Fwaas简介
FWaaS uses iptables to apply firewall policy to all Networking routers within a project.(这些iptables规则存在于router的namespace)
FWaaS supports one firewall policy and logical firewall instance per project.(官方介绍,本人翻译水平有限)
FWaaS is currently in technical preview; untested operation is not recommended.(Fwaas现在只是技术性实现,不建议一些未经测试的操作)
Fwaas和Security group的区别
Fwaas的iptables规则存在于router的namespace中(主要关注filter表)
Security group的iptables规则存在于虚拟机所在的compute节点(主要关注filter表)
这篇博客是介绍neutron中的iptables,总结得很不错。http://lingxiankong.github.io/blog/2013/11/19/iptables-in-neutron/
Fwaas架构
具体配置
[root@controller1 neutron]# vim /etc/neutron/neutron.conf # 编辑neutron.conf配置文件,添加如下内容 [DEFAULT] service_plugins = firewall[service_providers]service_provider = FIREWALL:Iptables:neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver:default[fwaas]driver = neutron.services.firewall.drivers.linux.iptables_fwaas.IptablesFwaasDriverenabled = True [root@controller1 neutron]# vim /etc/openstack-dashboard/local_settings # 编辑dashboard配置文件 ‘enable_firewall‘: True, # 在dashboard上启用Fwaas面板,默认是False [root@controller1~]# service neutron-server restart # 重启相应服务生效 Stopping neutron: [ OK ] Starting neutron: [ OK ] [root@controller1~]# service neutron-l3-agent restart Stopping neutron-l3-agent: [ OK ] Starting neutron-l3-agent: [ OK ] [root@controller1~]# service httpd restart Stopping httpd: [ OK ] Starting httpd: [ OK ]
Fwaas使用
1 添加防火墙规则
点击左边区域的“放火墙“,显示如右边区域所示
点击右边区域的”添加规则”,填写相应信息
点击“添加“
2 添加防火墙策略
3 创建防火墙
这里有一点要注意:
The firewall remains in PENDING_CREATE state until you create a Networking router and attach an interface to it.(应该都看得懂这句话的意思吧)
参考链接
http://niusmallnan.github.io/_build/html/_templates/openstack/fwaas_setup.html
https://wiki.openstack.org/wiki/Neutron/FWaaS/HowToInstall
本文出自 “the-way-to-cloud” 博客,请务必保留此出处http://iceyao.blog.51cto.com/9426658/1561057
原文地址:http://iceyao.blog.51cto.com/9426658/1561057