F5BigFwPolicy

Overview

The F5BigFwPolicy Custom Resource (CR) applies industry-standard firewall rules to the Traffic Management Microkernel (TMM), ensuring that only connections initiated by trusted clients will be accepted. When applying a new F5BigFwPolicy CR configuration, firewall rules are first sent to the Application Firewall Management (AFM) Pod to be compiled into a binary large object (BLOB), improving processing performance. Once the firewall BLOB is compiled, it is sent to the TMM Proxy Pod to begin inspecting and filtering network packets.

This document guides you through understanding, configuring and installing a simple F5BigFwPolicy CR.

CR parameters

The tables below describe the F5BigFwPolicy CR parameters

metadata

Parameter Description
name The name of the Firewall Policy. This value is referencd by CNF Traffic Management CRs.
namespace The Kubernetes Namespace the firewall Policy will install to.

spec

Parameter Description
rule.name The name of the firewall rule. A policy can contain multiple firewall rules.
rule.ipProtocol Specifies the IP protocol against which the packet will be compared. The default value is "any". The F5BigFwPolicy IP Protocols document contains the full list of supported protocols.
rule.action Specifies the action that will be applied to packet that matches ACL rule: "accept", "drop", or "reject".
rule.logging Enables ACL rule match logging: true or false (default).
rule.source.addresses Specifies a list of IPv4 or IPv6 source addresses against which the packet will be compared: host 2002::33:22, subnet 2003::/64, or range 2002::33:22-2002::33:50.
rule.source.addressLists Specifies the F5BigCneAddressList by metadata.name against which the packet will be compared. See Address and Port Lists section in this guide. The ACL/NAT rule is disabled internally and is not used for matching traffic while:
- This attribute is specifying one or more addressLists and
- All of these addressLists are empty or do not exist (soft-reference case) and
- The rule does not specify any direct source address
rule.source.ports Specifies a list of source service ports or port ranges against which the packet will be compared. Port 0 is a valid value, that functions as a service port, not as a wildcard.
rule.source.portLists Specifies the F5BigCnePortList by metadata.name against which the packet will be compared. See the Address and Port Lists section in this guide. The ACL/NAT rule is disabled internally and is not used for matching traffic while:
- This attribute is specifying one or more portLists and
- All of these portLists are empty or do not exist (soft-reference case) and
- The rule does not specify any direct source port
rule.source.vlans Specifies a list of F5BigNetVlans in an array.
rule.source.zones Specifies an array of VALN ZONE names (strings) and will be an empty array by default. For more information, refer to F5BigCneZone guide. The ACL/NAT rule is disabled internally and is not used for matching traffic while:
- This attribute is specifying one or more zones and
- All of these zones are empty or do not exist (soft-reference case) or refer to only non-existent VLANs
rule.destination.addresses Specifies a list of IPv4 or IPv6 destination addresses against which the packet will be compared: host 2002::33:22, subnet 2003::/64, or range 2002::33:22-2002::33:50.
rule.destination.ports Specifies a list of destination service ports or port ranges against which the packet will be compared. Port 0 is a valid value, that functions as a service port, not as a wildcard.
rule.destination.zones Specifies an array of VALN ZONE names (strings) and will be an empty array by default. For more information, refer to F5BigCneZone guide. The ACL/NAT rule is disabled internally and is not used for matching traffic while:
- This attribute is specifying one or more zones and
- All of these zones are empty or do not exist (soft-reference case) or refer to only non-existent VLANs
rule.destination.addressLists Specifies the F5BigCneAddressList by metadata.name against which the packet will be compared. See the Address and Port Lists section in this guide. The ACL/NAT rule is disabled internally and is not used for matching traffic while:
- This attribute is specifying one or more addressLists and
- All of these addressLists are empty or do not exist (soft-reference case) and
- The rule does not specify any direct destination address
rule.destination.portLists Specifies the F5BigCnePortList by metadata.name against which the packet will be compared. See the Address and Port Lists section in this guide. The ACL/NAT rule is disabled internally and is not used for matching traffic while:
- This attribute is specifying one or more portLists and
- All of these portLists are empty or do not exist (soft-reference case) and
- The rule does not specify any direct destination port
rule.ruleList Specifies the firewall rulelist name this rule references.

To add, modify, or delete the firewall rules easily, you need to break the firewall rules list into multiple smaller units and store them in F5BigFwRulelist CR.

