Firewall Template Creation
VMs on each of the supported cloud platforms can be given a firewall 'tag', which will instruct the application to apply a specific firewall configuration to it.
Requires the FCOFirewallExecutable and FCO Firewall Trigger to be installed.
Once a VM has been created, applying a 'Key' to the VM whose name is the firewall config to be used causes the FCOFirewallExecutable to be called, which forwards the applied firewall key to the listener application.
Once a VM has been created (or during VM creation), a metadata item created with the key 'FIREWALL' and the value set to the desired firewall config will be used to apply a firewall template to the VM.
During VM creation, a custom (non-default) security group must be applied to the VM, as OpenNebula does not currently support adding new security groups to existing VMs. After this is done, an attribute with the key 'FIREWALL' and the value set to the desired firewall config will be used to apply a firewall template to the VM.
A metadata item with the key 'FIREWALL' and the value set to the desired firewall config will be used to apply the firewall template to the VM.
Once the firewall config folder is specified inside the scannerConfig.properties file, firewall configs can be created in that folder and used.
An example email config is shown to illustrate how firewall configs are specified in JSON format:
```json
{
  "name": "email",
  "rules": [
    { "name": "pop3", "port": 110, "protocol": "TCP", "direction": "inbound" },
    { "name": "smtp", "port": 25,  "protocol": "TCP", "direction": "inbound" },
    { "name": "imap", "port": 143, "protocol": "TCP", "direction": "inbound" }
  ]
}
```
The "name" attribute is used to match the firewall tag applied to a VM with the firewall config; the tag value must equal the config's "name".
"rules" is an array of "Rule" objects that specify the individual firewall rules. The available attributes for a rule are:
- "name": the name of the rule
- "port": the port on which the rule is to be active
- "protocol": the protocol on which the rule is to be active (TCP, UDP etc.)
- "direction": the direction in which the rule is applied (inbound/outbound)
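As an added example (not code from the project), the following Python loads a config in the JSON format above, validates every rule before anything is applied, and matches a VM's FIREWALL tag value to a config by exact "name". The allowed protocol set and the rule that a config with any invalid rule is rejected whole are assumptions of this example, not documented project behaviour.

```python
import json

# Constructed sample config in the page's JSON format (not the project's own file).
EMAIL_CONFIG_JSON = """
{
  "name": "email",
  "rules": [
    {"name": "pop3", "port": 110, "protocol": "TCP", "direction": "inbound"},
    {"name": "smtp", "port": 25,  "protocol": "TCP", "direction": "inbound"},
    {"name": "imap", "port": 143, "protocol": "TCP", "direction": "inbound"}
  ]
}
"""

# Assumed allow-lists; the page only says "TCP, UDP etc" and "inbound/outbound".
ALLOWED_PROTOCOLS = {"TCP", "UDP"}
ALLOWED_DIRECTIONS = {"inbound", "outbound"}
REQUIRED_RULE_KEYS = ("name", "port", "protocol", "direction")


def load_firewall_config(text):
    """Parse one firewall config and validate each rule.

    Returns (config_dict, errors). A non-empty error list means the config
    must not be applied at all: partially applied rules leave the VM in an
    unintended state.
    """
    cfg = json.loads(text)
    errors = []
    if not isinstance(cfg.get("name"), str) or not cfg["name"]:
        errors.append("config 'name' must be a non-empty string")
    rules = cfg.get("rules")
    if not isinstance(rules, list):
        return cfg, errors + ["'rules' must be an array"]
    for i, rule in enumerate(rules):
        for key in REQUIRED_RULE_KEYS:
            if key not in rule:
                errors.append(f"rule {i}: missing '{key}'")
        port = rule.get("port")
        # bool is a subclass of int, so exclude it explicitly
        if not isinstance(port, int) or isinstance(port, bool) or not 1 <= port <= 65535:
            errors.append(f"rule {i}: port must be an integer in 1-65535")
        if rule.get("protocol") not in ALLOWED_PROTOCOLS:
            errors.append(f"rule {i}: protocol must be one of {sorted(ALLOWED_PROTOCOLS)}")
        if rule.get("direction") not in ALLOWED_DIRECTIONS:
            errors.append(f"rule {i}: direction must be inbound or outbound")
    return cfg, errors


def select_config(tag_value, configs):
    """Match a VM's FIREWALL tag to a loaded config by exact 'name'; None if no match."""
    return next((c for c in configs if c["name"] == tag_value), None)
```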