[openstack-dev] [neutron][fwaas]some architectural advice on fwaas driver writing

Sean M. Collins sean at coreitpro.com
Mon Nov 2 18:41:02 UTC 2015


On Mon, Nov 02, 2015 at 02:39:49AM EST, Oğuz Yarımtepe wrote:
> All I need is to create a firewall but instead of
> using iptables, I want to use the hardware firewall and be able to define
> filtering rules.

In the current experimental API, Firewalls are
global in scope and cover an entire tenant. There *is* an API extension
(router insertion) that can associate a firewall with a specific tenant
Neutron router, however not every vendor supports it.

You mentioned that your firewall appliance does not route, it just
filters. Depending on how you are routing, and if you are going to
support the router insertion API extension, it could be that your
firewall appliance may not be able to filter all traffic. Unless, that
is, you put the firewall appliance in as a bump in the wire.

Really this all boils down to the point where the Firewall as a Service
API does not have good semantics for where a firewall is inserted, in
all cases. Even with the router insertion API extension, there are cases
it doesn't cover, like DVR [1].

Currently the FwaaS community is attempting to fix this by just having
the API express *what* ports a tenant wishes to associate with a
firewall policy, and let the implementation figure out how best to plumb
it, and where to insert filtering rules.

This means that the API will change semantics significantly, and just
inserting a hardware device at the edge would not cover all that the
newer Firewall API will be able to express.

[1]: https://etherpad.openstack.org/p/FWaaS_with_DVR

-- 
Sean M. Collins