F5BigFwRulelist
Overview
The F5BigFwRulelist Custom Resource (CR) consists of an array of ACL rules. A rule list supports the same features as standard ACL rules.
Parameters
The tables below describe the F5BigFwRulelist CR parameters.
metadata

| Parameter | Description |
|---|---|
| name | The name of the F5BigFwRulelist. |
| namespace | The Kubernetes namespace where the firewall policy is installed. |
spec

| Parameter | Description |
|---|---|
| rule.name | Specifies the name of the firewall rule. |
| rule.ipProtocol | Specifies the IP protocol against which the packet will be compared. The default value is "any". For a complete list of supported protocols, refer to the F5BigFwRulelist IP Protocols. |
| rule.action | Specifies the action to apply to a packet that matches the ACL rule: "accept", "drop", or "reject". |
| rule.logging | Enables or disables logging for ACL rule matches. Valid values are true or false (default). |
| rule.source.addresses | Specifies a list of IPv4 or IPv6 source addresses against which the packet will be compared. Supported formats include a single host (2002::10:10:10:1), a subnet (2002::10:10:0:0/96), or a range (2002::10:10:10:1-2002::10:10:10:20). |
| rule.source.addressLists | Specifies the F5BigCneAddressList by its metadata.name against which the packet will be compared. The ACL/NAT rule is internally disabled and not used for matching traffic when all of the following conditions are true: this attribute specifies one or more addressLists; all of these addressLists are empty or do not exist (soft-reference case); and the rule does not specify any direct source address. For more information, refer to Defining Address and Port Lists. |
| rule.source.ports | Specifies a list of source service ports or port ranges against which the packet will be compared. Port 0 is a valid value and functions as a specific service port, not as a wildcard. |
| rule.source.portLists | Specifies the F5BigCnePortList by its metadata.name against which the packet will be compared. The ACL/NAT rule is internally disabled and not used for matching traffic when all of the following conditions are true: this attribute specifies one or more portLists; all of these portLists are empty or do not exist (soft-reference case); and the rule does not specify any direct source port. For more information, refer to Defining Address and Port Lists. |
| rule.source.vlans | Specifies a list of F5BigNetVlans in an array. |
| rule.source.zones | Specifies an array of VLAN zone names (strings). By default, this is an empty array. The ACL/NAT rule is internally disabled and not used for matching traffic when this attribute specifies one or more zones, and all of these zones are empty, do not exist (soft-reference case), or refer only to non-existent VLANs. For more information, refer to the F5BigCneZone CR. |
| rule.source.geos | Specifies the geographical location (country or region) from which the traffic originates. GEO entries are treated as another way of specifying IP addresses, so they are ORed with the IP addresses specified either directly in the rule or in referenced address lists. Other matching criteria, such as ports, are ANDed with the GEO/IP criteria, so to match a firewall rule the traffic must match (a GEO or an IP) and all the other matching criteria. By default, traffic is allowed from all geographical locations. Use rule.source.geos to allow or block traffic based on the source location in the following formats: a 2-letter country code, for example "US" for the United States or "IN" for India; or country and region (CountryCode:RegionName), for example "US:California". The CountryCode must match the code2 value in the GeoIPv3_Countries_Regions.json file, which is part of the GeoIP Database, and the RegionName must match the name_f5 value (F5-assigned region name) in the same file. For more information, refer to the GeoIP Database. |
| rule.destination.addresses | Specifies a list of IPv4 or IPv6 destination addresses against which the packet will be compared. Supported formats include a single host (2002::10:10:10:1), a subnet (2002::10:10:0:0/96), or a range (2002::10:10:10:1-2002::10:10:10:20). |
| rule.destination.ports | Specifies a list of destination service ports or port ranges against which the packet will be compared. Port 0 is a valid value and functions as a specific service port, not as a wildcard. |
| rule.destination.zones | Specifies an array of VLAN zone names (strings). By default, this is an empty array. The ACL/NAT rule is internally disabled and not used for matching traffic when this attribute specifies one or more zones, and all of these zones are empty, do not exist (soft-reference case), or refer only to non-existent VLANs. For more information, refer to the F5BigCneZone CR. |
| rule.destination.geos | Specifies the geographical location (country or region) to which the traffic is directed. GEO entries are treated as another way of specifying IP addresses, so they are ORed with the IP addresses specified either directly in the rule or in referenced address lists. Other matching criteria, such as ports, are ANDed with the GEO/IP criteria, so to match a firewall rule the traffic must match (a GEO or an IP) and all the other matching criteria. By default, traffic is allowed to all geographical locations. Use rule.destination.geos to allow or block traffic based on the destination location in the following formats: a 2-letter country code, for example "US" for the United States or "IN" for India; or country and region (CountryCode:RegionName), for example "US:California". The CountryCode must match the code2 value in the GeoIPv3_Countries_Regions.json file, which is part of the GeoIP Database, and the RegionName must match the name_f5 value (F5-assigned region name) in the same file. For more information, refer to the GeoIP Database. |
| rule.destination.addressLists | Specifies the F5BigCneAddressList by its metadata.name against which the packet will be compared. The ACL/NAT rule is internally disabled and not used for matching traffic when all of the following conditions are true: this attribute specifies one or more addressLists; all of these addressLists are empty or do not exist (soft-reference case); and the rule does not specify any direct destination address. For more information, refer to Defining Address and Port Lists. |
| rule.destination.portLists | Specifies the F5BigCnePortList by its metadata.name against which the packet will be compared. The ACL/NAT rule is internally disabled and not used for matching traffic when all of the following conditions are true: this attribute specifies one or more portLists; all of these portLists are empty or do not exist (soft-reference case); and the rule does not specify any direct destination port. For more information, refer to Defining Address and Port Lists. |
| servicePolicy | Specifies the Service Policy to apply. |
CR Example

```yaml
apiVersion: "k8s.f5net.com/v1"
kind: F5BigFwRulelist
metadata:
  name: "rulelist2"
  namespace: "cnf-gateway"
spec:
  rule:
  - name: rule1
    ipProtocol: tcp
    source:
      addresses:
      - "11.45.43.22.102"
      zones:
      - "zone1"
      - "zone2"
    destination:
      ports:
      - "80"
      zones:
      - "zone3"
      - "zone4"
      addresses:
      - "22.55.44.44.102"
    action: "accept"
    logging: true
    servicePolicy: "service-policy1"
  - name: rule2
    ipProtocol: tcp
    source:
      addresses:
      - "11.45.43.22.103"
      zones:
      - "zone1"
      - "zone2"
    destination:
      ports:
      - "80"
      zones:
      - "zone3"
      - "zone4"
      addresses:
      - "22.55.44.44.103"
    action: "accept"
    logging: true
  - name: rule3
    source:
      geos:
      - "US:California"
    destination:
      geos:
      - "MX:Baja California"
      - "MX:Chihuahua"
    action: "accept"
    logging: true
```
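As an added example (not part of the F5 documentation), the following Python pre-apply lint checks a rule list manifest against the semantics the parameter table documents: the three address formats, the "CC" or "CC:RegionName" GEO format, and the soft-reference case in which a rule that only references empty or missing address lists is silently disabled. The manifest is built as a Python dict rather than parsed from YAML, and the cluster address-list snapshot and the list name `blocked-cidrs` are constructed for the example.

```python
import ipaddress

def _valid_address(spec):
    """The CR accepts a single host, a CIDR subnet, or a lo-hi range of one IP version."""
    try:
        if "-" in spec:
            lo, hi = (ipaddress.ip_address(p) for p in spec.split("-", 1))
            return lo.version == hi.version and lo <= hi
        ipaddress.ip_network(spec, strict=False)   # also accepts a bare host address
        return True
    except ValueError:
        return False

def _valid_geo(geo):
    """GEO entries are "CC" or "CC:RegionName"; a trailing ':' with no region is invalid."""
    cc, sep, region = geo.partition(":")
    return len(cc) == 2 and cc.isalpha() and cc.isupper() and (not sep or bool(region))

def lint_rulelist(cr, address_lists):
    """Return findings for one F5BigFwRulelist CR. address_lists maps each
    F5BigCneAddressList name to its current addresses (missing key = list absent)."""
    findings = []
    for rule in cr["spec"]["rule"]:
        name = rule.get("name", "<unnamed>")
        for side in ("source", "destination"):
            sel = rule.get(side, {})
            for addr in sel.get("addresses", []):
                if not _valid_address(addr):
                    findings.append(f"{name}: {side} address {addr!r} is malformed")
            # Soft-reference case from the parameter table: every referenced list is empty
            # or missing and no direct address is given, so the rule is silently disabled.
            refs = sel.get("addressLists", [])
            if refs and not sel.get("addresses") and all(not address_lists.get(r) for r in refs):
                findings.append(f"{name}: {side} addressLists {refs} empty/missing, rule disabled")
            for geo in sel.get("geos", []):
                if not _valid_geo(geo):
                    findings.append(f"{name}: geo {geo!r} must be CC or CC:RegionName")
    return findings

# Constructed sample: rule1 reuses the page's malformed 5-octet address, rule2 only references an empty list.
SAMPLE_CR = {"apiVersion": "k8s.f5net.com/v1", "kind": "F5BigFwRulelist",
    "metadata": {"name": "rulelist2", "namespace": "cnf-gateway"},
    "spec": {"rule": [
        {"name": "rule1", "ipProtocol": "tcp", "action": "accept", "logging": True,
         "source": {"addresses": ["11.45.43.22.102"]}, "destination": {"ports": ["80"]}},
        {"name": "rule2", "action": "drop", "logging": True, "source": {"addressLists": ["blocked-cidrs"]}},
        {"name": "rule3", "action": "accept", "logging": True,
         "source": {"geos": ["US:California"]}, "destination": {"geos": ["MX:Baja California"]}}]}}
CLUSTER_ADDRESS_LISTS = {"blocked-cidrs": []}   # constructed snapshot of the cluster state
```

Running `lint_rulelist(SAMPLE_CR, CLUSTER_ADDRESS_LISTS)` reports the malformed address on rule1 and the disabled rule2, while rule3 passes.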
Maximum Firewall Rule List Size Limit
When F5BigFwRulelist CRs are installed into the cluster, the firewall rule list set is declared in the metadata.annotations section of the installed CR. Note that Kubernetes does not allow the metadata.annotations section to exceed 262144 bytes of data, and logs an error message stating this size limitation.
CR ShortName
CR shortNames provide a convenient way to view installed CRs and their configuration parameters. They can also be used to delete CR instances more easily. The F5BigFwRulelist CR shortName is fwrl.
View CR instances:

```sh
oc get fwrl -n <namespace>
```

View CR configuration:

```sh
oc get fwrl -n <namespace> -o yaml
```
Creating a Firewall Rule List and Firewall Policy
To create a firewall rule list using the F5BigFwRulelist CR, you must first define the rule list and then reference its name within the F5BigFwPolicy CR. For additional details, refer to the F5BigFwPolicy CR.
Prerequisites
Ensure that you have the following:
- Installed the BIG-IP Controller.
- A Linux-based workstation.
Procedure
Tip: Open a second shell to view the CNFs Event Logs while installing.
1. Copy the example F5BigFwRulelist CR below into a YAML file to create a firewall rule list named rulelist1. This rule list allows HTTP traffic (port 80) from the 10.10.10.0/24 subnet and drops all other traffic, with logging enabled on both rules.

```yaml
apiVersion: "k8s.f5net.com/v1"
kind: F5BigFwRulelist
metadata:
  name: "rulelist1"
  namespace: "cnf-gateway"
spec:
  rule:
  - name: "accept-http"
    ipProtocol: tcp
    source:
      addresses:
      - "10.10.10.0/24"
    destination:
      ports:
      - "80"
    action: "accept"
    logging: true
  - name: "drop-all"
    ipProtocol: any
    source:
      addresses:
      - "0.0.0.0/0"
    action: drop
    logging: true
```

2. Apply the F5BigFwRulelist CR that you have created.

```sh
oc apply -f f5-cnf-rulelist.yaml
```

In this example, the BIG-IP Controller logs indicate the F5BigFwRulelist CR was added/updated.

```
I0202 12:00:00.12346 1 event.go:282 Event(v1.ObjectReference{Kind:"F5Rulelist", Rulelist cnf-gateway/rulelist1 was added/updated
```

3. Copy the example F5BigFwPolicy CR below into a YAML file to reference the rulelist1 created in Step 1. This policy also includes a direct rule to allow specific TCP traffic with logging enabled.

```yaml
apiVersion: "k8s.f5net.com/v1"
kind: F5BigFwPolicy
metadata:
  name: "cnf-fw-policy"
  namespace: "cnf-gateway"
spec:
  rule:
  - name: ACL-rule-1
    rulelist: rulelist1
  - name: ACL-rule-2
    ipProtocol: tcp
    source:
      addresses:
      - "55.45.42.21.100"
      zones:
      - "zone1"
      - "zone2"
    destination:
      addresses:
      - "58.48.48.29.100"
      zones:
      - "zone3"
      - "zone4"
    action: "accept"
    logging: true
```

4. Apply the F5BigFwPolicy CR that you have created.

```sh
oc apply -f cnf-fw-cr.yaml
```

In this example, the BIG-IP Controller logs indicate the F5BigFwPolicy CR was added/updated.

```
I0202 12:00:00.12346 1 event.go:282 Event(v1.ObjectReference{Kind:"F5FirewallPolicy", FirewallPolicy cnf-gateway/cnf-fw-policy was added/updated
```
Verifying Firewall Rule List Statistics with TMM Debug Sidecar
If the TMM Debug sidecar is enabled (default), follow these steps to verify the firewall rule list statistics.
1. Log in to the TMM debug Pod. In this example, the TMM debug container is in the cnf-gateway namespace:

```sh
oc exec -it deploy/f5-tmm -c debug -n cnf-gateway -- bash
```

2. Verify the F5BigFwRulelist statistics.

```sh
tmctl -d blade fw_rule_stat
```

```
context_type context_name
------------ ------------------------------------------
virtual      cnf-gateway-cnf-fw-policy-SecureContext_vs

rule_name                      micro_rules counter last_hit_time action
------------------------------ ----------- ------- ------------- ------
ACL-rule-2-firewallpolicyrule  1           0       0             2
rulelist1-firewallrulelist1    1           1       16904491000   2
```