Firewall-as-a-Service (FWaaS)
The Firewall-as-a-Service (FWaaS) plug-in applies firewalls to
OpenStack objects such as projects, routers, and router ports.
The central concepts with OpenStack firewalls are the notions of a
firewall policy and a firewall rule. A policy is an ordered collection
of rules. A rule specifies a collection of attributes (such as port
ranges, protocol, and IP addresses) that constitute match criteria and
an action to take (allow or deny) on matched traffic. A policy can be
made public, so it can be shared across projects.
Firewalls are implemented in various ways, depending on the driver
used. For example, an iptables driver implements firewalls using iptable
rules. An OpenVSwitch driver implements firewall rules using flow
entries in flow tables. A Cisco firewall driver manipulates NSX
devices.
FWaaS v2
The newer FWaaS implementation, v2, provides a much more granular
service. The notion of a firewall has been replaced with firewall group
to indicate that a firewall consists of two policies: an ingress policy
and an egress policy. A firewall group is applied not at the router
level (all ports on a router) but at the port level. Currently, router
ports can be specified. For Ocata, VM ports can also be specified.
FWaaS v1
FWaaS v1 was deprecated in the Newton cycle and removed entirely in
the Stein cycle.
FWaaS Feature Matrix
The following table shows FWaaS v2 features.
Feature | Supported |
---|---|
Supports L3 firewalling for routers | NO* |
Supports L3 firewalling for router ports | YES |
Supports L2 firewalling (VM ports) | YES |
CLI support | YES |
Horizon support | YES |
* A firewall group can be applied to all ports on a given router in
order to effect this.
For further information, see the FWaaS v2 configuration guide.