F5BigFwPolicy¶
Overview¶
The F5BigFwPolicy Custom Resource (CR) applies industry-standard firewall rules to the Traffic Management Microkernel (TMM), ensuring that only connections initiated by trusted clients will be accepted. When applying a new F5BigFwPolicy CR configuration, firewall rules are first sent to the Application Firewall Management (AFM) Pod to be compiled into a binary large object (BLOB), improving processing performance. Once the firewall BLOB is compiled, it is sent to the TMM Proxy Pod to begin inspecting and filtering network packets.
This document guides you through understanding, configuring and installing a simple F5BigFwPolicy CR.
CR parameters¶
The tables below describe the F5BigFwPolicy CR parameters
metadata¶
Parameter | Description |
---|---|
name |
The name of the Firewall Policy. This value is referencd by CNF Traffic Management CRs. |
namespace |
The Kubernetes Namespace the firewall Policy will install to. |
spec¶
Parameter | Description |
---|---|
rule.name |
The name of the firewall rule. A policy can contain multiple firewall rules. |
rule.ipProtocol |
Specifies the IP protocol against which the packet will be compared. The default value is "any". The F5BigFwPolicy IP Protocols document contains the full list of supported protocols. |
rule.action |
Specifies the action that will be applied to packet that matches ACL rule: "accept", "drop", or "reject". |
rule.logging |
Enables ACL rule match logging: true or false (default). |
rule.source.addresses |
Specifies a list of IPv4 or IPv6 source addresses against which the packet will be compared: host 2002::33:22, subnet 2003::/64, or range 2002::33:22-2002::33:50. |
rule.source.addressLists |
Specifies the F5BigCneAddressList by metadata.name against which the packet will be compared. See Address and Port Lists section in this guide. The ACL/NAT rule is disabled internally and is not used for matching traffic while:- This attribute is specifying one or more addressLists and - All of these addressLists are empty or do not exist (soft-reference case) and - The rule does not specify any direct source address |
rule.source.ports |
Specifies a list of source service ports or port ranges against which the packet will be compared. Port 0 is a valid value, that functions as a service port, not as a wildcard. |
rule.source.portLists |
Specifies the F5BigCnePortList by metadata.name against which the packet will be compared. See the Address and Port Lists section in this guide. The ACL/NAT rule is disabled internally and is not used for matching traffic while:- This attribute is specifying one or more portLists and - All of these portLists are empty or do not exist (soft-reference case) and - The rule does not specify any direct source port |
rule.source.vlans |
Specifies a list of F5BigNetVlans in an array. |
rule.source.zones |
Specifies an array of VALN ZONE names (strings) and will be an empty array by default. For more information, refer to F5BigCneZone guide. The ACL/NAT rule is disabled internally and is not used for matching traffic while: - This attribute is specifying one or more zones and - All of these zones are empty or do not exist (soft-reference case) or refer to only non-existent VLANs |
rule.destination.addresses |
Specifies a list of IPv4 or IPv6 destination addresses against which the packet will be compared: host 2002::33:22, subnet 2003::/64, or range 2002::33:22-2002::33:50. |
rule.destination.ports |
Specifies a list of destination service ports or port ranges against which the packet will be compared. Port 0 is a valid value, that functions as a service port, not as a wildcard. |
rule.destination.zones |
Specifies an array of VALN ZONE names (strings) and will be an empty array by default. For more information, refer to F5BigCneZone guide. The ACL/NAT rule is disabled internally and is not used for matching traffic while: - This attribute is specifying one or more zones and - All of these zones are empty or do not exist (soft-reference case) or refer to only non-existent VLANs |
rule.destination.addressLists |
Specifies the F5BigCneAddressList by metadata.name against which the packet will be compared. See the Address and Port Lists section in this guide. The ACL/NAT rule is disabled internally and is not used for matching traffic while:- This attribute is specifying one or more addressLists and - All of these addressLists are empty or do not exist (soft-reference case) and - The rule does not specify any direct destination address |
rule.destination.portLists |
Specifies the F5BigCnePortList by metadata.name against which the packet will be compared. See the Address and Port Lists section in this guide. The ACL/NAT rule is disabled internally and is not used for matching traffic while:- This attribute is specifying one or more portLists and - All of these portLists are empty or do not exist (soft-reference case) and - The rule does not specify any direct destination port |
rule.ruleList |
Specifies the firewall rulelist name this rule references. |
To add, modify, or delete the firewall rules easily, you need to break the firewall rules list into multiple smaller units and store them in F5BigFwRulelist CR.
