Getting Started with Firewalls

SoftLayer offers two firewall services that share the same API components. Single-device firewall solutions are accessed through the SoftLayer_Network_Component_Firewall service, and VLAN firewalls through the SoftLayer_Network_Firewall_AccessControlList service.

Single-Device Firewalls

Listing

A SoftLayer_Network_Component_Firewall object is attached to the device it protects. The best way to retrieve the list of all firewalls protecting dedicated servers is to call SoftLayer_Account::getHardware with an object mask of "firewallServiceComponent". The same object mask can be used with SoftLayer_Account::getVirtualGuests to find the firewalls protecting cloud computing instances.

// Fetch every dedicated server on the account together with its attached firewall, if any.
$client = SoftLayer_SoapClient::getClient('SoftLayer_Account', null, $apiUser, $apiKey);
$objectMask = "mask.firewallServiceComponent";
$client->setObjectMask($objectMask);
$hardware = $client->getHardware();
print_r($hardware);

Rules

Listing

Each SoftLayer_Network_Component_Firewall object stores its rules in the "rules" relational property, which contains an array of SoftLayer_Network_Component_Firewall_Rule objects. These objects define the firewall's rules and their behavior. The list of rules can be retrieved via SoftLayer_Network_Component_Firewall::getRules.

// 12345 is the id of the SoftLayer_Network_Component_Firewall whose rules are being listed.
$client = SoftLayer_SoapClient::getClient('SoftLayer_Network_Component_Firewall', 12345, $apiUser, $apiKey);
$rules = $client->getRules();
print_r($rules);

Modifying

A firewall's rule set is modified by passing a SoftLayer_Network_Firewall_Update_Request template object to SoftLayer_Network_Firewall_Update_Request::createObject. The entire rule set is rewritten with every update request, which means every existing rule that is to remain unchanged must be included along with all modifications and additions. The easiest way to do this is to retrieve the existing rules as shown above and then edit the collected array. Each SoftLayer_Network_Component_Firewall_Update_Request_Rule object requires:

  • action - permit or deny
  • destinationIpAddress - the destination address
  • destinationIpSubnetMask - the subnet mask of the destination address
  • sourceIpAddress - the source address
  • sourceIpSubnetMask - the subnet mask of the source address
  • protocol - tcp/udp
  • destinationPortRangeStart - the first port the rule applies to
  • destinationPortRangeEnd - the last port the rule applies to
  • orderValue - the order in which the rule is applied (lower values are applied first)

$firewallId = 123456;
$firewallClient = SoftLayer_SoapClient::getClient('SoftLayer_Network_Component_Firewall', $firewallId, $apiUser, $apiKey);
// Start from the complete current rule set: the update request replaces everything.
$rules = $firewallClient->getRules();

// Adding a rule: permit TCP ports 1-25 from 192.168.1.1 to 172.16.0.1
$newRule = new stdClass();
$newRule->action = 'permit';
$newRule->destinationIpAddress = '172.16.0.1';
$newRule->destinationIpSubnetMask = '255.255.255.255';
$newRule->destinationPortRangeStart = 1;
$newRule->destinationPortRangeEnd = 25;
$newRule->orderValue = count($rules) + 1; // applied after all existing rules
$newRule->protocol = 'tcp';
$newRule->sourceIpAddress = '192.168.1.1';
$newRule->sourceIpSubnetMask = '255.255.255.255';
$rules[] = $newRule;

// Modifying a rule: change every rule for this source address to deny
$ipToDeny = '192.168.1.2';
foreach ($rules as $key => $rule) {
    if ($rule->sourceIpAddress == $ipToDeny) {
        $rules[$key]->action = 'deny';
    }
}

// Deleting a rule: drop every rule for this source address
$ipToDelete = '192.168.1.3';
foreach ($rules as $key => $rule) {
    if ($rule->sourceIpAddress == $ipToDelete) {
        unset($rules[$key]);
    }
}

The update request object requires the following properties:

$updateRequestClient = SoftLayer_SoapClient::getClient('SoftLayer_Network_Firewall_Update_Request', null, $apiUser, $apiKey);
$updateRequestTemplate = new stdClass();
$updateRequestTemplate->networkComponentFirewallId = $firewallId;
// array_values() re-indexes the array after unset() so it is sent as a list, not a struct.
$updateRequestTemplate->rules = array_values($rules);
$result = $updateRequestClient->createObject($updateRequestTemplate);
print_r($result);

SoftLayer_Network_Firewall_Update_Request::createObject returns a fully populated SoftLayer_Network_Firewall_Update_Request object, which is placed in the update queue. The request is usually processed within 60 seconds.

VLAN-Routed Firewalls

A VLAN-routed firewall protects an entire SoftLayer_Network_Vlan rather than a specific server. Much of what applies to single-device firewalls carries over to VLAN-routed firewalls, but there are some subtle differences. The point of interaction for VLAN-routed firewalls is the SoftLayer_Network_Firewall_AccessControlList service.

Each VLAN has two types of firewallInterface: "inside" and "outside". firewallContextAccessControlLists are organized by direction, "in" or "out". The SoftLayer platform currently supports the "outside" firewallInterface and the "in" ACL.

Listing

The list of all VLAN-routed firewalls can be gathered by calling SoftLayer_Account::getNetworkVlans with an object mask of firewallInterfaces.firewallContextAccessControlLists.

$client = SoftLayer_SoapClient::getClient('SoftLayer_Account', null, $apiUser, $apiKey);
$objectMask = "mask.firewallInterfaces.firewallContextAccessControlLists";
$client->setObjectMask($objectMask);
$vlans = $client->getNetworkVlans();

// Only VLANs that have at least one firewall interface carry a VLAN-routed firewall.
foreach ($vlans as $vlan) {
    if (!empty($vlan->firewallInterfaces)) {
        print_r($vlan);
    }
}

Rules

Listing

Each SoftLayer_Network_Firewall_AccessControlList object stores its rules in the "rules" relational property, which contains an array of SoftLayer_Network_Component_Firewall_Rule objects. These objects define the firewall's rules and their behavior. The list of rules can be retrieved via SoftLayer_Network_Firewall_AccessControlList::getRules.

// 1234 is the id of the SoftLayer_Network_Firewall_AccessControlList whose rules are being listed.
$vlanFirewalId = 1234;
$client = SoftLayer_SoapClient::getClient('SoftLayer_Network_Firewall_AccessControlList', $vlanFirewalId, $apiUser, $apiKey);
$rules = $client->getRules();
print_r($rules);

Modifying

The rule set of a VLAN-routed firewall is modified by passing a SoftLayer_Network_Firewall_Update_Request template object to SoftLayer_Network_Firewall_Update_Request::createObject. The entire rule set is rewritten with every update request, which means every existing rule that is to remain unchanged must be included along with all modifications and additions. The easiest way to do this is to retrieve the existing rules as shown above and then edit the collected array. Each SoftLayer_Network_Component_Firewall_Update_Request_Rule object requires:

  • action - permit or deny
  • destinationIpAddress - the destination address
  • destinationIpSubnetMask - the subnet mask of the destination address
  • sourceIpAddress - the source address
  • sourceIpSubnetMask - the subnet mask of the source address
  • protocol - tcp/udp
  • destinationPortRangeStart - the first port the rule applies to
  • destinationPortRangeEnd - the last port the rule applies to
  • orderValue - the order in which the rule is applied (lower values are applied first)

$vlanFirewalId = 123456;
$firewallClient = SoftLayer_SoapClient::getClient('SoftLayer_Network_Firewall_AccessControlList', $vlanFirewalId, $apiUser, $apiKey);
// Start from the complete current rule set: the update request replaces everything.
$rules = $firewallClient->getRules();

// Adding a rule: permit TCP ports 1-25 from 192.168.1.1 to 172.16.0.1
$newRule = new stdClass();
$newRule->action = 'permit';
$newRule->destinationIpAddress = '172.16.0.1';
$newRule->destinationIpSubnetMask = '255.255.255.255';
$newRule->destinationPortRangeStart = 1;
$newRule->destinationPortRangeEnd = 25;
$newRule->orderValue = count($rules) + 1; // applied after all existing rules
$newRule->protocol = 'tcp';
$newRule->sourceIpAddress = '192.168.1.1';
$newRule->sourceIpSubnetMask = '255.255.255.255';
$rules[] = $newRule;

// Modifying a rule: change every rule for this source address to deny
$ipToDeny = '192.168.1.2';
foreach ($rules as $key => $rule) {
    if ($rule->sourceIpAddress == $ipToDeny) {
        $rules[$key]->action = 'deny';
    }
}

// Deleting a rule: drop every rule for this source address
$ipToDelete = '192.168.1.3';
foreach ($rules as $key => $rule) {
    if ($rule->sourceIpAddress == $ipToDelete) {
        unset($rules[$key]);
    }
}

The update request object requires the following properties:

$updateRequestClient = SoftLayer_SoapClient::getClient('SoftLayer_Network_Firewall_Update_Request', null, $apiUser, $apiKey);
$updateRequestTemplate = new stdClass();
$updateRequestTemplate->firewallContextAccessControlListId = $vlanFirewalId;
// array_values() re-indexes the array after unset() so it is sent as a list, not a struct.
$updateRequestTemplate->rules = array_values($rules);
$result = $updateRequestClient->createObject($updateRequestTemplate);
print_r($result);

SoftLayer_Network_Firewall_Update_Request::createObject returns a fully populated SoftLayer_Network_Firewall_Update_Request object, which is placed in the update queue. The request is usually processed within 60 seconds.
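Because every update request rewrites the whole rule set, for both the single-device firewall and the VLAN-routed firewall sections above, it is worth checking the assembled array before calling createObject: an empty or malformed set would be applied as-is. The helper below is an added example and is not part of the SoftLayer documentation or client library; it assumes the stdClass rule objects built above and the field names listed in the two Modifying sections.

```php
// Added example (not SoftLayer's code): renumber and sanity-check the rule
// array built above before it is handed to createObject.
const RULE_FIELDS = ['action', 'sourceIpAddress', 'sourceIpSubnetMask',
    'destinationIpAddress', 'destinationIpSubnetMask', 'protocol',
    'destinationPortRangeStart', 'destinationPortRangeEnd', 'orderValue'];

function validateFirewallRules(array $rules): array
{
    $errors = [];
    if ($rules === []) {
        $errors[] = 'empty rule set: submitting it would remove every rule';
    }
    foreach ($rules as $i => $r) {
        foreach (RULE_FIELDS as $f) {
            if (!isset($r->$f)) $errors[] = "rule $i: missing $f";
        }
        if (!in_array($r->action ?? null, ['permit', 'deny'], true)) {
            $errors[] = "rule $i: action must be permit or deny";
        }
        if (!in_array($r->protocol ?? null, ['tcp', 'udp'], true)) {
            $errors[] = "rule $i: protocol must be tcp or udp";
        }
        foreach (['sourceIpAddress', 'sourceIpSubnetMask',
                  'destinationIpAddress', 'destinationIpSubnetMask'] as $f) {
            if (filter_var($r->$f ?? '', FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
                $errors[] = "rule $i: $f is not a valid IPv4 address";
            }
        }
        $s = $r->destinationPortRangeStart ?? 0; $e = $r->destinationPortRangeEnd ?? 0;
        if ($s < 1 || $e > 65535 || $s > $e) {
            $errors[] = "rule $i: port range $s-$e is invalid";
        }
    }
    return $errors;
}

function prepareRuleSet(array $rules): array
{
    // Re-index after unset() so SoapClient encodes a list rather than a struct,
    // then make orderValue contiguous while preserving the existing relative order.
    $rules = array_values($rules);
    usort($rules, fn($a, $b) => ($a->orderValue ?? PHP_INT_MAX) <=> ($b->orderValue ?? PHP_INT_MAX));
    foreach ($rules as $i => $r) { $r->orderValue = $i + 1; }
    if ($errors = validateFirewallRules($rules)) {
        throw new InvalidArgumentException(implode('; ', $errors));
    }
    return $rules;
}
```

Use it as `$updateRequestTemplate->rules = prepareRuleSet($rules);` in place of assigning `$rules` directly; an exception here means no request was sent, so the firewall keeps its current rules.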