Version 28 (modified by, 7 years ago) (diff)


OpenFlow Firewall


This exercise is based on as assignment by Sonia Famy, Ethan Blanton and Sriharsha Gangam of Purdue University.


In this tutorial you will learn how to build a Firewall for a network using OpenFlow. We will use the following network topology for this experiment. You will also learn how to take advantage of kernel L3 routing while using OVS . firewall topology


For this tutorial you need :


All the tools will already be installed at your nodes. For your reference we are going to use a Ryu controller.

Where to get help:

For any questions or problem with the tutorial please email


If you have already reserved the topology from a previous tutorial you can move to Execute.

1. Verify your Environment Setup:

This exercise assumes you have already setup your account at the GENI Portal. In particular ensure that:
  1. You can login to the GENI Portal
  2. You are a member of a GENI Project (there is at least one project listed under the ''Projects'' tab)
  3. You have setup your ssh keys (there is at least one key listed under the ''Profile->SSH Keys'' tab)

2. Setup the Topology:

  1. Login to the GENI Portal
  2. Reserve:
  3. Reserve:
    1. the topology from an InstaGENI rack using the OpenFlow OVS all XEN RSpec (In Portal: "OpenFlow OVS all XEN"; URL:
    2. at a different InstaGENI rack reserve a XEN OpenFlow Controller RSpec (In Portal: "XEN OpenFlow Controller"; URL:


3.1a Configure OVS

  1. Write down the interface names that correspond to the connections to your hosts (use ifconfig). The correspondence is:
    • h1_if: Interface with IP to host1 - ethX
    • h2_if: Interface with IP to host2 - ethY
    • h3_if: Interface with IP to host3 - ethZ
  2. In the OVS node run:
    wget ; chmod +x
    sudo ./ <h1_if> <h2_if> <h3_if> <controller_ip>

The controller_ip is the public IP of your controller node, look at the end for a tip on how to get the IP of a node.

  1. Look around to see what the script did:
      sudo ovs-vsctl show

3.1b Configure hosts

The hosts in your topology are all in the same subnet, We will move host3 to a different subnet:

  1. host3: Assign to host3 and add route to
     sudo ifconfig eth1
      sudo route add -net netmask gw
  1. host1, host2: Setup routes at host1 and host1 to subnet:
     sudo route add -net netmask gw

3.2 Run your firewall

  1. Run a simple learning switch controller:
    cd /tmp/pox; ./ --verbose forwarding.l2_learning
  2. Verify simple connectivity by logging into host1 ping host2
    Notice that there is still no connectivity between host1, host2 and host3 because the rules to send packets between networks to the kernel IP router are not there. Our Firewall controller will take care of this.
  3. Stop your controller by Ctrl-c and remove all your flows from your ovs switch:
    sudo ovs-ofctl del-flows fw
  4. Make your switch into a firewall by downloading and running the appropriate Ryu controller at the controller node:
    cd /tmp/ryu
    tar xvfz ryu-firewall.tar.gz
    cd ryu-firewall/
  5. Log into host3 and run a nc server:
    nc -l 5001
  6. Log into host1 and run nc clients:
    nc 5001
  7. Type some text in host1 and it should appear in host3 and vise versa.
  8. In the terminal for controller you should see messages about the flow being passed or not:
    Extracted rule {'sport': '39515', 'dport': '5002', 'sip': '', 'dip': ''}
    Allow Connection rule {'dport': '5002', 'dip': '', 'sip': '', 'sport': 'any'}
  9. CTRL-C to kill nc in each terminal.
  10. Run a nc server on port 5002, then 5003. What if you start clients at host2? Or try and send traffic between host1 and host2?
    • Compare the observed behavior to the contents of ryu-firewall/fw.conf. Does the behavior match the configuration file?
    • Stop the Firewall controller and run a simple switch controller. Is there any traffic being blocked now? Don't forget to delete the flows after you stop the controller
    • Feel free to modify the configuration file to allow more traffic.

Make sure to delete the bridges especially if you are using the same topology for another tutorial.

  sudo ovs-vsctl del-br fw


4. Cleanup

After you are done with the exercise and you have captured everything requested for the writeup, you should release your resources so that other experimenters can use them. In order to cleanup your slice :
  1. In the Portal, press the Delete button in the bottom of your canvas
  2. Select Delete at used managers and confirm your selection.
Wait and after a few moments all the resources will have been released and you will have an empty canvas again. Notice that your slice is still there. There is no way to delete a slice, it will be removed automatically after its expiration date, but remember that a slice is just an empty container so it doesn't take up any resources.


  • Remember that you can use “ifconfig” to determine which Ethernet interface (e.g., eth0) is bound to what IP address at each of the nodes.
  • In order to enable IP forwarding of packets on a node you have to execute the following command:
    sudo sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'