<div dir="ltr">I don't think that you'll be able to do that in IceHouse, nor in Juno.<div><br></div><div>Only Kilo and Liberty have a native function to disable the port_security per port. Without it, OpenStack Neutron (and also Nova Network, I guess) will not allow the firewall Instance to work correctly. It will not see any packets that are not destined to it, and also it will not be able to forward packets, because Neutron (and Nova Network) will drop the packets as soon as they leave the firewall Instance.</div><div><br></div><div>I'm not aware of a nice solution for IceHouse...</div><div class="gmail_extra"><br><div class="gmail_quote">On 16 February 2016 at 06:26, Georgios Dimitrakakis <span dir="ltr">&lt;<a href="mailto:giorgis@acmac.uoc.gr" target="_blank">giorgis@acmac.uoc.gr</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Mark and Martinx, thank you both for your suggestions.<br>
<br>
I had tried to build PFSense in the past but without success.<br>
<br>
Indeed my goal is to run the virtual firewall as an instance since I am on an older OpenStack version (IceHouse) with nova-networking and therefore I cannot have control over the outgoing connections.<br>
<br>
Regards,<br>
<br>
G.<br>
<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span>
For running it as an Instance?<br>
<br>
You can try:<br>
<br>
- PFSense;<br>
<br>
- Zentyal;<br>
<br></span>
However, you'll need to make use of the Neutron feature called<span><br>
"port_security_enabled = false" for the vNIC attached to the<br>
"internal" subnet (behind the firewall).<br>
<br></span>
Just a curiosity, why don't you use the Neutron native firewall that<span><br>
resides on each L3 Router?<br>
<br></span><span>
On 15 February 2016 at 15:56, Georgios Dimitrakakis wrote:<br>
<br>
</span><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span>
Hi!<br>
<br>
Can anyone suggest a virtual firewall appliance which is<br>
compatible with OpenStack?<br>
<br>
Best regards,<br>
<br>
G.<br>
<br>
_______________________________________________<br>
Mailing list:<br>
</span><a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" rel="noreferrer" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br>
Post to : <a href="mailto:openstack@lists.openstack.org" target="_blank">openstack@lists.openstack.org</a><br>
Unsubscribe :<br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack" rel="noreferrer" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a><br>
</blockquote>
</blockquote><div><div>
</div></div></blockquote></div><br></div></div>