FWaaS practice: Allow SSH - 5 minutes a day to play with OpenStack (119)

Source: Internet
Author: User


In the previous section we created a firewall whose policy contained no rules, so it let no traffic through at all.

Today we add a rule to that firewall to allow SSH.
At the end we compare security groups with FWaaS.

Let's add a firewall rule: Allow SSH.

Click the "Add Rule" button on the Firewall Rules tab page.


Name the new rule "Allow SSH", set Protocol to "TCP", Action to "Allow", and Destination Port/Port Range to "22".


Click "Add"; the rule is created.


Next, add the rule to the policy.

Click the "Firewall Policies" tab, then click the "Insert Rule" button next to "Test_policy".


In the dropdown box, select Rule "Allow SSH" and click "Save Changes".


As you can see, "Allow SSH" has been successfully added to "Test_policy".

Now let's use vimdiff to compare the iptables-save output of the router namespace before and after the change.


iptables added two rules:

-A neutron-vpn-agen-iv4e85f4601 -p tcp -m tcp --dport 22 -j ACCEPT
-A neutron-vpn-agen-ov4e85f4601 -p tcp -m tcp --dport 22 -j ACCEPT

They mean that TCP packets entering the router (the iv4 chain) and leaving it (the ov4 chain) are accepted when the destination port is 22 (SSH).

Test it: cirros-vm1 can now ssh to cirros-vm2, but ping still fails, which is exactly what we expect.


"Allow SSH" is working. At the same time we see that a firewall rule is applied to ingress and egress traffic alike; it does not distinguish direction.
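To make the vimdiff step and the "no direction" observation concrete, here is an added example (not code from the original post, and not part of Neutron) that parses iptables-save output from the router namespace, picks out the FWaaS per-router iv4/ov4 chains, lists the TCP ports they accept, reports the lines that appeared between two dumps, and checks whether the ingress and egress chains carry identical rules. The dump is a constructed, abbreviated sample: the chain suffix e85f4601 follows the page, but the surrounding chains and the INVALID/RELATED,ESTABLISHED rules are assumptions about the agent's chain layout.

```python
"""Inspect iptables-save output from a Neutron router namespace and summarise
what FWaaS turned the firewall policy into.

Added example for this page; it is not code from the original post or from
Neutron. A real dump is captured with something like
    ip netns exec qrouter-<router-id> iptables-save > after.txt
and only '-A <chain> <rule>' lines are examined.
"""
import re
from typing import Dict, List, Set

RULE_RE = re.compile(r"^-A (\S+) (.*)$")
# FWaaS v1 per-router chains: iv4<prefix> is traversed by traffic entering
# the router through a qr- interface, ov4<prefix> by traffic leaving one.
# The agent part is 'l3-agen' or 'vpn-agen' depending on which agent hosts
# the router; the page's router shows 'vpn-agen'.
FWAAS_CHAIN_RE = re.compile(r"^neutron-\w+-agen-(iv4|ov4)[0-9a-f]+$")
ACCEPT_TCP_RE = re.compile(r"^-p tcp\b.*--dport (\d+(?::\d+)?) -j ACCEPT$")

# Constructed sample: an abbreviated filter table after "Allow SSH" was
# inserted into Test_policy. The iv4/ov4 suffix e85f4601 is the router-ID
# prefix from the page; the other chains and the state rules are an
# assumption about the agent's layout, not copied from a real system.
SAMPLE_AFTER = """\
*filter
:FORWARD ACCEPT [0:0]
:neutron-vpn-agen-FORWARD - [0:0]
:neutron-vpn-agen-fwaas-defau - [0:0]
:neutron-vpn-agen-iv4e85f4601 - [0:0]
:neutron-vpn-agen-ov4e85f4601 - [0:0]
-A FORWARD -j neutron-vpn-agen-FORWARD
-A neutron-vpn-agen-FORWARD -o qr-+ -j neutron-vpn-agen-iv4e85f4601
-A neutron-vpn-agen-FORWARD -i qr-+ -j neutron-vpn-agen-ov4e85f4601
-A neutron-vpn-agen-fwaas-defau -j DROP
-A neutron-vpn-agen-iv4e85f4601 -m state --state INVALID -j DROP
-A neutron-vpn-agen-iv4e85f4601 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A neutron-vpn-agen-iv4e85f4601 -p tcp -m tcp --dport 22 -j ACCEPT
-A neutron-vpn-agen-iv4e85f4601 -j neutron-vpn-agen-fwaas-defau
-A neutron-vpn-agen-ov4e85f4601 -m state --state INVALID -j DROP
-A neutron-vpn-agen-ov4e85f4601 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A neutron-vpn-agen-ov4e85f4601 -p tcp -m tcp --dport 22 -j ACCEPT
-A neutron-vpn-agen-ov4e85f4601 -j neutron-vpn-agen-fwaas-defau
COMMIT
"""
# The "before" dump from the previous section (empty policy): the same table
# without the two port-22 rules.
SAMPLE_BEFORE = "\n".join(
    line for line in SAMPLE_AFTER.splitlines() if "--dport 22" not in line
) + "\n"


def parse_rules(dump: str) -> Dict[str, List[str]]:
    """Map chain name -> ordered list of rule bodies (text after the chain)."""
    chains: Dict[str, List[str]] = {}
    for line in dump.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            chains.setdefault(m.group(1), []).append(m.group(2))
    return chains


def fwaas_rules(dump: str) -> Dict[str, List[str]]:
    """Return {'ingress': [...], 'egress': [...]} from the iv4/ov4 chains."""
    out: Dict[str, List[str]] = {"ingress": [], "egress": []}
    for chain, rules in parse_rules(dump).items():
        m = FWAAS_CHAIN_RE.match(chain)
        if m:
            out["ingress" if m.group(1) == "iv4" else "egress"].extend(rules)
    return out


def allowed_tcp_ports(rules: List[str]) -> Set[str]:
    """Destination TCP ports (or ranges) explicitly ACCEPTed in a rule list."""
    ports: Set[str] = set()
    for rule in rules:
        m = ACCEPT_TCP_RE.match(rule)
        if m:
            ports.add(m.group(1))
    return ports


def direction_symmetric(dump: str) -> bool:
    """True when the ingress and egress chains hold identical rule bodies,
    i.e. the policy does not distinguish direction (FWaaS v1 behaviour)."""
    r = fwaas_rules(dump)
    return r["ingress"] == r["egress"]


def added_rules(before: str, after: str) -> List[str]:
    """'-A chain rule' lines present in `after` but not in `before`, in
    order: the lines a vimdiff of the two dumps highlights."""
    old = set(before.splitlines())
    return [line for line in after.splitlines()
            if line.startswith("-A ") and line not in old]


if __name__ == "__main__":
    for line in added_rules(SAMPLE_BEFORE, SAMPLE_AFTER):
        print("+", line)
    rules = fwaas_rules(SAMPLE_AFTER)
    print("ingress allows TCP:", sorted(allowed_tcp_ports(rules["ingress"])))
    print("egress  allows TCP:", sorted(allowed_tcp_ports(rules["egress"])))
    print("direction-agnostic:", direction_symmetric(SAMPLE_AFTER))
```

Run against two real dumps (one taken before inserting the rule, one after) the `added_rules` output is the same pair of lines the vimdiff shows above, and `direction_symmetric` returning True for a non-empty policy is the practical confirmation that FWaaS v1 applies each rule in both directions.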

Summary

FWaaS adds another layer of security to a Neutron network and can be used together with security groups.
Here is a comparison of FWaaS and security groups.

Similarity:
1. Both are implemented with iptables underneath.

Differences:
1. FWaaS iptables rules are applied on the router and protect the whole tenant network;
security group rules are applied on the instance's virtual NIC and protect an individual instance.

2. A FWaaS rule can allow or deny; a security group rule can only allow.

3. At present FWaaS rules cannot distinguish direction: a rule applies to traffic in both directions.
Security group rules do distinguish ingress from egress. (This is FWaaS v1 behaviour; FWaaS v2 later introduced firewall groups with separate ingress and egress policies.)

This completes our study of FWaaS. In the next section we move on to another Neutron service, Load Balancing as a Service (LBaaS).
