--enabled {True,False}] --protocol {tcp,udp,icmp,any} --action {allow,deny}
Here, the --tenant-id flag is optional and allows you to associate the firewall rule with the specified tenant.
The --name flag is optional and allows you to provide a name for the rule.
The --description flag is also optional and allows you to provide a description of the firewall rule.
The --shared flag is optional and allows the rule to be shared with other tenants.
The --source-ip-address flag is optional as well and allows you to specify the source host or network that the rule should apply to.
The --destination-ip-address flag is optional and allows you to specify the destination host or network that the rule should apply to.
The --source-port flag is optional and allows you to specify a source port or range of ports that the rule should apply to. If you are specifying a range of ports, use a colon between the start and end ports.
The --destination-port flag is optional and allows you to specify a destination port or range of ports that the rule should apply to. If you are specifying a range of ports, use a colon between the start and end ports.
The --enabled flag is also optional and allows you to specify whether or not the rule is inserted into the firewall.
The --protocol flag is required and is used to specify the type of traffic that the rule applies to. Possible options are tcp, udp, icmp, or any.
Finally, the --action flag is required and allows you to specify the action that takes place when traffic matches the rule's criteria. Possible actions are allow or deny.
To delete a firewall rule in the CLI, use the Neutron firewall-rule-delete command, as follows:
usage: firewall-rule-delete FIREWALL_RULE
Here, the keyword FIREWALL_RULE is used to represent the ID of the firewall rule to be deleted.
To list all firewall rules within the CLI, use the Neutron firewall-rule-list command, as follows:
usage: firewall-rule-list
Here, the returned output includes the ID, name, summary, associated firewall policy, and status of the firewall rules within the tenant.
To show the details of a firewall rule within the CLI, use the Neutron firewall-rule-show command, as follows:
usage: firewall-rule-show FIREWALL_RULE
The returned output includes the name, description, action, destination IP address, destination port, source IP address, source port, associated firewall policy, position, protocol, and tenant ID of the specified firewall rule.
Many of the attributes of a firewall rule are editable at any time. To update an attribute of a firewall rule in the CLI, use the Neutron firewall-rule-update command, as follows:
usage: firewall-rule-update [--description DESCRIPTION] [--shared] [--source-ip-address SOURCE_IP_ADDRESS] [--destination-ip-address DESTINATION_IP_ADDRESS] [--source-port SOURCE_PORT] [--destination-port DESTINATION_PORT] [--protocol {tcp,udp,icmp,any}] [--action {allow,deny}] FIREWALL_RULE
The next step in creating a firewall is to create a firewall policy that references one or more firewall rules.
To create a firewall policy, use the Neutron firewall-policy-create command, as follows:
usage: firewall-policy-create [--tenant-id TENANT_ID] [--description DESCRIPTION] [--shared] [--firewall-rules FIREWALL_RULES] [--audited] NAME
Here, the --tenant-id flag is optional and allows you to associate the firewall policy with the specified tenant.
The --description flag is optional and allows you to provide a description of the firewall policy.
The --shared flag is optional and allows the policy to be shared with other tenants. Before a policy can be shared, all associated firewall rules must be shared.
The --firewall-rules flag is also optional and is used to add firewall rules to the policy during creation. If multiple rules are specified, they should be enclosed in quotes and separated by spaces. In the following example, two firewall rules are added to the policy named EXAMPLE_POLICY during its creation:
(neutron) firewall-policy-create --firewall-rules "a7a03a5f-ecda-4471-92db-7a1c708e20e1 a9dd1195-f6d9-4942-b76a-06ff3bac32e8" EXAMPLE_POLICY
Finally, the --audited flag is optional and is used to reflect whether or not a policy has been audited by an external resource. There are no audit logs or auditing mechanisms within Neutron.
To delete a firewall policy within the CLI, use the Neutron firewall-policy-delete command, as follows:
usage: firewall-policy-delete FIREWALL_POLICY
Here, the keyword FIREWALL_POLICY is used to represent the ID of the firewall policy to be deleted.
To list all firewall policies within a tenant in the CLI, use the Neutron firewall-policy-list command, as follows:
usage: firewall-policy-list
The returned output includes the ID, name, and firewall rules associated with the policies.
To show the details of a firewall policy in the CLI, use the Neutron firewall-policy-show command, as follows:
usage: firewall-policy-show FIREWALL_POLICY
The returned output includes the ID, name, description, tenant ID, audited status, and associated firewall rules of the specified policy.
To update the attributes of a firewall policy, use the Neutron firewall-policy-update command, as follows:
usage: firewall-policy-update FIREWALL_POLICY [--name NAME] [--description DESCRIPTION] [--shared] [--firewall-rules RULES]
Multiple rules should be enclosed in quotes and separated by spaces.
Using the Neutron firewall-policy-insert-rule command, it is possible to insert firewall rules into an existing policy before or after the existing rules. The syntax to insert a rule into a policy is as follows:
usage: firewall-policy-insert-rule [--insert-before FIREWALL_RULE] [--insert-after FIREWALL_RULE] FIREWALL_POLICY FIREWALL_RULE
Here, the --insert-before flag is optional and allows you to insert the new firewall rule before the specified firewall rule.
The --insert-after flag is optional and allows you to insert the new firewall rule after the specified firewall rule.
The keyword FIREWALL_POLICY is used to represent the ID of the firewall policy to be updated.
Finally, the keyword FIREWALL_RULE is used to represent the ID of the firewall rule to be added to the policy.
Using the Neutron firewall-policy-remove-rule command, it is possible to remove firewall rules from a firewall policy. The syntax to remove a rule from a policy is as follows:
usage: firewall-policy-remove-rule FIREWALL_POLICY_ID FIREWALL_RULE_ID
The keyword FIREWALL_POLICY_ID is used to represent the ID of the firewall policy to be updated.
The keyword FIREWALL_RULE_ID is used to represent the ID of the firewall rule to be removed from the policy.
The last step in creating a firewall is to create a firewall object that references a single firewall policy and associate it with one or more routers.
To create a firewall within the CLI, use the Neutron firewall-create command, as follows:
usage: firewall-create [--tenant-id TENANT_ID] [--name NAME] [--description DESCRIPTION] [--shared] [--admin-state-down] POLICY [--router-ids list=true ROUTER]
Here, the --tenant-id flag is optional and allows you to associate the firewall with the specified tenant.
The --name flag is optional and allows you to provide a name for the firewall.
The --description flag is also optional and allows you to provide a description of the firewall.
The --admin-state-down flag is optional and allows you to create the firewall in a DOWN state. In a DOWN state, firewall rules are not applied.
The keyword POLICY is used to represent the ID of the policy that should be applied to the firewall. Firewalls are limited to a single policy.
The --router-ids flag is optional and allows you to associate the firewall with one or more routers. Finally, the keyword ROUTER is used to represent the ID of a router that should be associated with the firewall. To specify more than one router, use a space to separate the router IDs.
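The three-step workflow described above (rules first, then a policy that references them, then a firewall bound to the policy and a router) as one script. This is an added example, not the book's own code: it assumes the neutron CLI is on the PATH with OpenStack credentials already exported, that the client prints its usual table output containing an id row, and that the management CIDR and router ID passed in are placeholders you replace.

```shell
#!/bin/sh
# Added example (not from the book): end-to-end FWaaS workflow.
# Assumes the neutron CLI is on PATH and OS_* credentials are exported.
set -e

# Pull the value of the "id" row out of the neutron client's table output.
neutron_id() {
  awk -F'|' '$2 ~ /^[[:space:]]*id[[:space:]]*$/ { gsub(/ /, "", $3); print $3 }'
}

# Fail loudly if a create command did not hand back an ID.
require_id() {
  [ -n "$2" ] || { echo "$1: no ID returned" >&2; return 1; }
}

# fwaas_deploy MGMT_CIDR ROUTER_ID
# Rules are matched in policy order, so the explicit deny goes last.
fwaas_deploy() {
  mgmt=$1
  router=$2

  # Step 1: firewall rules (layer 3/4 only: addresses, ports, protocol, action).
  ssh=$(neutron firewall-rule-create --name allow-mgmt-ssh --protocol tcp --action allow \
          --source-ip-address "$mgmt" --destination-port 22 | neutron_id)
  require_id allow-mgmt-ssh "$ssh"
  # A port range uses a colon between the start and end ports.
  https=$(neutron firewall-rule-create --name allow-https --protocol tcp --action allow \
          --source-port 1024:65535 --destination-port 443 | neutron_id)
  require_id allow-https "$https"
  deny=$(neutron firewall-rule-create --name deny-all --protocol any --action deny | neutron_id)
  require_id deny-all "$deny"

  # Step 2: a policy that references the rules, quoted and space-separated, in order.
  policy=$(neutron firewall-policy-create --firewall-rules "$ssh $https $deny" example-policy | neutron_id)
  require_id example-policy "$policy"

  # Step 3: the firewall, bound to the single policy and to the router. The POLICY
  # positional comes before --router-ids because list=true consumes the remaining arguments.
  fw=$(neutron firewall-create --name example-fw "$policy" --router-ids list=true "$router" | neutron_id)
  require_id example-fw "$fw"
  echo "$fw"
}

# Run stand-alone as: sh fwaas.sh 10.0.0.0/24 <router-id> (placeholder values)
if [ $# -eq 2 ]; then
  fwaas_deploy "$1" "$2"
fi
```

Once firewall-create returns, firewall-show FIREWALL should report the policy and router, and the rules take effect on that router immediately.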
To delete a firewall within the CLI, use the Neutron firewall-delete command, as follows:
usage: firewall-delete FIREWALL
Here, the keyword FIREWALL is used to represent the ID of the firewall to be deleted.
To list all firewalls within a tenant in the CLI, use the Neutron firewall-list command, as follows:
usage: firewall-list
The returned output includes a list of firewalls containing the ID, name, and associated firewall policy for each firewall within the tenant.
To show the details of a firewall within the CLI, use the Neutron firewall-show command, as follows:
usage: firewall-show FIREWALL
The output returned includes the ID, admin state, name, description, status, tenant ID, associated firewall policy, and associated routers of the specified firewall.
To update the attributes of a firewall within the CLI, use the Neutron firewall-update command, as follows:
usage: firewall-update FIREWALL [--name NAME] [--firewall-policy-id FIREWALL_POLICY_ID] [--admin-state-up]
Here, the keyword FIREWALL is required and is used to represent the ID of the firewall to be updated.
The --name flag is optional and allows you to update the name of the firewall.
The --firewall-policy-id flag is also optional and allows you to associate a different policy with the firewall.
The --admin-state-up flag is a Boolean that, when set to FALSE, puts the firewall in a DOWN state. When a firewall is in a DOWN state, all rules are removed from the Neutron router.
To create a firewall rule, perform the following steps:
To create a firewall policy, perform the following steps:
To create a firewall, perform the following steps: