Chapter 11. Firewall as a Service

Neutron includes an advanced service known as Firewall as a Service, or FWaaS, which enables users to create and manage firewalls that provide layer 3 and layer 4 filtering at the perimeter of the network. Using the reference driver and Neutron API, users can:

  • Apply firewall rules to the traffic entering and leaving the tenant networks attached to Neutron routers
  • Create and share firewall policies that hold an ordered collection of the firewall rules
  • Audit firewall rules and policies

The FWaaS extension introduces the following network resources:

  • Firewall: A logical firewall resource that a tenant can instantiate and manage. A firewall is associated with a single firewall policy.
  • Firewall policy: An ordered collection of firewall rules that can be shared across tenants.
  • Firewall rule: A collection of attributes such as layer 3 addresses and layer 4 ports that are allowed or denied access through an interface.
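The three resources above form a strict hierarchy: a firewall binds to one policy, and a policy is an ordered list of rules in which the first matching rule decides. The following added example (not code from the book or from Neutron itself) models that hierarchy and the first-match evaluation in plain Python so the ordering and audit semantics can be exercised offline. The rule attributes mirror those the FWaaS API exposes (action, protocol, source/destination address, source/destination port, enabled), while the packets, the rule names and the "no match means deny" fall-through are assumptions of this illustration, chosen to match the iptables reference driver's default-drop behaviour.

```python
"""Simplified model of the FWaaS resource hierarchy: Firewall -> FirewallPolicy
-> ordered FirewallRules, evaluated first-match-wins.  Added example, not the
book's or Neutron's code; packets and rule names below are constructed."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class FirewallRule:
    """One rule carrying the layer 3/4 attributes the FWaaS API exposes."""
    name: str
    action: str                              # "allow" or "deny"
    protocol: Optional[str] = None           # "tcp", "udp", "icmp"; None = any
    source_ip: Optional[str] = None          # address or CIDR; None = any
    destination_ip: Optional[str] = None
    source_port: Optional[int] = None        # None = any port
    destination_port: Optional[int] = None
    enabled: bool = True

    def matches(self, pkt: dict) -> bool:
        """True when every attribute set on the rule matches the packet."""
        if self.protocol and pkt["protocol"] != self.protocol:
            return False
        for attr, key in (("source_ip", "src"), ("destination_ip", "dst")):
            cidr = getattr(self, attr)
            if cidr and ipaddress.ip_address(pkt[key]) not in ipaddress.ip_network(cidr, strict=False):
                return False
        for attr, key in (("source_port", "sport"), ("destination_port", "dport")):
            port = getattr(self, attr)
            if port is not None and pkt.get(key) != port:
                return False
        return True


@dataclass
class FirewallPolicy:
    """Ordered rule list; 'audited' is cleared whenever the rule set changes."""
    name: str
    rules: List[FirewallRule] = field(default_factory=list)
    audited: bool = False

    def insert_rule(self, rule: FirewallRule, position: Optional[int] = None) -> None:
        if position is None:
            self.rules.append(rule)
        else:
            self.rules.insert(position, rule)
        self.audited = False  # rules changed: the policy needs a fresh audit

    def remove_rule(self, name: str) -> None:
        self.rules = [r for r in self.rules if r.name != name]
        self.audited = False


@dataclass
class Firewall:
    """A firewall is bound to exactly one policy."""
    name: str
    policy: FirewallPolicy

    def evaluate(self, pkt: dict) -> str:
        """The first enabled matching rule decides; no match falls through to
        deny (assumption here, matching the iptables driver's trailing drop)."""
        for rule in self.policy.rules:
            if rule.enabled and rule.matches(pkt):
                return rule.action
        return "deny"


def build_demo_firewall() -> Firewall:
    """Constructed sample: block SSH into the tenant subnet, allow web and ping."""
    policy = FirewallPolicy("web-policy")
    policy.insert_rule(FirewallRule("deny-ssh", "deny", protocol="tcp",
                                    destination_ip="192.168.1.0/24", destination_port=22))
    policy.insert_rule(FirewallRule("allow-http", "allow", protocol="tcp",
                                    destination_ip="192.168.1.0/24", destination_port=80))
    policy.insert_rule(FirewallRule("allow-icmp", "allow", protocol="icmp"))
    policy.audited = True  # operator reviewed the finished rule set
    return Firewall("tenant-fw", policy)


if __name__ == "__main__":
    fw = build_demo_firewall()
    for pkt in (
        {"protocol": "tcp", "src": "10.0.0.5", "dst": "192.168.1.10", "sport": 40001, "dport": 22},
        {"protocol": "tcp", "src": "10.0.0.5", "dst": "192.168.1.10", "sport": 40002, "dport": 80},
        {"protocol": "udp", "src": "10.0.0.5", "dst": "192.168.1.10", "sport": 40003, "dport": 53},
    ):
        print(pkt["protocol"], pkt["dport"], "->", fw.evaluate(pkt))
```

Inserting a more specific rule ahead of `deny-ssh` changes the verdict for the same packet, which is exactly why rule order (and re-auditing after every change) matters in FWaaS.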

As with security groups, firewalls in Neutron utilize iptables to perform traffic filtering when an iptables-based reference driver is used. Rather than being configured on every compute node, however, firewall rules are implemented within a Neutron router namespace.

In this chapter, we will cover the following:

  • Enabling FWaaS in Neutron
  • Creating and managing Neutron firewalls
  • Demonstrating traffic flow through a Neutron firewall

Enabling FWaaS

To enable FWaaS, some changes must be made to the Neutron configuration files on the controller and network nodes. In this environment, the controller serves as the network node. No dedicated agent is needed to implement FWaaS, as the existing Neutron L3 agent handles all firewall functionality.

Configuring the firewall driver

Neutron stores the FWaaS driver configuration in the /etc/neutron/fwaas_driver.ini file. The most common configuration options will be covered in the following sections.

Defining a device driver

To manage a firewall, Neutron must be configured to use a device driver that provides the interface between the Neutron API and the programming of the service or device.

On the controller node, enable FWaaS and define the iptables device driver in the FWaaS driver configuration file, as follows:

[fwaas]
...
enabled = true
driver = neutron_fwaas.services.firewall.drivers.linux.iptables_fwaas.IptablesFwaasDriver

Configuring Neutron

In addition to configuring the firewall driver, Neutron must be configured to use the firewall service plugin before the API can be utilized to create firewall objects.

Defining a service plugin

Update the service_plugins configuration option found in the /etc/neutron/neutron.conf file on the controller by adding the firewall service plugin to the list of enabled plugins:

[DEFAULT]
...
service_plugins = router,lbaas,firewall

Restart the neutron-server and neutron-l3-agent services with the following commands:

# service neutron-server restart
# service neutron-l3-agent restart

Workarounds

Due to a bug in the Kilo release available at the time of writing, it may be necessary to update the Neutron database schema before FWaaS will operate properly.

To update the schema, run the following command on the controller node:

# neutron-db-manage --service fwaas upgrade head

For more information on the bug, refer to the following URL:

https://bugs.launchpad.net/neutron/+bug/1463830
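A misplaced driver line or a missing plugin name is the usual reason the firewall API returns errors after the steps above, and neutron-server only reports it in its log at restart. The following pre-flight check is an added example, not code from the book or from Neutron: it parses the two files the chapter edits (/etc/neutron/fwaas_driver.ini and /etc/neutron/neutron.conf) and lists anything that would keep the iptables reference driver or the firewall service plugin from loading. The sample file contents are constructed; the expected driver string and the plugin names are the ones shown in the chapter. The schema upgrade from the Workarounds section is not something a config parse can verify, so it is not checked here.

```python
"""Pre-flight check for the FWaaS enablement steps.  Added example, not the
book's or Neutron's code; the sample configs below are constructed."""
import configparser
from typing import List

FWAAS_DRIVER_INI = "/etc/neutron/fwaas_driver.ini"   # paths as named in the chapter
NEUTRON_CONF = "/etc/neutron/neutron.conf"
IPTABLES_DRIVER = ("neutron_fwaas.services.firewall.drivers.linux."
                   "iptables_fwaas.IptablesFwaasDriver")

# Constructed sample contents (no literal "..." lines, which configparser rejects).
SAMPLE_FWAAS_INI_OK = f"""[fwaas]
enabled = true
driver = {IPTABLES_DRIVER}
"""
SAMPLE_NEUTRON_CONF_OK = """[DEFAULT]
core_plugin = ml2
service_plugins = router,lbaas,firewall
"""
SAMPLE_FWAAS_INI_DISABLED = """[fwaas]
enabled = false
driver =
"""
SAMPLE_NEUTRON_CONF_NO_FIREWALL = """[DEFAULT]
core_plugin = ml2
service_plugins = router,lbaas
"""


def _parse(text: str) -> configparser.ConfigParser:
    # interpolation=None: Neutron configs may contain literal '%' characters.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def check_fwaas_config(fwaas_ini_text: str, neutron_conf_text: str) -> List[str]:
    """Return a list of findings; an empty list means both files look correct."""
    findings: List[str] = []

    fw = _parse(fwaas_ini_text)
    if not fw.has_section("fwaas"):
        findings.append("fwaas_driver.ini: missing [fwaas] section")
    else:
        enabled = fw.get("fwaas", "enabled", fallback="false").strip().lower()
        if enabled != "true":
            findings.append("fwaas_driver.ini: [fwaas] enabled is not true")
        driver = fw.get("fwaas", "driver", fallback="").strip()
        if not driver:
            findings.append("fwaas_driver.ini: [fwaas] driver is not set")
        elif driver != IPTABLES_DRIVER:
            findings.append(f"fwaas_driver.ini: driver is {driver!r}, "
                            "expected the iptables reference driver")

    nc = _parse(neutron_conf_text)
    plugins_raw = nc.get("DEFAULT", "service_plugins", fallback="")
    plugins = [p.strip() for p in plugins_raw.split(",") if p.strip()]
    if "firewall" not in plugins:
        findings.append("neutron.conf: 'firewall' is not listed in service_plugins")
    if "router" not in plugins:
        findings.append("neutron.conf: 'router' is not listed in service_plugins; "
                        "FWaaS rules are applied inside router namespaces")
    return findings


def check_fwaas_files(fwaas_path: str = FWAAS_DRIVER_INI,
                      neutron_path: str = NEUTRON_CONF) -> List[str]:
    """Same check against the files on disk of a controller node."""
    with open(fwaas_path) as f, open(neutron_path) as n:
        return check_fwaas_config(f.read(), n.read())


if __name__ == "__main__":
    for label, ini, conf in (
        ("good", SAMPLE_FWAAS_INI_OK, SAMPLE_NEUTRON_CONF_OK),
        ("broken", SAMPLE_FWAAS_INI_DISABLED, SAMPLE_NEUTRON_CONF_NO_FIREWALL),
    ):
        print(label, "->", check_fwaas_config(ini, conf) or "OK")
```

Run `check_fwaas_files()` on the controller after editing the files and before the two service restarts; fix every finding first, since neutron-server will not load a plugin it cannot import.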
