How does FWaaS allow ssh

2025-01-18 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

In this issue, the editor explains how FWaaS allows ssh. The article is rich in content and analyzes the topic from a professional point of view. I hope you get something out of reading it.

Today we will add a rule to the firewall that allows ssh.

Finally, we will compare the security group with FWaaS.

Let's add a firewall rule: allow ssh.

Click the "Add Rule" button on the Firewall Rules tab page.

Name the new rule "allow ssh", set Protocol to "TCP", Action to "ALLOW", and Destination Port/Port Range to "22".

Click "Add" and the rule is created successfully.

Next, add the rule to the policy.

Click the Firewall Policies tab page, and then click the "Insert Rule" button after "test_policy".

Select Rule "allow ssh" in the drop-down box and click "Save Changes".

As you can see, "allow ssh" has been successfully added to "test_policy".

Use vimdiff to see what has changed in the router namespace's iptables-save output.

iptables added two rules:

-A neutron-vpn-agen-iv4e85f4601 -p tcp -m tcp --dport 22 -j ACCEPT

-A neutron-vpn-agen-ov4e85f4601 -p tcp -m tcp --dport 22 -j ACCEPT

This means that TCP packets entering and leaving the router will be ACCEPTed if the destination port is 22 (ssh).

To test it: cirros-vm1 can now ssh to cirros-vm2, but ping still doesn't work, as expected.

"allow ssh" is already working. At the same time, we also find that a firewall rule takes effect on incoming and outgoing traffic at the same time, regardless of direction.
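The vimdiff comparison above can be scripted. This added example (not from the original article) diffs two iptables-save snapshots and reports whether a port was opened in both directions. The snapshot contents are constructed around the two rules shown above, and reading `iv4` chains as ingress and `ov4` chains as egress is an assumption.

```shell
#!/bin/sh
# Constructed "before" snapshot; on a real network node it would come from
#   ip netns exec <router-namespace> iptables-save
snapshot_before() {
cat <<'EOF'
*filter
:neutron-vpn-agen-iv4e85f4601 - [0:0]
:neutron-vpn-agen-ov4e85f4601 - [0:0]
-A neutron-vpn-agen-iv4e85f4601 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A neutron-vpn-agen-ov4e85f4601 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Constructed "after" snapshot: the same table plus the two rules from the article.
snapshot_after() {
    snapshot_before | sed '$d'    # drop the trailing COMMIT, re-add it below
    echo '-A neutron-vpn-agen-iv4e85f4601 -p tcp -m tcp --dport 22 -j ACCEPT'
    echo '-A neutron-vpn-agen-ov4e85f4601 -p tcp -m tcp --dport 22 -j ACCEPT'
    echo 'COMMIT'
}

# Print the "-A" rules present in snapshot file $2 but absent from file $1.
added_rules() {
    grep -e '^-A ' "$2" | grep -Fvx -f "$1" || :
}

# Report the directions in which destination port $3 was newly accepted.
# Assumption: chain names containing "-iv4" are ingress, "-ov4" are egress.
port_directions() {
    added_rules "$1" "$2" | awk -v port="$3" '
        index($0, "--dport " port " ") && $NF == "ACCEPT" {
            if ($2 ~ /-iv4/) ingress = 1
            if ($2 ~ /-ov4/) egress = 1
        }
        END {
            if (ingress && egress) print "both"
            else if (ingress)      print "ingress-only"
            else if (egress)       print "egress-only"
            else                   print "none"
        }'
}

tmp=$(mktemp -d)
snapshot_before > "$tmp/before.rules"
snapshot_after  > "$tmp/after.rules"
added_rules "$tmp/before.rules" "$tmp/after.rules"
echo "port 22 opened in: $(port_directions "$tmp/before.rules" "$tmp/after.rules" 22)"
rm -rf "$tmp"
```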

Summary

FWaaS is used to enhance the security of Neutron networks and can be used in conjunction with security groups.

Here's a comparison between FWaaS and security groups.

Similarities:

1. The underlying layer is implemented through iptables.

Differences:

1. FWaaS's iptables rules are applied to the router to protect the entire tenant network.

Security groups are applied to virtual network cards to protect a single instance.

2. FWaaS can define allow or deny rules; security groups can only define allow rules.

3. At present, FWaaS rules cannot distinguish between inbound and outbound traffic, and affect traffic in both directions.

Security group rules can distinguish between ingress and egress.

That is how FWaaS allows ssh. If you have similar questions, refer to the analysis above.
