yahoo-eng-team team mailing list archive
Message #96341
[Bug 2121582] [NEW] Source / Destination IP address is not respected in firewall group rule FWaaS v2
Public bug reported:
Source/Destination IPs are not respected in firewall group rules FWaaS
I'm trying to configure and use FWaaS v2. My simple use case is to
configure a default FW in a project, which will forbid requests from
specific IPs. And it looks like source/destination IPs are not
respected, other fields seem to be working.
My Environment: OpenStack 2024.1, kolla-ansible, OVS with DVR,
rockylinux 5.14.0, KVM
Configuration
L3 Agent
fwaas_driver.ini
[fwaas]
enabled = True
agent_version = v2
driver = iptables_v2
[service_providers]
service_provider = FIREWALL_V2:fwaas_db:neutron_fwaas.services.firewall.service_drivers.agents.agents.FirewallAgentDriver:default
l3_agent.ini
...
[agent]
extensions = fwaas_v2,vpnaas
...
OpenVSwitch Agent
openvswitch_agent.ini
[agent]
tunnel_types = vxlan
l2_population = true
arp_responder = true
enable_distributed_routing = True
extensions = fwaas_v2
[securitygroup]
firewall_driver = openvswitch
[fwaas]
enabled = True
firewall_l2_driver = ovs
How to reproduce:
After FWaaS was activated
In a project, check that there is a default firewall installed
openstack firewall group list --long
+--------------------------------------+---------+--------------------------------------+--------------------------------------+
| ID | Name | Ingress Policy ID | Egress Policy ID |
+--------------------------------------+---------+--------------------------------------+--------------------------------------+
| 176d6b64-ab11-4d01-a65b-fe64ef42517c | default | f3592619-e8dc-4d38-9235-b84eec07f266 | e7259e7c-df47-49fa-8e6e-5b0705c2749d |
+--------------------------------------+---------+--------------------------------------+--------------------------------------+
openstack firewall group show default
+-------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+-------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Description | Default firewall group |
| Egress Policy ID | e7259e7c-df47-49fa-8e6e-5b0705c2749d |
| ID | 176d6b64-ab11-4d01-a65b-fe64ef42517c |
| Ingress Policy ID | f3592619-e8dc-4d38-9235-b84eec07f266 |
| Name | default |
| Ports | ['20b5fc16-ee0d-4645-98bf-01ee59e8e2a2', '270300c8-0a30-4b5b-859a-d1a5d7b94fa3', 'a926677b-ccd8-4e30-ab09-3d4dbef97cd1', 'b347d215-2b82-4de8-aa8e-420114668d4e'] |
| Project | 7efc953644d04c968ec883a1337930d2 |
| Shared | False |
| State | UP |
| Status | ACTIVE |
| created_at | 2025-08-19T14:05:22Z |
| revision_number | 254 |
| tags | [] |
| updated_at | 2025-08-28T06:15:00Z |
+-------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------+
Check default Ingress Policy
openstack firewall group policy show "default ingress"
+-----------------+----------------------------------------------------------------------------------+
| Field | Value |
+-----------------+----------------------------------------------------------------------------------+
| Audited | False |
| Description | Ingress firewall policy |
| Firewall Rules | ['88354c14-12a3-43a9-a095-7a5115c6841d', 'fad35b29-6752-4955-b62e-739062378f5f'] |
| ID | f3592619-e8dc-4d38-9235-b84eec07f266 |
| Name | default ingress |
| Project | 7efc953644d04c968ec883a1337930d2 |
| Shared | False |
| created_at | 2025-08-19T14:05:22Z |
| revision_number | 0 |
| tags | [] |
| updated_at | 2025-08-25T07:41:00Z |
+-----------------+----------------------------------------------------------------------------------+
Check The rule of the default Ingress Policy, ingress traffic should be set to "deny"
MY_DEFTAUL_IPV4_RULE_ID=$(openstack firewall group policy show "default ingress" -c "Firewall Rules" -fjson | jq -Mr '.["Firewall Rules"][0]')
openstack firewall group rule show $MY_DEFTAUL_IPV4_RULE_ID
+-------------------------------+------------------------------------------+
| Field | Value |
+-------------------------------+------------------------------------------+
| Action | deny |
| Description | default ingress rule for IPv4 |
| Destination Firewall Group ID | |
| Destination IP Address | None |
| Destination Port | None |
| Enabled | True |
| Firewall Policy | ['f3592619-e8dc-4d38-9235-b84eec07f266'] |
| ID | 88354c14-12a3-43a9-a095-7a5115c6841d |
| IP Version | 4 |
| Name | default ingress ipv4 |
| Project | 7efc953644d04c968ec883a1337930d2 |
| Protocol | any |
| Shared | False |
| Source Firewall Group ID | |
| Source IP Address | None |
| Source Port | None |
| Summary | |
| created_at | 2025-08-19T14:05:22Z |
| revision_number | 4 |
| tags | [] |
| updated_at | 2025-08-28T08:56:50Z |
+-------------------------------+------------------------------------------+
Create a new server
openstack server create --image ubuntu-24.04 --flavor m1.medium --key-name mykey --network 01_demo_k8s-vlan-net fwaastest01
openstack server show fwaastest01
+-------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+-------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| OS-DCF:diskConfig | MANUAL |
| OS-EXT-AZ:availability_zone | nova |
| OS-EXT-SRV-ATTR:host | None |
| OS-EXT-SRV-ATTR:hostname | fwaastest01 |
| OS-EXT-SRV-ATTR:hypervisor_hostname | None |
| OS-EXT-SRV-ATTR:instance_name | None |
| OS-EXT-SRV-ATTR:kernel_id | None |
| OS-EXT-SRV-ATTR:launch_index | None |
| OS-EXT-SRV-ATTR:ramdisk_id | None |
| OS-EXT-SRV-ATTR:reservation_id | None |
| OS-EXT-SRV-ATTR:root_device_name | None |
| OS-EXT-SRV-ATTR:user_data | None |
| OS-EXT-STS:power_state | Running |
| OS-EXT-STS:task_state | None |
| OS-EXT-STS:vm_state | active |
| OS-SRV-USG:launched_at | 2025-08-28T08:37:06.000000 |
| OS-SRV-USG:terminated_at | None |
| accessIPv4 | |
| accessIPv6 | |
| addresses | 01_demo_k8s-vlan-net=10.10.21.42 |
| config_drive | |
| created | 2025-08-28T08:36:47Z |
| description | None |
| flavor | description=, disk='40', ephemeral='0', , id='m1.medium', is_disabled=, is_public='True', location=, name='m1.medium', original_name='m1.medium', ram='4096', rxtx_factor=, swap='0', vcpus='2' |
| hostId | 016287359e32f6b692430b0fbb1e4d91ce0f5a452653c54312dcba82 |
| host_status | None |
| id | 2950669e-cb09-4307-8675-61930bb0f12f |
| image | ubuntu-24.04 (cf46b0d8-e0e2-4a3d-a233-e2157fa97298) |
| key_name | mykey |
| locked | False |
| locked_reason | None |
| name | fwaastest01 |
| pinned_availability_zone | None |
| progress | 0 |
| project_id | 7efc953644d04c968ec883a1337930d2 |
| properties | |
| security_groups | name='default' |
| server_groups | None |
| status | ACTIVE |
| tags | |
| trusted_image_certificates | None |
| updated | 2025-08-28T08:37:06Z |
| user_id | 0906ccc8fabe4341b7f4bde4a795f0fd |
| volumes_attached | |
+-------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
openstack port list --server fwaastest01
+--------------------------------------+------+-------------------+----------------------------------------------------------------------------+--------+
| ID | Name | MAC Address | Fixed IP Addresses | Status |
+--------------------------------------+------+-------------------+----------------------------------------------------------------------------+--------+
| 882e8994-3f0f-4664-bbf6-92165cdb72c5 | | fa:16:3e:36:34:3a | ip_address='10.10.21.42', subnet_id='516acec3-f099-4904-b827-d6d1a11a58cc' | ACTIVE |
+--------------------------------------+------+-------------------+----------------------------------------------------------------------------+--------+
Check the server port is added to default firewall group
openstack firewall group show default -fjson | jq '.["Ports"]'
[
"20b5fc16-ee0d-4645-98bf-01ee59e8e2a2",
"270300c8-0a30-4b5b-859a-d1a5d7b94fa3",
"882e8994-3f0f-4664-bbf6-92165cdb72c5",
"a926677b-ccd8-4e30-ab09-3d4dbef97cd1",
"b347d215-2b82-4de8-aa8e-420114668d4e"
]
Check one of the listed ports belongs to the router
openstack port show 270300c8-0a30-4b5b-859a-d1a5d7b94fa3
+-------------------------+---------------------------------------------------------------------------------------+
| Field | Value |
+-------------------------+---------------------------------------------------------------------------------------+
| admin_state_up | UP |
| allowed_address_pairs | |
| binding_host_id | None |
| binding_profile | None |
| binding_vif_details | None |
| binding_vif_type | None |
| binding_vnic_type | normal |
| created_at | 2025-04-22T08:20:18Z |
| data_plane_status | None |
| description | |
| device_id | 1a41e860-eb39-490e-8b75-cfc2803f4708 |
| device_owner | network:router_interface_distributed |
| device_profile | None |
| dns_assignment | fqdn='host-10-0-0-1.openstacklocal.', hostname='host-10-0-0-1', ip_address='10.0.0.1' |
| dns_domain | |
| dns_name | |
| extra_dhcp_opts | |
| fixed_ips | ip_address='10.0.0.1', subnet_id='b4e950f6-949a-40bb-8c65-9f61970cb71e' |
| hardware_offload_type | None |
| hints | |
| id | 270300c8-0a30-4b5b-859a-d1a5d7b94fa3 |
| ip_allocation | None |
| mac_address | fa:16:3e:ee:ea:63 |
| name | |
| network_id | 0ae5f5b4-9dc9-4ab9-ad06-77d96b08ca76 |
| numa_affinity_policy | None |
| port_security_enabled | False |
| project_id | 7efc953644d04c968ec883a1337930d2 |
| propagate_uplink_status | None |
| resource_request | None |
| revision_number | 1083 |
| qos_network_policy_id | None |
| qos_policy_id | None |
| security_group_ids | |
| status | ACTIVE |
| tags | |
| trunk_details | None |
| trusted | None |
| updated_at | 2025-08-28T08:27:17Z |
+-------------------------+---------------------------------------------------------------------------------------+
Create and assign a floating ip to the server
openstack floating ip create shared0 -c name
+-------+--------------+
| Field | Value |
+-------+--------------+
| name | 10.30.10.84 |
+-------+--------------+
openstack server add floating ip fwaastest01 10.30.10.84
openstack server show fwaastest01 -c name -c addresses
+-----------+-----------------------------------------------+
| Field | Value |
+-----------+-----------------------------------------------+
| addresses | 01_demo_k8s-vlan-net=10.10.21.42, 10.30.10.84 |
| name | fwaastest01 |
+-----------+-----------------------------------------------+
Try to access via ssh, should not work (default ingress policy)
ssh ubuntu@10.30.10.84 -v
...
Create a new rule, which allows traffic to port 22 and add it to the default ingress policy
openstack firewall group rule create --name allow-ssh --protocol tcp --destination-port 22 --action allow
+-------------------------------+--------------------------------------+
| Field | Value |
+-------------------------------+--------------------------------------+
| Action | allow |
| Description | |
| Destination Firewall Group ID | |
| Destination IP Address | None |
| Destination Port | 22 |
| Enabled | True |
| Firewall Policy | None |
| ID | 39737b54-485b-4ec7-93bd-08091d4e96f2 |
| IP Version | 4 |
| Name | allow-ssh |
| Project | 7efc953644d04c968ec883a1337930d2 |
| Protocol | tcp |
| Shared | False |
| Source Firewall Group ID | |
| Source IP Address | None |
| Source Port | None |
| Summary | |
| created_at | 2025-08-28T08:58:33Z |
| revision_number | 0 |
| tags | [] |
| updated_at | 2025-08-28T08:58:33Z |
+-------------------------------+--------------------------------------+
openstack firewall group policy add rule "default ingress" allow-ssh
Inserted firewall rule 39737b54-485b-4ec7-93bd-08091d4e96f2 in firewall policy default ingress
openstack firewall group policy show "default ingress"
+-----------------+--------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+-----------------+--------------------------------------------------------------------------------------------------------------------------+
| Audited | False |
| Description | Ingress firewall policy |
| Firewall Rules | ['39737b54-485b-4ec7-93bd-08091d4e96f2', '88354c14-12a3-43a9-a095-7a5115c6841d', 'fad35b29-6752-4955-b62e-739062378f5f'] |
| ID | f3592619-e8dc-4d38-9235-b84eec07f266 |
| Name | default ingress |
| Project | 7efc953644d04c968ec883a1337930d2 |
| Shared | False |
| created_at | 2025-08-19T14:05:22Z |
| revision_number | 1 |
| tags | [] |
| updated_at | 2025-08-28T08:59:36Z |
+-----------------+--------------------------------------------------------------------------------------------------------------------------+
Try to access via ssh, now it should work (port 22 allowed)
ssh ubuntu@10.30.10.84 -v
...
Set the Source IP address in the rule, to allow traffic only from a specific IP
openstack firewall group rule set --source-ip-address 10.30.10.77 allow-ssh
Try to connect from the source ip to the server via ssh, it should still work
ssh ubuntu@10.30.10.84 -v
Set the Source IP address in the rule, to allow traffic only from another IP
openstack firewall group rule set --source-ip-address 10.30.10.100 allow-ssh
Try to connect from the source IP to the server via ssh; it should not work, but it does
ssh ubuntu@10.30.10.84 -v
Check incoming traffic on the target host
root@fwaastest01:~# tcpdump -nve -i ens3 port 22 and host 10.30.10.77
tcpdump: listening on ens3, link-type EN10MB (Ethernet), snapshot length 262144 bytes
09:17:23.674025 fa:16:3e:8b:c7:b8 > fa:16:3e:36:34:3a, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 60, id 5237, offset 0, flags [DF], proto TCP (6), length 60)
10.30.10.77.47115 > 10.10.21.42.22: Flags [S], cksum 0xc08f (correct), seq 1696342916, win 64860, options [mss 1410,sackOK,TS val 2199360205 ecr 0,nop,wscale 7], length 0
Expectation: if we connect from the IP we set in the FW rule, it should
work. A connection from any other IP should not work.
Reality: it is possible to connect from any IP; the source IP address is
not respected.
** Affects: neutron
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/2121582
Title:
Source / Destination IP address is not respected in firewall group
rule FWaaS v2
Status in neutron:
New
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/2121582/+subscriptions
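An added example, not code from the bug report or from neutron-fwaas: a small Python model of the first-match semantics a FWaaS v2 ingress policy is expected to apply, built from the rules and the tcpdump'd SYN in the report, so the verdict the reporter expects for each `--source-ip-address` value can be checked offline. The default IPv6 rule is left out because the report shows only its ID, and `to_iptables` is an assumed rendering, not the exact output of the iptables_v2 driver.

```python
"""First-match model of a FWaaS v2 ingress policy: rules are tried in policy
order, the first one whose set fields all match decides, the default deny is last."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class FirewallRule:
    """Subset of the fields printed by 'openstack firewall group rule show'."""
    name: str
    action: str                          # "allow" or "deny"
    ip_version: int = 4
    protocol: str = "any"                # "any", "tcp", "udp" or "icmp"
    source_ip: Optional[str] = None      # address or CIDR; None means any
    destination_ip: Optional[str] = None
    source_port: Optional[str] = None    # "22" or a range such as "1000:2000"
    destination_port: Optional[str] = None
    enabled: bool = True


@dataclass
class Packet:
    src: str
    dst: str
    protocol: str
    sport: int
    dport: int


def _ip_matches(spec: Optional[str], addr: str) -> bool:
    return spec is None or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def _port_matches(spec: Optional[str], port: int) -> bool:
    if spec is None:
        return True
    lo, _, hi = spec.partition(":")      # single port or "lo:hi" range
    return int(lo) <= port <= int(hi or lo)


def rule_matches(rule: FirewallRule, pkt: Packet) -> bool:
    """Every set field must match; unset fields (None / "any") match anything."""
    if not rule.enabled or ipaddress.ip_address(pkt.src).version != rule.ip_version:
        return False
    if rule.protocol != "any" and rule.protocol != pkt.protocol:
        return False
    return (_ip_matches(rule.source_ip, pkt.src)
            and _ip_matches(rule.destination_ip, pkt.dst)
            and _port_matches(rule.source_port, pkt.sport)
            and _port_matches(rule.destination_port, pkt.dport))


def evaluate(policy: List[FirewallRule], pkt: Packet) -> Tuple[str, Optional[str]]:
    """Return (action, rule name) of the first matching rule; no match denies."""
    for rule in policy:
        if rule_matches(rule, pkt):
            return rule.action, rule.name
    return "deny", None


def to_iptables(rule: FirewallRule) -> str:
    """Approximate iptables form of a rule (an assumption, not the iptables_v2
    driver's exact output): the '-s' match to look for in the qrouter namespace."""
    parts = [f"-p {rule.protocol}"] if rule.protocol != "any" else []
    if rule.source_ip:
        parts.append(f"-s {ipaddress.ip_network(rule.source_ip, strict=False)}")
    if rule.destination_ip:
        parts.append(f"-d {ipaddress.ip_network(rule.destination_ip, strict=False)}")
    if rule.source_port:
        parts.append(f"--sport {rule.source_port}")
    if rule.destination_port:
        parts.append(f"--dport {rule.destination_port}")
    parts.append("-j ACCEPT" if rule.action == "allow" else "-j DROP")
    return " ".join(parts)


def ingress_policy(allowed_source: Optional[str]) -> List[FirewallRule]:
    """The report's 'default ingress' policy after 'policy add rule': allow-ssh
    first, then the default IPv4 deny (the IPv6 default, shown only by ID, is omitted)."""
    return [
        FirewallRule("allow-ssh", "allow", protocol="tcp",
                     destination_port="22", source_ip=allowed_source),
        FirewallRule("default ingress ipv4", "deny"),
    ]


# The SYN captured by tcpdump on the instance (after floating-IP DNAT to 10.10.21.42).
SSH_SYN = Packet(src="10.30.10.77", dst="10.10.21.42", protocol="tcp",
                 sport=47115, dport=22)
```

With `--source-ip-address 10.30.10.100` the SYN from 10.30.10.77 must fall through to the default IPv4 deny; the reporter's tcpdump shows it reaching the instance instead.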