Firewall modules give the same protection to devices on SDN as traditional firewalls on a physical network. Access control list (ACL) rules control whether a flow should be set up to a specific destination. The firewall application has been implemented as a Floodlight module that enforces ACL rules on OpenFlow-enabled switches in the network. The packet monitoring is done using the packet-in messages.
The essential commands for working with the firewall module are:
- Enabling the module:
curl http://localhost:8080/wm/firewall/module/enable/json -X PUT -d ''
- Adding an allow rule that lets all flows pass through switch 00:00:00:00:00:00:00:A5:
curl -X POST -d '{"switchid": "00:00:00:00:00:00:00:A5"}' http://localhost:8080/wm/firewall/rules/json
Once enabled, the firewall denies every flow by default; only flows that match an explicit allow rule are set up.
- Allowing UDP between IP hosts 20.0.1.14 and 20.0.1.99, and then blocking port 25. ARP is allowed in both directions first, so the hosts can resolve each other; the port-25 rules match it as the transport source port (tp-src) and carry an explicit DENY action:
curl -X POST -d '{"src-ip": "20.0.1.14/32", "dst-ip": "20.0.1.99/32", "dl-type":"ARP" }' http://localhost:8080/wm/firewall/rules/json
curl -X POST -d '{"src-ip": "20.0.1.99/32", "dst-ip": "20.0.1.14/32", "dl-type":"ARP" }' http://localhost:8080/wm/firewall/rules/json
curl -X POST -d '{"src-ip": "20.0.1.14/32", "dst-ip": "20.0.1.99/32", "nw-proto":"UDP" }' http://localhost:8080/wm/firewall/rules/json
curl -X POST -d '{"src-ip": "20.0.1.99/32", "dst-ip": "20.0.1.14/32", "nw-proto":"UDP" }' http://localhost:8080/wm/firewall/rules/json
curl -X POST -d '{"src-ip": "20.0.1.14/32", "dst-ip": "20.0.1.99/32", "nw-proto":"UDP", "tp-src":"25", "action":"DENY" }' http://localhost:8080/wm/firewall/rules/json
curl -X POST -d '{"src-ip": "20.0.1.99/32", "dst-ip": "20.0.1.14/32", "nw-proto":"UDP", "tp-src":"25", "action":"DENY" }' http://localhost:8080/wm/firewall/rules/json
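As an added example (not code from the page or from Floodlight), the Python script below builds the six rule bodies above, prints the curl commands that would post them, and evaluates a packet against the rule set under a simple local model of the firewall's decision: implicit deny, rules ordered by their priority (Floodlight rules carry a priority field that is not shown on the page; the model assumes highest first, ties in insertion order), first matching rule wins. It makes the ordering caveat visible: with every rule at the same priority, the broad UDP allow is matched before the port-25 deny, so the deny only takes effect when it is given precedence.

```python
import ipaddress
import json

# Floodlight firewall REST endpoint from the page; this script only builds and
# evaluates rule bodies locally, it never contacts the controller.
RULES_URL = "http://localhost:8080/wm/firewall/rules/json"
H1, H2 = "20.0.1.14/32", "20.0.1.99/32"  # the two hosts from the page

def pair(a, b, match):
    """Two rule bodies, a->b and b->a, sharing the extra match fields.
    Prefixes are validated, so a stray space as in '20.0.1.14 /32' raises ValueError."""
    for prefix in (a, b):
        ipaddress.ip_network(prefix)
    return [{"src-ip": a, "dst-ip": b, **match}, {"src-ip": b, "dst-ip": a, **match}]

def page_policy(deny_priority=0):
    """The six rules from the page, in the order they are posted. deny_priority is an
    assumption of this model: when non-zero, the DENY rules get that priority value."""
    rules = pair(H1, H2, {"dl-type": "ARP"})
    rules += pair(H1, H2, {"nw-proto": "UDP"})
    deny = pair(H1, H2, {"nw-proto": "UDP", "tp-src": "25", "action": "DENY"})
    if deny_priority:
        for rule in deny:
            rule["priority"] = deny_priority
    return rules + deny

def to_curl(rule):
    """The curl command that would POST this rule body (same shape as on the page)."""
    return f"curl -X POST -d '{json.dumps(rule)}' {RULES_URL}"

def matches(rule, pkt):
    """A field absent from the rule is a wildcard; IP fields match by prefix."""
    for key, want in rule.items():
        if key in ("action", "priority"):
            continue
        have = pkt.get(key)
        if key in ("src-ip", "dst-ip"):
            if have is None or ipaddress.ip_address(have) not in ipaddress.ip_network(want):
                return False
        elif str(have) != str(want):
            return False
    return True

def evaluate(rules, pkt):
    """Model of the decision: highest priority first (ties keep insertion order),
    the first matching rule decides, and no match means the implicit DENY."""
    ordered = sorted(enumerate(rules), key=lambda ir: (-int(ir[1].get("priority", 0)), ir[0]))
    for _, rule in ordered:
        if matches(rule, pkt):
            return rule.get("action", "ALLOW").upper()
    return "DENY"

if __name__ == "__main__":
    for rule in page_policy():
        print(to_curl(rule))
```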