Security Groups & Firewall Services

Security Groups & Firewall Services

Posted on Jan 13, 2020 (0)

Security Groups & Firewall Services


  • Configure Neutron to enable Firewall services.
  • Create a security Group dclessons-SG1 and add following rules to allow 80 services with source and destination any any via GUI
  • Create a security Group dclessons-SG2 and add following rules to allow 443 services with source and destination any any via CLI
  • Apply the security group dclessons-SG1 on dclessons-VM1
  • Create Firewall Rule dclessons-FW-RULE1 to allow TCP protocols for source any and destination network port 22.
  • Create Firewall policy dclessons-FW-Policy1 and call the above FW rule created.
  • Now Create the FW and apply the above policy created and verify rule on network nodes.


To configure the Firewall services on Neutron, modify the following file as per given below:

service_plugins = firewall
service_provider = FIREWALL:Iptables:neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver:default
driver =
enabled = True
[root@localhost ~(keystone_admin)]# sudo nano /etc/neutron/l3_agent.ini
interface_driver = neutron.agent.linux.interface.OVSInterfaceDriver

To configure the Horizon dashboard for Firewall, open the /usr/share/openstack dashboard/openstack_dashboard/local/ file and set an enable_firewall option in the OPENSTACK_NEUTRON_NETWORK setting:

'enable_firewall' = True

restart neutron-server, neutron-l3-agent, and horizon for the changes to take effect.

Now to configure the Security group go to Project | Compute | Access & Security and In the Security Groups tab, click on + Create Security Group.

Fill in an appropriate security group Name and Description:

Now to add rules on SG click on SG you created and then click on manage rule and then ADD rules.

Now create another SG via CLI to open port 443.

[root@localhost ~(keystone_admin)]# Neutron security-group-create dclessons-SG2

[root@localhost ~(keystone_admin)]# neutron security-group-rule-create --protocol tcp \ --port-range-min 443 --port-range-max 443 --direction ingress --remote-ip-prefix\ dclessons-SG2

Now to apply the dclessons-SG1 on dclessons-VM1, now you have to launch new instance and then add the above SG on it. We have already shown you how to launch the instance in previous lab.

Now let’s move to another task to create the Firewall rules:

Go to Project | Network | Firewall and click on the Firewall Rules tab:

Fill the rule as per given figure:

Now create the Firewall Policy and call the above FW rule in to it as per given figure:

Project | Network | Firewalls and click on Firewall Policies and Add Policy menu, provide Policy Name and Description:

In the Rules tab in the Add Policy menu, choose and add the Firewall rules in Available Rules to Selected Rules. Dragging them up or down can reorder the rules:

Now we have to create the Firewall and apply the above policy on to it.

Project | Network | Firewalls and click on the Firewalls tab and click on Create Firewalls.In the Add Firewall menu, provide Name and Description and choose the Policy of the Firewall from the drop-down menu:

Once a Firewall has been created using a predefined policy, all the Firewall policy rules are automatically applied to the Routers that already exist or those that will be created later. The reference implementation of FWaaS applies the Firewall rules as an iptables configuration in the Router's namespace. The Firewall policy of a tenant is applied to all the Routers that the tenant owns. This behavior will change in the future version of Neutron and allow the user to associate the Firewall policy to the chosen Routers.

Now to verify see the following commands :

Use the CLI commands to list the Firewall, Firewall policy, Firewall rule, and Routers. Note the Router ID in the following image. We will use this ID to find the namespace corresponding to this Router on the Network node:


    You are will be the first.


Please login here to comment.