CR Example

apiVersion: "k8s.f5net.com/v1"
kind: F5BigFwPolicy
metadata:
  name: "cnf-fw-policy"
  namespace: "cnf-gateway"
spec:
  rule:
    - name: allow-10-20-http
      action: "accept"
      logging: true
      ipProtocol: tcp
      source:
        addresses:
          - "2002::10:20:0:0/96"
        zones:
          - "zone1"
          - "zone2"  
      destination:
        ports:
          - "80"
        zones:
          - "zone3"
          - "zone4"
    - name: allow-10-30-ftp
      action: "accept"
      logging: true
      ipProtocol: tcp
      source:
        addresses:
          - "2002::10:30:0:0/96"
        zones:
          - "zone1"
          - "zone2"
      destination:
        ports:
          - "20"
          - "21"
        zones:
          - "zone3"
          - "zone4"
    - name: drop-all
      action: "drop"
      logging: true
      ipProtocol: any
      source:
        addresses:
          - "::0/0"
          - "0.0.0.0/0"

Maximum rule size

When F5BigFwPolicy CRs are installed into the cluster, the firewall rule set is declared in the metadata.annotations section of the installed CR. It is important to note that Kubernetes does not allow the metadata.annotations section to exceed 262144 bytes of data, and will log an error message stating this size limitation.

CR shortName

CR shortNames provide an easy way to view installed CRs, and their configuration parameters. The CR shortName can also be used to delete the CR instance. The F5BigFwPolicy CR shortName is fwpol.

View CR instance:

oc get fwpol -n <namespace>

View CR configuration:

oc get fwpol -n <namespace> -o yaml

Address and Port lists

Complex lists of IP addresses and service ports can be configured using the F5BigCneAddresslist and F5BigCnePortlist CRs. The address and port list CRs can then be referenced by the F5BigDdosProfile CR.

Address list:

apiVersion: "k8s.f5net.com/v1"
kind: F5BigCneAddresslist
metadata:
  name: "allow-ipv6"
  namespace: "cnf-gateway"
spec:
  addresses:
   - "2002::33:22-2002::33:50"
   - "2003::/64"
   - "2004::1"

Port list:

apiVersion: "k8s.f5net.com/v1"
kind: F5BigCnePortlist
metadata:
  name: allow-5000s
spec:
  ports:
  - "5000-5500"

Firewall mode

CNFs default firewall mode controls how network packets are handled when either of these conditions are met:

  • None of the installed CNFs CRs reference a F5BigFwPolicy.
  • A CNFs CR does reference a F5BigFwPolicy, however, packets do not match any of the rules.

The table below describes each of the default firewall mode settings:

Mode Behavior
accept Network packets are accepted and processed by TMM. This is the default setting.
drop Network packets are silently dropped.
reject Network packets are rejected. For TCP connections, a RST (reset) packet is sent in reponse.

By default, the firewall mode accepts all network packets not matching a F5BigFwPolicy firewall rule. You can modify this behavior prior using the F5BigContextGlobal Custom Resource (CR).

Requirements

Ensure you have:

Installation

Use these steps to install the example F5BigFwPolicy CR, and the optional CNFs CRs. Each step offers a brief description of the example CR.

_images/spk_info.png Tip: Open a second shell to view the CNFs Event Logs while installing.

  1. Optional: The example F5BigLogHslpub CR specifies a remote server with IP/port [2002::10:30:2:220]:514, and the udp protocol. Copy and paste the example into a YAML file:

    Note: The F5BigLogHslpub CR will be referenced by the F5BigLogProfile.

    apiVersion: k8s.f5net.com/v1
    kind: F5BigLogHslpub
    metadata:
      name: "cnf-hsl-pub"
      namespace: "cnf-gateway"
    spec:
      pool:
      - name: "hsl-pool"
        endpoint:
        - "[2002::10:30:2:220]:514"
      syslog:
      - name: "cnf-syslog"
        format: "rfc5424"
        protocol: "udp"
        pool: "hsl-pool"
    
  2. Install the F5BigLogHslpub CR:

    oc apply -f cnf-hsl-cr.yaml
    

    In this example, the BIG-IP Controller logs indicate the F5BigLogHslpub CR was added/updated:

    I0202 12:00:00.12347   1 event.go:282 Event(v1.ObjectReference{Kind:"F5Hslpub",
    F5Hslpub cnf-gateway/cnf-hsl-pub was added/updated
    
  3. Optional: The example F5BigLogProfile CR specifies firewall events such as aclMatchAccept and aclMatchDrop, and sends them to the remove logging server. Copy and paste the example into a YAML file:

    Note: The F5BigLogProfile CR will be referenced by the F5BigContextSecure CR.

    apiVersion: "k8s.f5net.com/v1"
    kind: F5BigLogProfile
    metadata:
      name: "cnf-log-profile"
      namespace: "cnf-gateway"
    spec:
      name: "cnf-logs"
      firewall:
        enabled: true
        network:
          publisher: "cnf-hsl-pub"
          events:
            aclMatchAccept: true
            aclMatchDrop: true
            tcpEvents: true
            translationFields: true
    