CR Example¶
apiVersion: "k8s.f5net.com/v1"
kind: F5BigFwPolicy
metadata:
name: "cnf-fw-policy"
namespace: "cnf-gateway"
spec:
rule:
- name: allow-10-20-http
action: "accept"
logging: true
ipProtocol: tcp
source:
addresses:
- "2002::10:20:0:0/96"
zones:
- "zone1"
- "zone2"
destination:
ports:
- "80"
zones:
- "zone3"
- "zone4"
- name: allow-10-30-ftp
action: "accept"
logging: true
ipProtocol: tcp
source:
addresses:
- "2002::10:30:0:0/96"
zones:
- "zone1"
- "zone2"
destination:
ports:
- "20"
- "21"
zones:
- "zone3"
- "zone4"
- name: drop-all
action: "drop"
logging: true
ipProtocol: any
source:
addresses:
- "::0/0"
- "0.0.0.0/0"
Maximum rule size¶
When F5BigFwPolicy CRs are installed into the cluster, the firewall rule set is declared in the metadata.annotations
section of the installed CR. It is important to note that Kubernetes does not allow the metadata.annotations
section to exceed 262144 bytes of data, and will log an error message stating this size limitation.
CR shortName¶
CR shortNames provide an easy way to view installed CRs, and their configuration parameters. The CR shortName can also be used to delete the CR instance. The F5BigFwPolicy CR shortName is fwpol.
View CR instance:
oc get fwpol -n <namespace>
View CR configuration:
oc get fwpol -n <namespace> -o yaml
Address and Port lists¶
Complex lists of IP addresses and service ports can be configured using the F5BigCneAddresslist and F5BigCnePortlist CRs. The address and port list CRs can then be referenced by the F5BigDdosProfile CR.
Address list:
apiVersion: "k8s.f5net.com/v1"
kind: F5BigCneAddresslist
metadata:
name: "allow-ipv6"
namespace: "cnf-gateway"
spec:
addresses:
- "2002::33:22-2002::33:50"
- "2003::/64"
- "2004::1"
Port list:
apiVersion: "k8s.f5net.com/v1"
kind: F5BigCnePortlist
metadata:
name: allow-5000s
spec:
ports:
- "5000-5500"
Firewall mode¶
CNFs default firewall mode controls how network packets are handled when either of these conditions are met:
- None of the installed CNFs CRs reference a F5BigFwPolicy.
- A CNFs CR does reference a F5BigFwPolicy, however, packets do not match any of the rules.
The table below describes each of the default firewall mode settings:
Mode | Behavior |
---|---|
accept |
Network packets are accepted and processed by TMM. This is the default setting. |
drop |
Network packets are silently dropped. |
reject |
Network packets are rejected. For TCP connections, a RST (reset) packet is sent in reponse. |
By default, the firewall mode accepts all network packets not matching a F5BigFwPolicy firewall rule. You can modify this behavior prior using the F5BigContextGlobal Custom Resource (CR).
Installation¶
Use these steps to install the example F5BigFwPolicy CR, and the optional CNFs CRs. Each step offers a brief description of the example CR.
Tip: Open a second shell to view the CNFs Event Logs while installing.
Optional: The example F5BigLogHslpub CR specifies a remote server with IP/port [2002::10:30:2:220]:514, and the udp protocol. Copy and paste the example into a YAML file:
Note: The F5BigLogHslpub CR will be referenced by the F5BigLogProfile.
apiVersion: k8s.f5net.com/v1 kind: F5BigLogHslpub metadata: name: "cnf-hsl-pub" namespace: "cnf-gateway" spec: pool: - name: "hsl-pool" endpoint: - "[2002::10:30:2:220]:514" syslog: - name: "cnf-syslog" format: "rfc5424" protocol: "udp" pool: "hsl-pool"
Install the F5BigLogHslpub CR:
oc apply -f cnf-hsl-cr.yaml
In this example, the BIG-IP Controller logs indicate the F5BigLogHslpub CR was added/updated:
I0202 12:00:00.12347 1 event.go:282 Event(v1.ObjectReference{Kind:"F5Hslpub", F5Hslpub cnf-gateway/cnf-hsl-pub was added/updated
Optional: The example F5BigLogProfile CR specifies firewall events such as aclMatchAccept and aclMatchDrop, and sends them to the remove logging server. Copy and paste the example into a YAML file:
Note: The F5BigLogProfile CR will be referenced by the F5BigContextSecure CR.
