Backlog #1225: Flexible firewall definition and dynamic behavior
Improve firewall.rb driver
Category: Drivers - Network
Attached is a Firewall driver that provides advanced control of rules. Primarily this includes:
- traffic to/from VM
- specifying src and dst addresses
It works the same as the existing Firewall.rb by adding parameters to the NIC section of a VM template.
NIC = [ ..., FW_IN = "TCP,,:22,ACCEPT", FW_OUT = "TCP,:80,,ACCEPT" ]
Which translates to:
1. allow any host to SSH to this VM
2. allow this VM to browse the internet
The syntax for FW_OUT/FW_IN:
- PROTOCOL is the protocol (TCP, UDP, etc)
- ACTION is ACCEPT or DROP
- SRC/DST is the source/destination including port in this format: [126.96.36.199]:[port,port:port]; the brackets are optional but required when the IP or PORT specification contains : or , (IPv6 and multiple ports).
SRC/DST can be left empty, or the IP or PORT part of the SRC/DST can be empty, to default to ANY IP or PORT.
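As an added example (not the firewall.rb driver's own code), the following Ruby parses a FW_IN/FW_OUT value in the order the template above uses, PROTOCOL,SRC,DST,ACTION, respecting the optional brackets so that IPv6 addresses and port lists containing : or , are split correctly, and renders the result as iptables arguments. The function names, the validation rules and the iptables rendering are assumptions for illustration; the real driver may map fields differently.

```ruby
# Illustrative parser for the FW_IN / FW_OUT rule syntax: "PROTOCOL,SRC,DST,ACTION"
# where SRC/DST is "[ip]:[ports]" (brackets optional, required if the part contains : or ,).
# Assumed helper names; this is not the driver's implementation.

VALID_ACTIONS = %w[ACCEPT DROP].freeze
# A port spec is a port, a port:port range, or a comma separated list of those.
PORT_SPEC = /\A\d+(:\d+)?(,\d+(:\d+)?)*\z/

# Split str on sep, ignoring separators that appear inside [...] brackets.
# With limit, at most limit parts are produced (the rest stays unsplit).
def split_outside_brackets(str, sep, limit = nil)
  parts = []
  depth = 0
  current = String.new
  str.each_char do |c|
    depth += 1 if c == '['
    depth -= 1 if c == ']'
    if c == sep && depth.zero? && (limit.nil? || parts.length < limit - 1)
      parts << current
      current = String.new
    else
      current << c
    end
  end
  parts << current
end

# Strip one optional pair of surrounding brackets; an empty field means ANY (nil).
def unbracket(field)
  field = field.strip
  return nil if field.empty?
  field = field[1..-2] if field.start_with?('[') && field.end_with?(']')
  field.empty? ? nil : field
end

# Parse an endpoint such as "", ":22", "10.0.0.5:443" or "[2001:db8::1]:[22,80:90]".
# An unbracketed IPv6 address is rejected because its colons make the split ambiguous.
def parse_endpoint(field)
  ip, ports = split_outside_brackets(field.strip, ':', 2)
  ip = unbracket(ip || '')
  ports = unbracket(ports || '')
  unless ports.nil? || ports.match?(PORT_SPEC)
    raise ArgumentError, "bad port spec #{ports.inspect} (IPv6 addresses need brackets)"
  end
  { ip: ip, ports: ports }
end

# Parse one rule string into a hash; raises ArgumentError on malformed input.
def parse_fw_rule(rule)
  fields = split_outside_brackets(rule, ',')
  unless fields.length == 4
    raise ArgumentError, "expected 4 comma separated fields, got #{fields.length}: #{rule.inspect}"
  end
  proto, src, dst, action = fields
  action = action.strip.upcase
  raise ArgumentError, "unknown action #{action.inspect}" unless VALID_ACTIONS.include?(action)
  raise ArgumentError, 'protocol must not be empty' if proto.strip.empty?
  { proto: proto.strip.upcase, src: parse_endpoint(src), dst: parse_endpoint(dst), action: action }
end

# Port arguments: a single port or range uses --sport/--dport, a list needs the multiport match.
def port_args(kind, ports)
  return ['-m', 'multiport', "--#{kind}s", ports] if ports.include?(',')
  ["--#{kind}", ports]
end

# Render a parsed rule as iptables match arguments (assumed rendering, direction not included).
def iptables_args(r)
  args = ['-p', r[:proto].downcase]
  args += ['-s', r[:src][:ip]] if r[:src][:ip]
  args += ['-d', r[:dst][:ip]] if r[:dst][:ip]
  args += port_args('sport', r[:src][:ports]) if r[:src][:ports]
  args += port_args('dport', r[:dst][:ports]) if r[:dst][:ports]
  (args + ['-j', r[:action]]).join(' ')
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample rules: the two from the ticket plus a bracketed IPv6/multiport one.
  ['TCP,,:22,ACCEPT', 'TCP,:80,,ACCEPT', 'TCP,[2001:db8::1]:[22,80:90],10.0.0.5:443,DROP'].each do |rule|
    puts "#{rule} => #{iptables_args(parse_fw_rule(rule))}"
  end
end
```

Rejecting an unbracketed IPv6 address instead of guessing where the port starts is deliberate: a rule that silently parses into the wrong source or destination is a firewall hole that is hard to notice, whereas a failed VM deployment is visible immediately.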
#4 Updated by Javi Fontan almost 6 years ago
- Target version changed from Release 4.4 to Release 4.6
We are going to move adding these features to the next release. The changes make the old way of configuring the firewall incompatible and we are too close to the release to make both versions work.
These new features can be easily added to a 4.4 version just by replacing the standard firewall library with this one. It is even a good candidate for an addon in case this is needed before 4.6.