Backlog #2396

Backlog #1225: Flexible firewall definition and dynamic behavior

Improve firewall.rb driver

Added by OpenNebula Systems Support Team about 6 years ago. Updated over 4 years ago.

Status:ClosedStart date:10/21/2013
Priority:HighDue date:
Assignee:-% Done:

0%

Category:Drivers - Network
Target version:-

Description

Attached Firewall driver to provide advanced control of rules. Primarily this includes:

- traffic to/from VM
- specifying src and dst addresses

It works the same as the existing Firewall.rb by adding parameters to the NIC section of a VM template.

NIC = [ ..., FW_IN = "TCP,,:22,ACCEPT", FW_OUT = "TCP,:80,,ACCEPT" ]

Which translates to:

1. allow any host to SSH to this VM
2. allow this VM to browse the internet

The syntax for FW_OUT/FW_IN:

PROTOCOL,SRC,DST,ACTION

Where:

- PROTOCOL is the protocol (TCP, UDP, etc)
- ACTION is ACCEPT or DROP
- SRC/DST is the source/destination including port in this format: [1.2.3.4]:[port,port:port], the brackets are optional but required when the IP or PORT specification will contains : or , (IPv6 and multiple ports).

SRC/DEST can be left empty, or the IP or PORT part of the SRC/DST can be empty, to default to ANY IP or PORT.

Firewall-4.2.0.rb Magnifier (4.51 KB) OpenNebula Systems Support Team, 10/21/2013 05:07 PM

Firewall-4.2.0-1.rb Magnifier (4.73 KB) Chris Johnston, 11/04/2013 03:18 PM

History

#1 Updated by Chris Johnston about 6 years ago

Latest version attached.

#2 Updated by Jaime Melis almost 6 years ago

  • Tracker changed from Request to Feature
  • Status changed from Pending to New
  • Target version set to Release 4.4

#3 Updated by Ruben S. Montero almost 6 years ago

  • Assignee set to Javi Fontan

#4 Updated by Javi Fontan almost 6 years ago

  • Target version changed from Release 4.4 to Release 4.6

We are going to move adding these features for the next release. The changes make the old way of configuring the firewall incompatible and we are too close to the release to make both versions work.

These new features can be easily added to a 4.4 version just changing the standard firewall library by this one. It is even a good candidate for an addon in case this is needed before 4.6.

#5 Updated by Ruben S. Montero almost 6 years ago

  • Parent task set to #1225

#6 Updated by Ruben S. Montero almost 6 years ago

  • Tracker changed from Feature to Backlog
  • Status changed from New to Pending
  • Assignee deleted (Javi Fontan)
  • Priority changed from Normal to High
  • Target version deleted (Release 4.6)

#7 Updated by Ruben S. Montero over 4 years ago

  • Status changed from Pending to Closed

Also available in: Atom PDF