Introduction:

This document describes the Egress firewall rules feature for the guest network in the Virtual Router (VR).

Feature specification:

Egress traffic originates from the guest network and is sent to the public network.

This feature controls the egress (outgoing) traffic from the guest network in an Advanced zone.

The egress firewall rules applied on the VR restrict the traffic leaving the guest network.

Default policy:

By default, all egress/outbound traffic from the guest network to the public network is BLOCKED.

Egress Firewall rule:

When an egress firewall rule is applied, only the traffic matching the rule is allowed; all remaining traffic stays blocked.

When all the rules are removed, the default policy (block everything) applies again.

Using egress firewall rules, traffic can be ALLOWED based on the following parameters:

  1. CIDR (source CIDR; it must be part of the guest network CIDR)
  2. Protocol (TCP, UDP, ICMP, ALL)
  3. Destination port range (ports for TCP and UDP; type and code for ICMP)

Topology:

(Topology diagram: not reproduced in this text.)

Use Cases:

In general, the following scenarios apply for egress firewall rules:

  1. Allow the egress traffic from a specified source CIDR.
  2. Allow the egress traffic with destination protocol TCP/UDP/ICMP/ALL.
  3. Allow the egress traffic with a destination protocol and a port range.

Note: Protocol ALL does NOT accept destination port arguments, so do not pass port arguments when configuring a rule with protocol ALL.

API and Parameters info for the egress rules:

A new API, createEgressFirewallRule, is used to create an egress firewall rule on the network.

The APIs and their parameters for the egress rules are given below.

APIs:

createEgressFirewallRule: configures an egress firewall rule on the guest network.

deleteEgressFirewallRule: deletes an egress firewall rule from the guest network.

listEgressFirewallRules: lists the egress firewall rules configured for the guest network.

For each API: name, parameters, response, and whether it is available to a normal user.

API Name: createEgressFirewallRule

API parameters:

  • networkId (required) - the network to apply the rule to. The network must be a non-VPC guest network.
  • cidrlist (optional) - list of comma-separated guest CIDRs for the rule. If not specified, defaults to the guest network CIDR.
  • protocol (required) - TCP/UDP/ICMP/ALL protocol types are supported.
  • startPort (optional)
  • endPort (optional, defaults to startPort if not specified)
  • icmpType (optional) - type of the ICMP message being sent
  • icmpCode (optional) - error code for this ICMP message

API response (createEgressFirewallRule Response):

  • id
  • protocol
  • startPort
  • endPort
  • trafficType
  • state
  • cidr
  • icmpType
  • icmpCode

Available to normal user: Yes

API Name: deleteEgressFirewallRule

API parameters:

  • id (required) - id of the egress firewall rule to delete

API response: true/false

Available to normal user: Yes

API Name: listEgressFirewallRules

API parameters:

  • networkId
  • id

API response: list of EgressFirewallRule objects

Available to normal user: Yes

DB table firewall_rules: column values (purpose, traffic_type) for egress rules:

The egress rules configuration is inserted into the existing firewall_rules table with the following column values.

column          value
purpose         'Firewall'
traffic_type    'Egress'

Egress rules conflict detection:

Egress rule conflicts are checked only against other egress firewall rules, that is, rows with purpose 'Firewall' and traffic_type 'Egress'.

A rule with the same CIDR, protocol and ports can therefore exist in both the ingress and the egress firewall rules without conflict.

Back end changes for VR:  

The firewallRule_egress.sh script is called on the virtual router.

The egress rules are added in the filter table, in the FW_EGRESS_RULES chain.

All traffic from eth0 (guest interface) to eth2 (public interface) is sent to the FW_OUTBOUND chain.

iptables rules:

Default rules:

ipassoc.sh previously added a rule to ACCEPT all traffic from eth0 to the public interface.

That rule is modified to send the egress traffic to the FW_OUTBOUND chain instead:

iptables -A FORWARD -i eth0 -o eth2 -j FW_OUTBOUND

Rules added while configuring:

Ex: egress rule for port 22 (ssh) traffic from 10.1.1.31/32. The rule ACCEPTs the matched traffic; everything else remains blocked by the default policy.

iptables -A FW_OUTBOUND -j EGRESS_FWRULES

iptables -A EGRESS_FWRULES -s 10.1.1.31/32 -p tcp --dport 22:22 -j ACCEPT
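The following shell functions are an added illustration (not the project's firewallRule_egress.sh or ipassoc.sh) of how the API parameters above map onto the iptables rules described in this section. The chain names FW_OUTBOUND and FW_EGRESS_RULES and the interfaces eth0/eth2 are taken from the text; the RELATED,ESTABLISHED accept placed ahead of the egress chains reflects the stateful behaviour described under "Ingress return traffic", and the trailing DROP that implements the block-by-default policy is an assumption about how the default is realised. The functions print the iptables commands instead of executing them, so the script runs without root or iptables installed.

```shell
#!/bin/sh
# Added example: generate the VR-side iptables commands for egress rules.
# Commands are printed, not applied, so this runs anywhere for inspection.

GUEST_IF=eth0    # guest-facing interface (from the spec)
PUBLIC_IF=eth2   # public interface (from the spec)

# Default policy and chain setup. The final DROP in FW_OUTBOUND is an
# assumption: it is one way to realise "all egress traffic BLOCKED by default".
egress_default_cmds() {
    cat <<EOF
iptables -N FW_OUTBOUND
iptables -N FW_EGRESS_RULES
iptables -A FORWARD -i $GUEST_IF -o $PUBLIC_IF -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $GUEST_IF -o $PUBLIC_IF -j FW_OUTBOUND
iptables -A FW_OUTBOUND -j FW_EGRESS_RULES
iptables -A FW_OUTBOUND -j DROP
EOF
}

# Translate one egress rule into an iptables command.
#   egress_rule_cmd CIDR tcp|udp STARTPORT [ENDPORT]
#   egress_rule_cmd CIDR icmp [ICMPTYPE [ICMPCODE]]
#   egress_rule_cmd CIDR all
# Mirrors the API parameters cidrlist, protocol, startPort/endPort,
# icmpType/icmpCode. Prints the rule; returns 1 on invalid input.
egress_rule_cmd() {
    cidr=$1
    proto=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    a=$3
    b=$4
    case "$proto" in
        all)
            # Protocol ALL takes no port arguments (see the Use Cases note).
            if [ -n "$a" ] || [ -n "$b" ]; then
                echo "protocol ALL does not accept port arguments" >&2
                return 1
            fi
            printf 'iptables -A FW_EGRESS_RULES -s %s -j ACCEPT\n' "$cidr"
            ;;
        tcp|udp)
            if [ -z "$a" ]; then
                echo "protocol $proto requires a start port" >&2
                return 1
            fi
            if [ -z "$b" ]; then
                b=$a   # endPort defaults to startPort
            fi
            printf 'iptables -A FW_EGRESS_RULES -s %s -p %s --dport %s:%s -j ACCEPT\n' \
                "$cidr" "$proto" "$a" "$b"
            ;;
        icmp)
            # icmpType and icmpCode are optional; without them any ICMP matches.
            if [ -n "$a" ]; then
                spec=$a
                if [ -n "$b" ]; then
                    spec="$a/$b"
                fi
                printf 'iptables -A FW_EGRESS_RULES -s %s -p icmp --icmp-type %s -j ACCEPT\n' \
                    "$cidr" "$spec"
            else
                printf 'iptables -A FW_EGRESS_RULES -s %s -p icmp -j ACCEPT\n' "$cidr"
            fi
            ;;
        *)
            echo "unsupported protocol: $2" >&2
            return 1
            ;;
    esac
}

# Usage when run directly: the default setup plus the ssh example from the text.
if [ "${0##*/}" = "egress_rules_example.sh" ]; then
    egress_default_cmds
    egress_rule_cmd 10.1.1.31/32 TCP 22 22
fi
```

Because every rule in FW_EGRESS_RULES ends in ACCEPT and the chain is consulted before the default DROP, adding a rule can only widen what leaves the guest network; deleting the last rule silently returns the network to block-all, which is the behaviour the "Default policy" section describes.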


Ingress return traffic:

The VR acts as a stateful firewall, so no egress rule is required for ingress return traffic.

When the user configures an ingress rule for particular ports, the return traffic of those ingress connections is allowed out without explicitly adding egress rules for those ports.

All RELATED and ESTABLISHED connections, both ingress and egress, are accepted before the egress rules and the default filtering are evaluated.

UI Changes:

The Egress rules page is shown under Networks -> <Network Name> -> Egress Rules.

This page provisions the egress rule configuration: CIDR, protocol, port range, and ICMP type and code for the ICMP protocol.

This page lists the egress firewall rules.

The listEgressFirewallRules API fetches the egress firewall rules from the firewall_rules table with purpose 'Firewall' and traffic_type 'Egress'.

The Egress firewall rules feature is supported for Advanced zone guest networks served by the VR, but not yet for external devices.

The createEgressFirewallRule API does NOT support VPC networks.

So the egress page is displayed only for Advanced zone guest networks that belong to a virtual router.

Upgrade Scenario:

New networks:

After the upgrade, if a new guest network is created, all traffic from the guest VMs to the public network is BLOCKED by default.

If the user wants to allow traffic from the guest network to the public network, he can configure an egress firewall rule with protocol 'ALL'.

Existing networks:

After the upgrade, for existing networks a network restart with cleanup set to true MUST be performed. This step pushes the egress firewall rule feature script files into the router VM.

If the network restart is performed with cleanup NOT set, the network restart will fail.

After the network restart with cleanup true, a new rule with protocol 'all' is added by default to allow all traffic from the guest network.

The new rule is added with the following values:

       proto:all, cidr:0.0.0.0/0

After the upgrade, if the user wants to configure egress firewall rules for an existing network, the default rule must be deleted, so that only the traffic matching the configured rules is allowed and everything else is blocked.

Supported Hypervisors:

This feature is supported on the XenServer, KVM and VMware hypervisors.

Support for External firewall devices:

Egress firewall rules support for the external firewall device SRX will be added in future releases.