[Openstack] Virtual Firewall Appliance

Georgios Dimitrakakis giorgis at acmac.uoc.gr
Wed Feb 17 17:42:45 UTC 2016


 OK!

 I think then we have to move forward :-)

 Thanks a lot for your time!

 Regards,

 G.

 On Tue, 16 Feb 2016 20:41:36 -0200, Martinx - ジェームズ wrote:
> I don't think that you'll be able to do that in IceHouse, nor on
> Juno.
>
> Only Kilo and Liberty have a native function to disable
> port_security per port. Without it, OpenStack Neutron (and also Nova
> Network, I guess) will not allow the firewall Instance to work
> correctly. It will not see any packets that are not destined to it,
> and it will also not be able to forward packets, because Neutron (and
> Nova Network) will drop the packets as soon as they leave the firewall
> Instance.
>
> I'm not aware of a nice solution for IceHouse...
>
> On 16 February 2016 at 06:26, Georgios Dimitrakakis  wrote:
>
>> Mark and Martinx thank you both for your suggestions.
>>
>> I had tried to build PFSense in the past but without success.
>>
>> Indeed my goal is to run the virtual firewall as an instance since
>> I am on an older OpenStack version (IceHouse) with nova-networking
>> and therefore I cannot have control over the outgoing connections.
>>
>> Regards,
>>
>> G.
>>
>>> For running it as an Instance?
>>>
>>> You can try:
>>>
>>> - PFSense;
>>>
>>> - Zentyal;
>>>
>>> However, you'll need to make use of the Neutron feature called
>>> "port_security_enabled = false" for the vNIC attached to the
>>> "internal" subnet (behind the firewall).
>>>
>>> Just out of curiosity, why don't you use the Neutron native firewall
>>> that resides on each L3 Router?
>>>
>>> On 15 February 2016 at 15:56, Georgios Dimitrakakis  wrote:
>>>
>>>> Hi!
>>>>
>>>> Can anyone suggest a virtual firewall appliance which is
>>>> compatible with OpenStack?
>>>>
>>>> Best regards,
>>>>
>>>> G.