apiVersion: "k8s.f5net.com/v1" kind: F5BigLogProfile metadata: name: "cnf-log-profile" namespace: "cnf-gateway" spec: name: "cnf-logs" firewall: enabled: true network: publisher: "cnf-hsl-pub" events: aclMatchAccept: true aclMatchDrop: true tcpEvents: true translationFields: true
Install the F5BigLogProfile CR:
oc apply -f cnf-log-cr.yaml
In this example, the BIG-IP Controller logs indicate the F5BigLogProfile CR was added/updated:
I0202 12:00:00.12348 1 event.go:282 Event(v1.ObjectReference{Kind:"F5LogProfile", LogProfile cnf-gateway/cnf-log-profile was added/updated
The example F5BigFwPolicy CR allows HTTP port 80 and FTP ports 20 and 21 from source IP subnet 2002::10:30:0:0/96. Copy and paste the example into a YAML file:
Note: The F5BigFwPolicy CR will be referenced by the F5BigContextSecure CR.
apiVersion: "k8s.f5net.com/v1" kind: F5BigFwPolicy metadata: name: "cnf-fw-policy" namespace: "cnf-gateway" spec: rule: - name: allow-http action: "accept" logging: true ipProtocol: tcp source: addresses: - "2002::10:20:0:0/96" zones: - "zone1" - "zone2" destination: ports: - "80" zones: - "zone3" - "zone4" - name: allow-ftp action: "accept" logging: true ipProtocol: tcp source: addresses: - "2002::10:30:0:0/96" zones: - "zone1" - "zone2" destination: ports: - "20" - "21" zones: - "zone3" - "zone4" - name: drop-all action: "drop" logging: true ipProtocol: any source: addresses: - "::0/0" - "0.0.0.0/0"
Install the F5BigFwPolicy CR:
oc apply -f cnf-fw-cr.yaml
In this example, the BIG-IP Controller logs indicate the F5BigFwPolicy CR was added/updated:
I0202 12:00:00.12346 1 event.go:282 Event(v1.ObjectReference{Kind:"F5FirewallPolicy", FirewallPolicy cnf-gateway/cnf-fw-policy was added/updated
Optional: The example F5BigContextSecure CR listens for connections destined to the 2002::200:200:200:0/112 subnet on the subscriber-vlan interface, and references all of the installed CRs. Copy and paste the example into a YAML file:
apiVersion: k8s.f5net.com/v1 kind: F5BigContextSecure metadata: name: "cnf-context" namespace: "cnf-gateway" spec: ipv6destinationAddress: "2002::200:200:200:0/112" destinationPort: 0 firewallEnforcedPolicy: "cnf-fw-policy" logProfile: "cnf-log-profile" ipProtocol: "any" profile: "fastL4" vlans: vlanList: - "subscriber-vlan"
Install the F5BigContextSecure CR:
oc apply -f f5-cnf-context.yaml
In this example, the BIG-IP Controller logs indicate the F5BigContextSecure CR was added/updated:
I0202 12:00:00:12350 1 event.go:282] Event(v1.ObjectReference{Kind:"F5SecureContext", SecureContext cnf-gateway/cnf-context was added/updated
Continue to the Additional CRs and Firewall statistics sections.
Additional CRs¶
The F5BigFwPolicy can also be referenced by these CNFs CRs:
- F5BigAlgFtp - File Transfer Protocol (FTP) application layer gateway services.
- F5BigAlgTftp - Trivial File Transfer Protocol (TFTP) application layer gateway services.
- F5BigAlgPptp - Point-to-Point Tunneling Protocol (PPTP) application layer gateway services.
- F5BigAlgRtsp - Real Time Streaming Protocol (RTSP) application layer gateway services.
Firewall statistics¶
If the TMM Debug sidecar is enabled (default), use the steps below to verify firewall filtering statics.
Log in to the TMM debug Pod:
In this example, the TMM debug container is in the cnf-gateway namespace:
oc exec -it deploy/f5-tmm -c debug -n cnf-gateway -- bash
Verify the F5BigFwPolicy statistics:
tmctl -d blade fw_rule_stat
context_type context_name ------------ ------------------------------------------ virtual cnf-gateway-cnf-fw-policy-SecureContext_vs rule_name micro_rules counter last_hit_time action ------------------------------------ ----------- ------- ------------- ------ allow-10-20-http-firewallpolicyrule 1 2 1638572860 2 allow-10-30-ftp-firewallpolicyrule 1 5 1638573270 2
Feedback¶
Provide feedback to improve this document by emailing cnfdocs@f5.com.