Prarthana Shedge

Reputation: 155

Ping to all hosts works in spite of enabling firewall rule on SDN Floodlight Controller

I am running Floodlight SDN controller remotely and have a mininet topology with 2 switches and 2 hosts. In spite of enabling the firewall rule using REST API [curl command], I am able to ping all the hosts.

Mininet Topo-

sudo mn --topo=linear,2 --mac --controller=remote,ip=192.168.56.107 --switch=ovsk,protocols=OpenFlow13

Floodlight Controller-

sdn@sdn-controllers:~/floodlight$ sudo java -jar target/floodlight.jar

REST API enabling Firewall-

curl http://192.168.56.107:8080/wm/firewall/module/enable/json -X PUT -d ''

Pingall works even after enabling firewall rule-


Why is the traffic not being dropped? What am I missing out on?

Upvotes: 2

Views: 1033

Answers (1)

Karthik Balaguru

Reputation: 7842

The below command just enables the firewall and does not enable any rule in it to control packet flow by default. Assume the controller runs on localhost.

curl http://localhost:8080/wm/firewall/module/enable/json -X PUT -d ''

You can check the firewall status using the command below and verify whether the firewall is really enabled:

curl http://localhost:8080/wm/firewall/module/status/json

By default firewall denies all traffic unless an explicit ALLOW rule is created. You may need to check the list of existing rules by querying /wm/firewall/rules/json to see if any ALLOW rules exist somehow in your network topology.

You can add a rule at the switch of interest as below, where the switch id should be as per your topology. Let's consider switch1's id is 00:00:00:00:00:00:00:01. The below command adds an ALLOW rule for all flows to pass through switch 00:00:00:00:00:00:00:01.

curl -X POST -d '{"switchid": "00:00:00:00:00:00:00:01"}' http://localhost:8080/wm/firewall/rules/json

The existence of above rule in switch shall allow ping between hosts connected to switch1 only.

Let's consider the h1 ip address is 10.0.1.1 and that of h2 is 10.0.1.2.

The below command shall add an ALLOW rule for all flows between host 10.0.1.1 and host 10.0.1.2. Note that not specifying action implies ALLOW rule.

curl -X POST -d '{"src-ip": "10.0.1.1/32", "dst-ip": "10.0.1.2/32"}' http://localhost:8080/wm/firewall/rules/json

curl -X POST -d '{"src-ip": "10.0.1.2/32", "dst-ip": "10.0.1.1/32"}' http://localhost:8080/wm/firewall/rules/json

The existence of the above rules shall allow ping between the mentioned hosts.

To block traffic between hosts, you may need to add the DENY rule as below using host IP address of your interest as per your network topology.

curl -X POST -d '{"src-ip" : "10.0.1.1/32", "dst-ip": "10.0.1.2/32", "nw-proto":"ICMP", "action": "DENY" }' http://localhost:8080/wm/firewall/rules/json

The existence of the above rule shall block ping between the mentioned hosts. Now the pingall command shall display output such that the ping between host 10.0.1.1 (h1) and 10.0.1.2 (h2) is not successful. In such a case, the below command shall also show that ping is not happening between h1 and h2:

h1 ping h2

Upvotes: 1
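The sequence the answer walks through (enable the module, confirm the status endpoint really reports it enabled, add DENY rules, then check what the controller lists) as a single script. This is an added example, not code from the question or the answer. The endpoint paths and rule field names are the ones the answer uses; the reply shapes (`{"result": "firewall enabled"}` for status, `{"status": "Rule added", "rule-id": ...}` on POST, `ruleid`/`action` keys in the rule listing) are assumptions about Floodlight's responses. The HTTP transport is injected so the flow can be exercised offline against the constructed `FakeFloodlight` stand-in; pass a controller URL such as `http://192.168.56.107:8080` to run it against a real controller.

```python
"""Enable the Floodlight firewall, verify it, and install a bidirectional ICMP DENY.

Added example (not from the original post). Endpoint paths and rule fields follow
the answer above; response key names are assumptions about the controller.
"""
import json
import urllib.request

FIREWALL = "/wm/firewall"


def http_transport(base_url, timeout=5):
    """Real transport: send(method, path, body) -> parsed JSON reply from the controller."""
    def send(method, path, body=None):
        data = None if body is None else json.dumps(body).encode()
        req = urllib.request.Request(base_url + path, data=data, method=method)
        req.add_header("Content-Type", "application/json")
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            raw = resp.read().decode()
        return json.loads(raw) if raw else None
    return send


def firewall_enabled(send):
    # Assumed status reply: {"result": "firewall enabled"} or {"result": "firewall disabled"}.
    return send("GET", FIREWALL + "/module/status/json").get("result") == "firewall enabled"


def enable_firewall(send):
    # Same request as: curl -X PUT -d '' http://<controller>:8080/wm/firewall/module/enable/json
    send("PUT", FIREWALL + "/module/enable/json")


def icmp_deny_rules(host_a, host_b):
    """A rule matches one direction only; a ping needs the echo request and the
    reply to both pass, so blocking it reliably takes a DENY in each direction.
    Leaving "action" out would create an ALLOW rule, as the answer notes."""
    return [
        {"src-ip": f"{src}/32", "dst-ip": f"{dst}/32", "nw-proto": "ICMP", "action": "DENY"}
        for src, dst in ((host_a, host_b), (host_b, host_a))
    ]


def block_ping(send, host_a, host_b):
    """Enable the firewall if needed, add both DENY rules, and report what the
    controller lists afterwards so the caller can confirm the rules landed."""
    if not firewall_enabled(send):
        enable_firewall(send)
        if not firewall_enabled(send):
            raise RuntimeError("controller still reports the firewall disabled")
    before = len(send("GET", FIREWALL + "/rules/json"))
    rule_ids = [send("POST", FIREWALL + "/rules/json", rule).get("rule-id")
                for rule in icmp_deny_rules(host_a, host_b)]
    listed = send("GET", FIREWALL + "/rules/json")
    deny_listed = sum(1 for rule in listed if rule.get("action") == "DENY")
    return {"rule-ids": rule_ids, "rules-added": len(listed) - before,
            "deny-rules-listed": deny_listed}


class FakeFloodlight:
    """Constructed stand-in for the controller so the flow runs offline.
    It mirrors the assumed reply shapes above; it is not Floodlight."""

    def __init__(self):
        self.enabled = False
        self.rules = []

    def __call__(self, method, path, body=None):
        if method == "PUT" and path == FIREWALL + "/module/enable/json":
            self.enabled = True
            return {"result": "firewall enabled"}
        if method == "GET" and path == FIREWALL + "/module/status/json":
            return {"result": "firewall enabled" if self.enabled else "firewall disabled"}
        if method == "GET" and path == FIREWALL + "/rules/json":
            return [dict(rule) for rule in self.rules]
        if method == "POST" and path == FIREWALL + "/rules/json":
            rule_id = str(len(self.rules) + 1)
            # A rule posted without "action" is an ALLOW rule.
            self.rules.append({"ruleid": rule_id, "action": body.get("action", "ALLOW"), **body})
            return {"status": "Rule added", "rule-id": rule_id}
        raise ValueError(f"unexpected request {method} {path}")


if __name__ == "__main__":
    import sys
    # With a URL argument talk to a real controller; otherwise use the offline fake.
    send = http_transport(sys.argv[1]) if len(sys.argv) > 1 else FakeFloodlight()
    # 10.0.0.1 / 10.0.0.2 are Mininet's default addresses for h1 / h2.
    print(block_ping(send, "10.0.0.1", "10.0.0.2"))
```

Two checks worth doing after the script reports the rules as listed: run a fresh `h1 ping -c 3 h2` rather than relying on an earlier pingall, since flow entries the forwarding module already pushed to the switches keep matching until they idle out, and inspect the switch tables (`dpctl dump-flows` in the Mininet CLI) if the ping still succeeds. If the status endpoint never returns "firewall enabled", no rule, ALLOW or DENY, is being consulted at all, which is the first thing the answer tells the asker to rule out.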
