
Firewall Template Creation

flexiOPS edited this page Mar 24, 2017 · 3 revisions

Tagging VMs to use Firewall Templates

VMs on each of the supported cloud platforms can be given a firewall 'tag', which will instruct the application to apply a specific firewall configuration to it.

FCO

Requires the FCOFirewallExecutable and the FCO Firewall Trigger to be installed.

Once a VM has been created, applying a 'Key' to the VM whose name is the firewall config to be used causes the FCOFirewallExecutable to be called, which forwards the applied firewall key to the listener application.

Openstack

Once a VM has been created (or during VM creation), a metadata item created with the key 'FIREWALL' and the value set to the desired firewall config will be used to apply a firewall template to the VM.

Open Nebula

During VM creation, a custom (non-default) security group must be applied to the VM as Open Nebula does not currently support adding new security groups to existing VMs. After this is done, an attribute with the key 'FIREWALL' and value set to the desired firewall config will be used to apply a firewall template to the VM.

AWS

A metadata item with the key 'FIREWALL' and the value set to the desired firewall config will be used to apply the firewall template to the VM.

Creating a Firewall Configuration

Once the firewall config folder is specified inside the scannerConfig.properties file, firewall configs can be created in that folder and used.

An example email config is shown to illustrate how firewall configs are specified in JSON format:

{
    "name": "email",
    "rules": [
        { "name": "pop3", "port": 110, "protocol": "TCP", "direction": "inbound" },
        { "name": "smtp", "port": 25,  "protocol": "TCP", "direction": "inbound" },
        { "name": "imap", "port": 143, "protocol": "TCP", "direction": "inbound" }
    ]
}

The "name" attribute is used for matching firewall tags applied to VMs with the firewall config.

"rules" is an array of Rule objects, each specifying one firewall rule. The available attributes for a rule are:

Name

The name of the rule

Port

The port on which the rule is to be active

Protocol

The protocol on which the rule is to be active (TCP, UDP, etc.)

Direction

The direction the rule is to be applied to (inbound/outbound)
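The following Python script is an added example, not code from the flexiOPS project, showing how a consumer of this format would load the firewall config folder, validate each config against the attributes listed above, and resolve a VM's FIREWALL tag to a config by its "name". The allowed protocol and direction sets, the 1-65535 port range, the `*.json` file naming and the case-sensitive exact-match on "name" are assumptions of this example; the page does not state how the application itself matches or validates. The sample config is the page's "email" example, embedded here as a constructed string.

```python
import json
from pathlib import Path

# Constructed sample: the page's "email" config, as it would sit in a file in the config folder.
EMAIL_CONFIG = """
{
  "name": "email",
  "rules": [
    {"name": "pop3", "port": 110, "protocol": "TCP", "direction": "inbound"},
    {"name": "smtp", "port": 25, "protocol": "TCP", "direction": "inbound"},
    {"name": "imap", "port": 143, "protocol": "TCP", "direction": "inbound"}
  ]
}
"""

# Assumed value sets: the page says "TCP, UDP, etc." and "inbound/outbound";
# restricting to exactly these is this validator's choice, not documented project behaviour.
ALLOWED_PROTOCOLS = {"TCP", "UDP"}
ALLOWED_DIRECTIONS = {"inbound", "outbound"}
REQUIRED_RULE_KEYS = {"name", "port", "protocol", "direction"}


class FirewallConfigError(ValueError):
    """Raised when a config does not have the documented shape."""


def validate_rule(rule, index):
    """Check one entry of the 'rules' array; returns it unchanged if valid."""
    if not isinstance(rule, dict):
        raise FirewallConfigError(f"rule {index}: expected an object")
    missing = REQUIRED_RULE_KEYS - rule.keys()
    if missing:
        raise FirewallConfigError(f"rule {index}: missing {sorted(missing)}")
    port = rule["port"]
    # bool is a subclass of int in Python, so it is excluded explicitly
    if isinstance(port, bool) or not isinstance(port, int) or not 1 <= port <= 65535:
        raise FirewallConfigError(f"rule {index} ({rule['name']}): port must be 1-65535")
    if rule["protocol"] not in ALLOWED_PROTOCOLS:
        raise FirewallConfigError(f"rule {index} ({rule['name']}): unsupported protocol {rule['protocol']!r}")
    if rule["direction"] not in ALLOWED_DIRECTIONS:
        raise FirewallConfigError(f"rule {index} ({rule['name']}): direction must be inbound or outbound")
    return rule


def parse_config(text):
    """Parse one JSON firewall config and validate its top-level shape and every rule."""
    try:
        data = json.loads(text)
    except json.JSONDecodeError as exc:
        raise FirewallConfigError(f"invalid JSON: {exc}") from exc
    if not isinstance(data, dict) or not isinstance(data.get("name"), str) or not data["name"]:
        raise FirewallConfigError("config must be an object with a non-empty string 'name'")
    rules = data.get("rules")
    if not isinstance(rules, list):
        raise FirewallConfigError("'rules' must be an array")
    for i, rule in enumerate(rules):
        validate_rule(rule, i)
    return data


def load_config_dir(folder):
    """Load every *.json file in the firewall config folder, keyed by config 'name'.

    Two files claiming the same name would make tag matching ambiguous, so that is an error
    rather than a silent overwrite.
    """
    configs = {}
    for path in sorted(Path(folder).glob("*.json")):
        cfg = parse_config(path.read_text(encoding="utf-8"))
        if cfg["name"] in configs:
            raise FirewallConfigError(f"duplicate config name {cfg['name']!r} in {path.name}")
        configs[cfg["name"]] = cfg
    return configs


def resolve_tag(configs, tag):
    """Map a VM's FIREWALL tag value to a config by exact 'name' match (assumed case-sensitive).

    Returns None for an unknown tag so the caller can log it and apply nothing,
    rather than falling back to an unrelated template.
    """
    return configs.get(tag)


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "email.json").write_text(EMAIL_CONFIG, encoding="utf-8")
        configs = load_config_dir(tmp)
        cfg = resolve_tag(configs, "email")
        for rule in cfg["rules"]:
            print(f"{rule['direction']:8} {rule['protocol']} {rule['port']:>5}  {rule['name']}")
        print("unknown tag ->", resolve_tag(configs, "web"))
```

Rejecting a whole config on the first bad rule, rather than applying the valid rules and skipping the rest, is deliberate: a partially applied template leaves the VM in a state that matches no file in the folder, which is hard to audit later.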