[openstack-dev] [Quantum] Quantum Firewall Service

Rajesh Mohan rajesh.mlists at gmail.com
Fri Apr 5 00:29:59 UTC 2013


Hi Sumit,

I am sorry that I missed the call today. I had a clash and could not
reschedule it.

I went through the draft and it looked complete from the perspective
of addressing a generic firewall.

I have a few questions/suggestions below:
- Firewall Rules->Action:
  o Can we make this a list of actions? For example, actions could be DENY+LOG.
  o A more generic question. Can we have vendor-specific actions? Or a
    provision to create a custom action that could include vendor-ID and
    action-ID? This will make it more extensible.

- Firewall Rules->application:
  o This is a string. To make it useful across vendors, this has to be
    defined somewhere. Is this something on our TODO list?

- Firewall Rules->dynamic_attributes:
  o I can guess what this means, but it is not clear from the text. We have to
    provide more information here.

- Firewall Rules->Custom attributes:
  o Going back to my earlier point, we have to make this extensible. We
    have to have a provision to create custom attributes under some other
    page (maybe created by a vendor plugin) and attach them to this rule.

- Firewall Zone->network_list:
  o There are two ways I can interpret this. A zone is defined either by the
    source address of the packet (the network where the packet originated)
    or by the network of the ingress interface of the firewall. I am not sure
    which one this document assumes. In the case of an L3 network plugin, we can
    probably use the latter, but in the case of an L2 network plugin, this could
    get tricky. Maybe we have to find a better way to identify zones. We
    can discuss this more when we meet at the summit.

- Firewall Policy:
  o I would like more text on the use case. Will there be one policy per
    firewall? Can a policy have rules that are created by admin and
    tenant? Or do we expect to create two firewalls which are entirely
    managed by admin or entirely managed by tenant? If the policy can have
    rules from admin and tenant, how can we avoid conflicting rules?

- Firewall:
  o Service type is L3. Does this mean that only the L3 network plugin is
    being considered now?
  o There is no mention of how the firewall fits into the topology. I
    guess that is covered in the ServiceInsertionAndChaining draft. It would
    be nice if we could make this draft self-contained for a standalone
    firewall service. If we have to chain multiple services, then we could
    look at chaining, which is a complex problem and could take a lot more
    effort to finish.

We should also spell out the workflow, which includes creation of a
firewall instance and attaching it to the network.

Thanks,
-Rajesh Mohan

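The points above about rule actions (a list such as DENY+LOG, plus vendor-specific actions carried as a vendor-ID/action-ID pair) and about admin and tenant rules conflicting inside one policy can be made concrete with a small model. The code below is an added illustration written for this thread; it is not Quantum code and not part of the FWaaS draft. The field names (owner, protocol, source, destination, dest_port, actions), the VendorAction pair, the known_vendors list and the sample rules are all assumptions made for the example. A "conflict" here means two rules owned by different parties whose match spaces overlap and whose terminal actions (allow vs deny) disagree.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Optional, Tuple, Union

# Actions every backend must understand.  A rule carries a tuple of them,
# so DENY+LOG is ("deny", "log").  Exactly one terminal action is allowed;
# side-effect actions may be combined with it.
TERMINAL_ACTIONS = {"allow", "deny"}
SIDE_EFFECT_ACTIONS = {"log"}


@dataclass(frozen=True)
class VendorAction:
    """Vendor-specific action: (vendor-ID, action-ID).  Assumed shape."""
    vendor_id: str
    action_id: str


Action = Union[str, VendorAction]


@dataclass(frozen=True)
class FirewallRule:
    name: str
    owner: str                 # "admin" or "tenant" (assumed field)
    protocol: str              # "tcp", "udp", "icmp" or "any"
    source: str                # CIDR
    destination: str           # CIDR
    dest_port: Optional[int]   # None matches any destination port
    actions: Tuple[Action, ...]


def validate_actions(actions, known_vendors=()):
    """Return the single terminal action, or raise ValueError.

    Rejects action lists with zero or several terminal actions, unknown
    generic action names, and vendor actions from a vendor this backend
    does not know (a generic backend would have known_vendors == ())."""
    terminal = [a for a in actions
                if isinstance(a, str) and a in TERMINAL_ACTIONS]
    if len(terminal) != 1:
        raise ValueError("rule needs exactly one of allow/deny: %r" % (actions,))
    for a in actions:
        if isinstance(a, VendorAction):
            if a.vendor_id not in known_vendors:
                raise ValueError("unsupported vendor action %r" % (a,))
        elif a not in TERMINAL_ACTIONS | SIDE_EFFECT_ACTIONS:
            raise ValueError("unknown action %r" % (a,))
    return terminal[0]


def _protocols_overlap(p, q):
    return p == "any" or q == "any" or p == q


def _ports_overlap(p, q):
    return p is None or q is None or p == q


def _networks_overlap(a, b):
    return ip_network(a, strict=False).overlaps(ip_network(b, strict=False))


def rules_overlap(r1, r2):
    """True if at least one packet could match both rules."""
    return (_protocols_overlap(r1.protocol, r2.protocol)
            and _networks_overlap(r1.source, r2.source)
            and _networks_overlap(r1.destination, r2.destination)
            and _ports_overlap(r1.dest_port, r2.dest_port))


def find_admin_tenant_conflicts(rules, known_vendors=()):
    """Return (admin_rule, tenant_rule) pairs that overlap and disagree
    on the terminal action.  Such pairs need an explicit precedence rule
    (e.g. admin wins) before the policy can be applied unambiguously."""
    conflicts = []
    admin = [r for r in rules if r.owner == "admin"]
    tenant = [r for r in rules if r.owner == "tenant"]
    for a in admin:
        for t in tenant:
            if (rules_overlap(a, t)
                    and validate_actions(a.actions, known_vendors)
                    != validate_actions(t.actions, known_vendors)):
                conflicts.append((a, t))
    return conflicts


# Constructed sample policy mixing admin-owned and tenant-owned rules.
SAMPLE_RULES: List[FirewallRule] = [
    FirewallRule("admin-block-ssh", "admin", "tcp",
                 "0.0.0.0/0", "10.0.0.0/8", 22, ("deny", "log")),
    FirewallRule("tenant-allow-ssh", "tenant", "tcp",
                 "192.168.1.0/24", "10.0.5.0/24", 22, ("allow",)),
    FirewallRule("tenant-allow-web", "tenant", "tcp",
                 "0.0.0.0/0", "10.0.5.0/24", 443, ("allow",)),
]

if __name__ == "__main__":
    for a, t in find_admin_tenant_conflicts(SAMPLE_RULES):
        print("conflict: admin rule %s vs tenant rule %s" % (a.name, t.name))
```

Running it reports the admin SSH deny clashing with the tenant SSH allow (same port, overlapping networks) and nothing for the HTTPS rule. The overlap test is deliberately conservative: it flags any pair that could match the same packet, which is what a policy validator should do before deciding an ordering.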

On Wed, Apr 3, 2013 at 10:47 AM, Sumit Naiksatam
<sumitnaiksatam at gmail.com> wrote:
> We have set up a conference call scheduled for Thursday April 4th to discuss
> this topic as a preparation for the upcoming summit.
>
> Agenda:
> Current draft: https://wiki.openstack.org/wiki/Quantum/FWaaS/API
>
> Logistics (thanks to Vinay/Anand, PayPal):
>
> Where: Conference Bridge - (855) 227 1767 x 7152259
>
> When: Thursday, April 04, 2013 2:00 PM-3:00 PM. (UTC-08:00) Pacific Time (US
> & Canada)
>
> Conf. Code 7152259
> Phones Numbers:
>
> (855) 227-1767(USA) - 08003765931(UK)
> 0008006103229 (India – Toll Free)
> 81080024322044 (Moscow), 4992701688(Moscow)
>
> Web Conf: https://myroom-na.adobeconnect.com/anandpalanisamy/
>
> More Numbers:
> https://www.intercallonline.com/portlets/scheduling/viewNumbers/listNumbersByCode.do?confCode=7152259&name=&email=&selectedProduct=joinMeeting
>
> Thanks,
>
> ~Sumit.
>
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
