After our work with the OpenStack Neutron LBaaS plugin, let's look at another useful plugin, Firewall as a Service (FWaaS). By enabling the FWaaS agent plugin on our network node, we are able to create and manage firewalls through Neutron API calls. There are drivers for many hardware vendors; the following example uses iptables to provide the firewalling service.
We configure Neutron FWaaS on the nodes running the Neutron L3 agent (this will be the network node if not using Distributed Virtual Routers (DVR), or the compute node if using DVR) and configure the Neutron Server API on the controller nodes to pick up the service. We can also expose the FWaaS feature in Horizon on the controller nodes.
Ensure that you have a suitable server running the OpenStack network components. If you are using the accompanying Vagrant environment, as described in the Preface, we will use the same network and controller nodes for this recipe.

Ensure that you are logged into the network node as well as the controller node in our environment. If you created these nodes with Vagrant, you can execute the following commands:

    vagrant ssh network
    vagrant ssh controller
To enable the Neutron FWaaS feature, first carry out the following steps on the nodes running the L3 agent. In normal circumstances this will be the network node. If you are running DVR, this will be on the compute nodes. Follow these steps:

1. Edit the [DEFAULT] section of the /etc/neutron/neutron.conf file by adding firewall to the service_plugins line:

    service_plugins = firewall

2. In the same file, add the following [SERVICE_PROVIDERS] section:

    [SERVICE_PROVIDERS]
    service_provider = FIREWALL:Iptables:neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver:default

3. Edit the /etc/neutron/fwaas_driver.ini file so it has the following content:

    [fwaas]
    driver = neutron.services.firewall.drivers.linux.iptables_fwaas.IptablesFwaasDriver
    enabled = True

4. Restart the neutron-l3-agent service to pick up these changes as follows:

    sudo restart neutron-l3-agent

5. On the controller node running the Neutron Server API and Horizon, make the same change to the /etc/neutron/neutron.conf file:

    [DEFAULT]
    service_plugins = firewall
    [SERVICE_PROVIDERS]
    service_provider = FIREWALL:Iptables:neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver:default

6. Restart the Neutron Server API service:

    sudo restart neutron-server

7. Edit the /etc/openstack-dashboard/local_settings.py file to enable the FWaaS feature in Horizon:

    OPENSTACK_NEUTRON_NETWORK = {
        'enable_firewall': True,
        ...
    }

8. Restart Apache to pick up this change:

    sudo service apache2 restart
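A mistyped driver path or a service_plugins line that was overwritten instead of extended only shows up after the restart, as a failed agent or a missing "firewall" extension in the API. The following script is an added example, not part of the cookbook recipe, that checks the two files from the steps above before you restart anything. It takes the expected values from the recipe; the check functions, the _service_providers line scanner and the sample file contents are this example's own constructions. Note that service_plugins is a comma-separated list, so if the line already names other plugins (typically router), firewall must be appended to them rather than replace them; merged_service_plugins() computes that value.

```python
"""Pre-restart check for the Neutron FWaaS settings from the recipe above.

Added example, not code from the cookbook or from Neutron. The expected
values below are the ones the recipe gives; everything else is constructed
for illustration.
"""
import configparser

# Expected values, copied from the recipe steps.
FIREWALL_PLUGIN = "firewall"
FIREWALL_PROVIDER = ("FIREWALL:Iptables:neutron.agent.linux.iptables_firewall."
                     "OVSHybridIptablesFirewallDriver:default")
FWAAS_DRIVER = ("neutron.services.firewall.drivers.linux.iptables_fwaas."
                "IptablesFwaasDriver")


def _parse(text):
    # Only "=" separates option and value: service_provider values contain ":".
    # interpolation=None keeps "%" literal; strict=False tolerates a key that
    # appears twice (the last occurrence wins).
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None,
                                   strict=False)
    cp.read_string(text)
    return cp


def _service_providers(text):
    """Every service_provider value in [SERVICE_PROVIDERS].

    Neutron allows the option to be repeated (one line per service type), and
    configparser would keep only the last one, so scan the raw lines instead.
    """
    values, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line == "[SERVICE_PROVIDERS]"
        elif in_section and "=" in line and not line.startswith(("#", ";")):
            key, value = line.split("=", 1)
            if key.strip() == "service_provider":
                values.append(value.strip())
    return values


def merged_service_plugins(current, plugin=FIREWALL_PLUGIN):
    """service_plugins value with `plugin` added, keeping existing entries
    (e.g. "router") and never listing the same plugin twice."""
    plugins = [p.strip() for p in current.split(",") if p.strip()]
    if plugin not in plugins:
        plugins.append(plugin)
    return ",".join(plugins)


def check_fwaas_config(neutron_conf, fwaas_driver_ini=None):
    """Return a list of problems; an empty list means the node is ready.

    `fwaas_driver_ini` is the content of /etc/neutron/fwaas_driver.ini and is
    only needed on the node running the L3 agent; pass None on the controller,
    where only neutron.conf changes.
    """
    problems = []
    cp = _parse(neutron_conf)

    plugins = [p.strip() for p in cp["DEFAULT"].get("service_plugins", "").split(",")]
    if FIREWALL_PLUGIN not in plugins:
        problems.append("[DEFAULT] service_plugins does not include 'firewall'")

    if FIREWALL_PROVIDER not in _service_providers(neutron_conf):
        problems.append("[SERVICE_PROVIDERS] has no FIREWALL:Iptables service_provider")

    if fwaas_driver_ini is not None:
        fw = _parse(fwaas_driver_ini)
        if not fw.has_section("fwaas"):
            problems.append("fwaas_driver.ini has no [fwaas] section")
        else:
            if fw["fwaas"].get("driver") != FWAAS_DRIVER:
                problems.append("[fwaas] driver is not IptablesFwaasDriver")
            try:
                enabled = fw["fwaas"].getboolean("enabled", fallback=False)
            except ValueError:  # e.g. "enabled = maybe"
                enabled = False
            if not enabled:
                problems.append("[fwaas] enabled is not True")
    return problems


# Constructed sample file contents for the demonstration (not real node configs).
SAMPLE_NEUTRON_CONF = """[DEFAULT]
core_plugin = ml2
service_plugins = router,firewall

[SERVICE_PROVIDERS]
service_provider = FIREWALL:Iptables:neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver:default
"""

SAMPLE_FWAAS_DRIVER_INI = """[fwaas]
driver = neutron.services.firewall.drivers.linux.iptables_fwaas.IptablesFwaasDriver
enabled = True
"""

# Step 1 skipped and no provider section: what a half-finished edit looks like.
SAMPLE_MISCONFIGURED = """[DEFAULT]
service_plugins = router
"""

if __name__ == "__main__":
    # On a real node: check_fwaas_config(open("/etc/neutron/neutron.conf").read(),
    #                                    open("/etc/neutron/fwaas_driver.ini").read())
    for role, conf, ini in (("network node", SAMPLE_NEUTRON_CONF, SAMPLE_FWAAS_DRIVER_INI),
                            ("controller", SAMPLE_NEUTRON_CONF, None),
                            ("broken node", SAMPLE_MISCONFIGURED, SAMPLE_FWAAS_DRIVER_INI)):
        found = check_fwaas_config(conf, ini)
        print(role, "->", "OK" if not found else "; ".join(found))
```

Run it on the network node with both files and on the controller with neutron.conf only; an empty result means the restart in the next step will pick up a consistent configuration. The raw line scan for service_provider exists because Neutron reads that option as a repeatable list, which a plain INI parser collapses to its last value.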
We have enabled the Neutron FWaaS plugin in our environment by configuring the relevant Neutron configuration files on our nodes that are running the L3 agent (network nodes in the non-DVR mode or compute nodes in the DVR mode).

The /etc/neutron/neutron.conf file notifies our Neutron services of this feature with the following lines:

    [DEFAULT]
    service_plugins = firewall
    [SERVICE_PROVIDERS]
    service_provider = FIREWALL:Iptables:neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver:default

The specific configuration of the FWaaS driver is achieved in the /etc/neutron/fwaas_driver.ini file on the node running the L3 agent.

We then notify the Neutron API service running on the controller node about the Neutron FWaaS plugin. We copy the same neutron.conf settings found earlier onto the controller node and restart the Neutron Server API service.

We can then enable this feature in Horizon by setting the configuration option enable_firewall to True and restarting Apache to pick up this change.