[openstack-dev] [Openstack][nova][Neutron] Launch VM with multiple Ethernet interfaces with I.P. of single subnet.

Chris Friesen chris.friesen at windriver.com
Thu Apr 17 20:24:39 UTC 2014


On 04/17/2014 06:37 AM, CARVER, PAUL wrote:
> Aaron Rosen wrote:
>
>> Sorry not really. It's still not clear to me why multiple nics would be
>> required on the same L2 domain.
>
> I’m a fan of this old paper for nostalgic reasons
> http://static.usenix.org/legacy/publications/library/proceedings/neta99/full_papers/limoncelli/limoncelli.pdf
> but a search for transparent or bridging firewall turns up tons of hits.
>
> Whether any of them are valid use cases for OpenStack is something that
> we could debate, but the general concept of putting two firewall
> interfaces into the same L2 domain and using it to control traffic flow
> between different hosts on the same L2 domain has at least five years of
> history behind it.

If you want it to act as a transparent firewall then you really need two 
separate physical networks where the firewall acts as a bridge between 
them.  Otherwise the traffic isn't forced to go through the firewall it 
can just go directly to the target MAC address.

To do this in openstack I think you'd need to decouple virtual networks 
from virtual dhcp. So then you'd be able to do stuff like:

1) Create network A with no dhcp server or IP subnet.
2) Create network B with a subnet and dhcp server.
3) Create VM C with a NIC in each network, acting as a bridge/firewall.
4) Connect network B to the outside world.
5) Create VM D with a NIC in network A, it does DHCP broadcast, VM C 
forwards the DHCP request to network B where it gets assigned an address.
6) D can then talk to the outside world with C deciding what outside 
packets are allowed through to it, monitoring/logging the traffic, doing 
traffic shaping, etc.

I wonder if you could do something like this with OpenStack as-is? 
Maybe configure network A with no router, and with an IP address range 
that doesn't overlap with network B.  Then configure network B with a 
non-overlapping address range but also with a router?  Then C could 
still forward packets between the networks...

Chris
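The "as-is" variant from the last paragraph (network A with an address range but no DHCP and no router, network B with DHCP plus a router, VM C bridging the two), as an added planning example that is not part of the thread or of OpenStack itself. It builds the Neutron v2.0 API request bodies offline and enforces the non-overlap condition; all IDs are constructed placeholders, and it assumes Neutron's per-port anti-spoofing rules (security groups enabled) are active, which is why the leased addresses are registered as allowed address pairs.

```python
import ipaddress

# Constructed placeholder IDs; a real run threads the IDs Neutron returns.
NET_A, NET_B, SUBNET_B, ROUTER = "<net-a-id>", "<net-b-id>", "<subnet-b-id>", "<router-id>"


def cidrs_overlap(cidr_a: str, cidr_b: str) -> bool:
    """True if the two ranges share any address, the case the plan must rule out."""
    return ipaddress.ip_network(cidr_a).overlaps(ipaddress.ip_network(cidr_b))


def plan_requests(cidr_a, cidr_b, external_net_id, protected_hosts):
    """Return (method, path, body) tuples for steps 1-5 of the thread, in order.

    protected_hosts maps MAC -> the address each VM on network A (like D) will
    be leased from network B's DHCP server through VM C. With security groups
    on, Neutron only passes traffic whose source MAC/IP matches a port's own
    fixed address or an allowed address pair, so the leased address must be
    registered on the host's own port and on VM C's port on B, or the bridged
    traffic is silently dropped.
    """
    if cidrs_overlap(cidr_a, cidr_b):
        raise ValueError(f"{cidr_a} overlaps {cidr_b}: the ranges must be disjoint")
    pairs = [{"ip_address": ip, "mac_address": mac} for mac, ip in protected_hosts.items()]
    reqs = [
        # 1) network A: an address range, but no DHCP agent and no gateway
        ("POST", "/v2.0/networks", {"network": {"name": "net-a", "admin_state_up": True}}),
        ("POST", "/v2.0/subnets", {"subnet": {"network_id": NET_A, "ip_version": 4,
                                              "cidr": cidr_a, "enable_dhcp": False,
                                              "gateway_ip": None}}),
        # 2) network B: subnet with DHCP; its gateway is the router added below
        ("POST", "/v2.0/networks", {"network": {"name": "net-b", "admin_state_up": True}}),
        ("POST", "/v2.0/subnets", {"subnet": {"network_id": NET_B, "ip_version": 4,
                                              "cidr": cidr_b, "enable_dhcp": True}}),
        # 3) VM C's ports. Return traffic bridged onto A carries the router's MAC,
        #    so fully transparent bridging needs port security switched off on
        #    both firewall ports, a per-port option later Neutron releases added.
        ("POST", "/v2.0/ports", {"port": {"network_id": NET_A, "name": "fw-a"}}),
        ("POST", "/v2.0/ports", {"port": {"network_id": NET_B, "name": "fw-b",
                                          "allowed_address_pairs": pairs}}),
        # 4) router to the outside world, attached to subnet B only
        ("POST", "/v2.0/routers", {"router": {"name": "edge", "external_gateway_info":
                                              {"network_id": external_net_id}}}),
        ("PUT", f"/v2.0/routers/{ROUTER}/add_router_interface", {"subnet_id": SUBNET_B}),
    ]
    # 5) one port per protected host on A, allowed to use its B-side lease
    for pair in pairs:
        reqs.append(("POST", "/v2.0/ports", {"port": {"network_id": NET_A,
                                                      "allowed_address_pairs": [pair]}}))
    return reqs
```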


