
OpenFlow Firewall

This exercise is based on an assignment by Sonia Fahmy, Ethan Blanton and Sriharsha Gangam of Purdue University.

For this experiment we will run an OpenFlow Firewall.

Topology figure (Firewall-2.png): http://groups.geni.net/geni/raw-attachment/wiki/GENIExperimenter/Tutorials/OpenFlowNetworkDevices/Firewall/Firewall-2.png

  1. Log into switch and run the following command to install a dependency required by the firewall controller:
    sudo pip install oslo.config
    
  2. Run a simple learning switch controller:
    cd /tmp/ryu
    ./bin/ryu-manager --verbose ryu/app/simple_switch.py
    
  3. To verify simple connectivity, log into right in a separate ssh terminal and ping left
    ping left
    
    Notice the printouts of the ryu simple switch controller.
  4. Back in the switch ssh session, stop your controller with Ctrl-c and remove all your flows using the following command:
    sudo ovs-ofctl del-flows br0
    
    (optional) Notice that you can no longer ping left from right.
  5. On the switch ssh session, make your switch into a firewall by downloading and running the appropriate Ryu controller:
    cd
    wget https://github.com/GENI-NSF/geni-tutorials/raw/master/OpenFlowNetworkDeviceFirewall/gpo-ryu-firewall.tar.gz
    tar xvfz gpo-ryu-firewall.tar.gz
    cd gpo-ryu-firewall/
    /tmp/ryu/bin/ryu-manager simple_firewall.py
    
    WARNING: If at some point your controller prints an error, kill it (Ctrl-C) and start it again.
  6. On the right ssh session run an nc server:
    nc -l 5001
    
  7. Log into left and run an nc client:
    nc 10.10.11.1 5001
    
  8. Type some text in left and it should appear in right and vice versa.
  9. In the terminal for switch you should see messages similar to those below about the flow being passed or not:
    Extracted rule {'sport': '57430', 'dport': '5001', 'sip': '10.10.10.1', 'dip': '10.10.11.1'}
    Allow Connection rule {'dport': '5001', 'dip': '10.10.11.1', 'sip': '10.10.10.1', 'sport': 'any'}
    
  10. Type CTRL-C (on left or right) to kill nc.
  11. Run a nc server on port 5002, then 5003.
    • Compare the observed behavior to the contents of ~/gpo-ryu-firewall/fw.conf. Does the behavior match the configuration file?
    • Stop the Firewall controller and run a simple switch controller. Is there any traffic being blocked now? Don't forget to delete the flows after you stop the controller.
    • Feel free to modify the configuration file to allow more traffic.
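The following is an added example, not code from the tutorial or from the gpo-ryu-firewall archive, modelling the allow/deny decision whose printouts appear in step 9. The rule fields (sip, dip, sport, dport) and the 'any' wildcard follow the dictionaries the controller prints; the rule set, the sample packets, and the stateful handling of reply packets are constructed assumptions, not the contents of fw.conf. The example goes slightly beyond the page by remembering allowed flows so that traffic from right back to left (which matches no forward rule, since its dport is the client's ephemeral port) is also accepted.

```python
# Added example: a minimal model of the firewall decision in the tutorial.
# Rule format mirrors the controller's "Allow Connection rule" printout;
# everything else here is a constructed assumption, not gpo-ryu-firewall code.

FIELDS = ("sip", "dip", "sport", "dport")

# Constructed rule set (assumption; fw.conf's real syntax is not shown on the page).
# Mirrors the rule printed in step 9: allow left -> right on TCP port 5001 from any source port.
RULES = [
    {"sip": "10.10.10.1", "dip": "10.10.11.1", "sport": "any", "dport": "5001"},
]


def extract_rule(pkt):
    """Reduce a packet (constructed dict) to the four fields the firewall matches on,
    in the same string form as the controller's "Extracted rule" printout."""
    return {f: str(pkt[f]) for f in FIELDS}


def rule_matches(rule, extracted):
    """A rule matches when every field is 'any' or equals the packet's value.
    A field missing from the rule is treated as 'any'."""
    return all(rule.get(f, "any") in ("any", extracted[f]) for f in FIELDS)


class SimpleFirewall:
    """Default-deny packet filter with first-match rule evaluation."""

    def __init__(self, rules):
        self.rules = list(rules)
        # Assumption: flows that were explicitly allowed are remembered so that
        # the reverse direction (server -> client) passes without its own rule.
        self.allowed_flows = set()

    def check(self, pkt):
        """Return ("allow", matched_rule) or ("deny", None) for one packet."""
        ext = extract_rule(pkt)
        key = (ext["sip"], ext["dip"], ext["sport"], ext["dport"])
        reverse = (ext["dip"], ext["sip"], ext["dport"], ext["sport"])
        if reverse in self.allowed_flows:
            return "allow", {"reply_of": reverse}
        for rule in self.rules:
            if rule_matches(rule, ext):
                self.allowed_flows.add(key)
                return "allow", rule
        return "deny", None


def demo():
    """Run the step 6-11 scenario: nc to 5001 (allowed, reply allowed), then 5002 (denied)."""
    fw = SimpleFirewall(RULES)
    # Constructed packets: left (10.10.10.1) talks to right (10.10.11.1).
    packets = [
        {"sip": "10.10.10.1", "dip": "10.10.11.1", "sport": 57430, "dport": 5001},  # nc client SYN
        {"sip": "10.10.11.1", "dip": "10.10.10.1", "sport": 5001, "dport": 57430},  # server reply
        {"sip": "10.10.10.1", "dip": "10.10.11.1", "sport": 57431, "dport": 5002},  # step 11: port 5002
    ]
    return [fw.check(p)[0] for p in packets]


if __name__ == "__main__":
    fw = SimpleFirewall(RULES)
    pkt = {"sip": "10.10.10.1", "dip": "10.10.11.1", "sport": 57430, "dport": 5001}
    print("Extracted rule", extract_rule(pkt))
    verdict, rule = fw.check(pkt)
    print("Allow Connection rule" if verdict == "allow" else "Blocked", rule)
    print(demo())
```

Running the script prints the extracted rule and matched rule in the same shape as the step 9 output, then the per-packet verdicts for the scenario. Because the model is default-deny with an explicit allow list, changing the behaviour for ports 5002 and 5003 means adding rules, which is what the last bullet above invites you to do in fw.conf.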


Last modified on 05/08/17 09:05:10