[Openstack] Virtual Firewall Appliance

Martinx - ジェームズ thiagocmartinsc at gmail.com
Tue Feb 16 22:41:36 UTC 2016


I don't think that you'll be able to do that in IceHouse, nor in Juno.

Only Kilo and Liberty have a native function to disable port_security
per port. Without it, OpenStack Neutron (and also Nova Network, I guess)
will not allow the firewall Instance to work correctly. It will not see any
packets that are not destined to it, and it will also not be able to
forward packets, because Neutron (and Nova Network) will drop the
packets as soon as they leave the firewall Instance.

I'm not aware of a nice solution for IceHouse...

On 16 February 2016 at 06:26, Georgios Dimitrakakis <giorgis at acmac.uoc.gr>
wrote:

> Mark and Martinx thank you both for your suggestions.
>
> I had tried to build PFSense in the past but without success.
>
> Indeed my goal is to run the virtual firewall as an instance since I am on
> an older OpenStack version (IceHouse) with nova-networking and therefore I
> cannot have control over the outgoing connections.
>
> Regards,
>
> G.
>
>
> For running it as an Instance?
>>
>> You can try:
>>
>> - PFSense;
>>
>> - Zentyal;
>>
>> However, you'll need to make use of the Neutron feature called
>> "port_security_enabled = false" for the vNIC attached to the
>> "internal" subnet (behind the firewall).
>>
>> Just a curiosity, why don't you use the Neutron native firewall that
>> resides on each L3 Router?
>>
>> On 15 February 2016 at 15:56, Georgios Dimitrakakis  wrote:
>>
>> Hi!
>>>
>>> Can anyone suggest a virtual firewall appliance which is
>>> compatible with OpenStack?
>>>
>>> Best regards,
>>>
>>> G.
>>>
>>> _______________________________________________
>>> Mailing list:
>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>>> Post to     : openstack at lists.openstack.org
>>> Unsubscribe :
>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
>>>
>>
>
>
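
The drop behaviour described in this message, as an added example that is not part of the original thread and is not Neutron's code: a simplified Python model of the egress anti-spoofing check applied to a port while port security is enabled. The `Port` class, `egress_allowed`, `demo` and all addresses are hypothetical and constructed; `allowed_address_pairs` is a Neutron port attribute that the thread does not mention.

```python
"""Simplified model of Neutron's egress anti-spoofing rule (added example).

With port security enabled, an instance may send only from its port's MAC
and from its fixed IPs or an allowed_address_pairs entry.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Port:
    mac: str
    fixed_ips: list
    port_security_enabled: bool = True
    # (mac, cidr) tuples, modelled on the allowed_address_pairs attribute
    allowed_address_pairs: list = field(default_factory=list)


def egress_allowed(port, src_mac, src_ip):
    """Return True if a frame sent by the instance through `port` passes."""
    if not port.port_security_enabled:
        return True  # the anti-spoofing filter is not applied to this port
    src = ip_address(src_ip)
    if src_mac == port.mac and any(src == ip_address(i) for i in port.fixed_ips):
        return True
    return any(src_mac == mac and src in ip_network(cidr)
               for mac, cidr in port.allowed_address_pairs)


# Constructed values: the firewall's internal vNIC and a remote host whose
# reply the firewall forwards to a client behind it (source IP unchanged).
FW_MAC, FW_IP, REMOTE_IP = "fa:16:3e:00:00:01", "192.168.50.1", "203.0.113.7"


def demo():
    """Verdicts for the firewall's own traffic and for forwarded traffic."""
    default = Port(FW_MAC, [FW_IP])
    pairs = Port(FW_MAC, [FW_IP],
                 allowed_address_pairs=[(FW_MAC, "203.0.113.0/24")])
    disabled = Port(FW_MAC, [FW_IP], port_security_enabled=False)
    return {
        "own traffic, default port": egress_allowed(default, FW_MAC, FW_IP),
        "forwarded, default port": egress_allowed(default, FW_MAC, REMOTE_IP),
        "forwarded, address pair": egress_allowed(pairs, FW_MAC, REMOTE_IP),
        "forwarded, port security off": egress_allowed(disabled, FW_MAC, REMOTE_IP),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {'pass' if verdict else 'drop'}")
```

An address pair only covers source ranges known in advance, which is why a forwarding firewall that relays arbitrary sources needs port security disabled on that vNIC.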