  4. Install the F5BigLogProfile CR:

    oc apply -f cnf-log-cr.yaml
    

    In this example, the BIG-IP Controller logs indicate the F5BigLogProfile CR was added/updated:

    I0202 12:00:00.12348   1 event.go:282 Event(v1.ObjectReference{Kind:"F5LogProfile",
    LogProfile cnf-gateway/cnf-log-profile was added/updated
    
  5. The example F5BigFwPolicy CR allows HTTP port 80 and FTP ports 20 and 21 from source IP subnet 2002::10:30:0:0/96. Copy and paste the example into a YAML file:

    Note: The F5BigFwPolicy CR will be referenced by the F5BigContextSecure CR.

    apiVersion: "k8s.f5net.com/v1"
    kind: F5BigFwPolicy
    metadata:
      name: "cnf-fw-policy"
      namespace: "cnf-gateway"
    spec:
      rule:
        - name: allow-http
          action: "accept"
          logging: true
          ipProtocol: tcp
          source:
            addresses:
              - "2002::10:20:0:0/96"
            zones:
              - "zone1"
              - "zone2"
          destination:
            ports:
              - "80"
            zones:
              - "zone3"
              - "zone4"
        - name: allow-ftp
          action: "accept"
          logging: true
          ipProtocol: tcp
          source:
            addresses:
              - "2002::10:30:0:0/96"
            zones:
              - "zone1"
              - "zone2"
          destination:
            ports:
              - "20"
              - "21"
            zones:
              - "zone3"
              - "zone4"
        - name: drop-all
          action: "drop"
          logging: true
          ipProtocol: any
          source:
            addresses:
              - "::0/0"
              - "0.0.0.0/0"
    
  6. Install the F5BigFwPolicy CR:

    oc apply -f cnf-fw-cr.yaml
    

    In this example, the BIG-IP Controller logs indicate the F5BigFwPolicy CR was added/updated:

    I0202 12:00:00.12346   1 event.go:282 Event(v1.ObjectReference{Kind:"F5FirewallPolicy",
    FirewallPolicy cnf-gateway/cnf-fw-policy was added/updated
    
  7. Optional: The example F5BigContextSecure CR listens for connections destined to the 2002::200:200:200:0/112 subnet on the subscriber-vlan interface, and references all of the installed CRs. Copy and paste the example into a YAML file:

    apiVersion: k8s.f5net.com/v1
    kind: F5BigContextSecure
    metadata:
      name: "cnf-context"
      namespace: "cnf-gateway"
    spec:
       ipv6destinationAddress: "2002::200:200:200:0/112"
       destinationPort: 0
       firewallEnforcedPolicy: "cnf-fw-policy"
       logProfile: "cnf-log-profile"
       ipProtocol: "any"
       profile: "fastL4"
       vlans:
         vlanList:
           - "subscriber-vlan"
    
  8. Install the F5BigContextSecure CR:

    oc apply -f f5-cnf-context.yaml
    

    In this example, the BIG-IP Controller logs indicate the F5BigContextSecure CR was added/updated:

    I0202 12:00:00:12350    1 event.go:282] Event(v1.ObjectReference{Kind:"F5SecureContext",
    SecureContext cnf-gateway/cnf-context was added/updated
    
  9. Continue to the Additional CRs and Firewall statistics sections.

Additional CRs

The F5BigFwPolicy can also be referenced by these CNFs CRs:

  • F5BigAlgFtp - File Transfer Protocol (FTP) application layer gateway services.
  • F5BigAlgTftp - Trivial File Transfer Protocol (TFTP) application layer gateway services.
  • F5BigAlgPptp - Point-to-Point Tunneling Protocol (PPTP) application layer gateway services.
  • F5BigAlgRtsp - Real Time Streaming Protocol (RTSP) application layer gateway services.

Firewall statistics

If the TMM Debug sidecar is enabled (default), use the steps below to verify firewall filtering statics.

  1. Log in to the TMM debug Pod:

    In this example, the TMM debug container is in the cnf-gateway namespace:

    oc exec -it deploy/f5-tmm -c debug -n cnf-gateway -- bash
    
  2. Verify the F5BigFwPolicy statistics:

    tmctl -d blade fw_rule_stat
    
    context_type context_name
    ------------ ------------------------------------------
    virtual      cnf-gateway-cnf-fw-policy-SecureContext_vs
    
    rule_name                            micro_rules counter last_hit_time action
    ------------------------------------ ----------- ------- ------------- ------
    allow-10-20-http-firewallpolicyrule            1       2    1638572860      2
    allow-10-30-ftp-firewallpolicyrule             1       5    1638573270      2
    

Feedback

Provide feedback to improve this document by emailing cnfdocs@f5.com.