June 4, 2013


Getting started with Firewalls


SoftLayer provides two flavors of firewall service that share some API components. Single device firewall solutions are interacted with through the SoftLayer_Network_Component_Firewall service and VLAN firewalls can be accessed with the SoftLayer_Network_Firewall_AccessControlList service.

Single device firewalls

Listing

SoftLayer_Network_Component_Firewall objects are attached to the device they protect, so the best way to retrieve a list of all firewalls protecting dedicated servers is a call to SoftLayer_Account::getHardware with an object mask for "firewallServiceComponent". A list of firewalls protecting Cloud Computing Instances can be found with SoftLayer_Account::getVirtualGuests using the same object mask.

$client = SoftLayer_SoapClient::getClient('SoftLayer_Account', null, $apiUser, $apiKey);
// Pull the attached firewall component along with each server record
$objectMask = "mask.firewallServiceComponent";
$client->setObjectMask($objectMask);
$hardware = $client->getHardware();
print_r($hardware);

Rules

Listing

Each SoftLayer_Network_Component_Firewall object stores its rules in the "rules" relational property. This property contains an array of SoftLayer_Network_Component_Firewall_Rule objects. These objects define the firewall rule and how it will behave. We can retrieve a list of these rules with SoftLayer_Network_Component_Firewall::getRules.

$client = SoftLayer_SoapClient::getClient('SoftLayer_Network_Component_Firewall', 12345, $apiUser, $apiKey);
$rules = $client->getRules();
print_r($rules);

Modification

A firewall's ruleset is modified by passing a SoftLayer_Network_Firewall_Update_Request template object to SoftLayer_Network_Firewall_Update_Request::createObject. The entire ruleset is rewritten with each update request. This means it is necessary to include all past unchanged rules along with any modifications or additions. This is easily accomplished by pulling in the existing rules as described above then modifying the gathered array.
Each SoftLayer_Network_Component_Firewall_Update_Request_Rule object requires:

  • action - permit or deny
  • destinationIpAddress - destination address
  • destinationIpSubnetMask - subnet mask for destination
  • sourceIpAddress - originating address
  • sourceIpSubnetMask - subnet mask for origin address
  • protocol - tcp/udp
  • destinationPortRangeStart - first port the rule will affect
  • destinationPortRangeEnd - last port the rule will affect
  • orderValue - order in which rules are applied (lower is sooner)

$firewallId = 123456;
$firewallClient = SoftLayer_SoapClient::getClient('SoftLayer_Network_Component_Firewall', $firewallId, $apiUser, $apiKey);
// Start from the current ruleset; the update request replaces it in full
$rules = $firewallClient->getRules();
 
// Adding a rule
$newRule = new stdClass();
$newRule->action = 'permit';
$newRule->destinationIpAddress = '172.16.0.1';
$newRule->destinationIpSubnetMask = '255.255.255.255';
$newRule->destinationPortRangeStart = 1;
$newRule->destinationPortRangeEnd = 25;
$newRule->orderValue = count($rules) + 1;
$newRule->protocol = 'tcp';
$newRule->sourceIpAddress = '192.168.1.1';
$newRule->sourceIpSubnetMask = '255.255.255.255';
$rules[] = $newRule;
 
// Modifying a rule: flip every rule from this source address to deny
$ipToDeny = '192.168.1.2';
foreach ($rules as $key => $rule) {
    if ($rule->sourceIpAddress == $ipToDeny) {
        $rules[$key]->action = 'deny';
    }
}
 
// Deleting a rule: anything not in the array is dropped by the update
$ipToDelete = '192.168.1.3';
foreach ($rules as $key => $rule) {
    if ($rule->sourceIpAddress == $ipToDelete) {
        unset($rules[$key]);
    }
}

The update request object requires the following properties:

$updateRequestClient = SoftLayer_SoapClient::getClient('SoftLayer_Network_Firewall_Update_Request', null, $apiUser, $apiKey);
$updateRequestTemplate = new stdClass();
$updateRequestTemplate->networkComponentFirewallId = $firewallId;
$updateRequestTemplate->rules = $rules;
$result = $updateRequestClient->createObject($updateRequestTemplate);
print_r($result);

SoftLayer_Network_Firewall_Update_Request::createObject will return a fully populated SoftLayer_Network_Firewall_Update_Request object and it will enter the update queue. The request is typically processed within 60 seconds.

VLAN routed firewalls

VLAN routed firewalls provide protection to an entire SoftLayer_Network_Vlan rather than a specific server. Many of the concepts from single device firewalls translate to VLAN routed firewalls; however, there are some small differences. The interaction point for VLAN routed firewalls is the SoftLayer_Network_Firewall_AccessControlList service.

Each VLAN has two types of firewallInterface, 'inside' and 'outside'. firewallContextAccessControlLists are organized by a direction of 'in' or 'out'. Currently the SoftLayer platform supports the 'outside' firewallInterface and the 'in' ACLs.

Listing

A list of all VLAN routed firewalls can be gathered with a call to SoftLayer_Account::getNetworkVlans with an object mask for firewallInterfaces.firewallContextAccessControlLists.

$client = SoftLayer_SoapClient::getClient('SoftLayer_Account', null, $apiUser, $apiKey);
$objectMask = "mask.firewallInterfaces.firewallContextAccessControlLists";
$client->setObjectMask($objectMask);
$vlans = $client->getNetworkVlans();
 
foreach ($vlans as $vlan) {
    if ($vlan->firewallInterfaces) {
        print_r($vlan);
    }
}

Rules

Listing

Each SoftLayer_Network_Firewall_AccessControlList object stores its rules in the "rules" relational property. This property contains an array of SoftLayer_Network_Component_Firewall_Rule objects. These objects define the firewall rule and how it will behave. We can retrieve a list of these rules with SoftLayer_Network_Firewall_AccessControlList::getRules.

$vlanFirewallId = 1234;
$client = SoftLayer_SoapClient::getClient('SoftLayer_Network_Firewall_AccessControlList', $vlanFirewallId, $apiUser, $apiKey);
$rules = $client->getRules();
print_r($rules);

Modification

A firewall's ruleset is modified by passing a SoftLayer_Network_Firewall_Update_Request template object to SoftLayer_Network_Firewall_Update_Request::createObject. The entire ruleset is rewritten with each update request. This means it is necessary to include all past unchanged rules along with any modifications or additions. This is easily accomplished by pulling in the existing rules as described above then modifying the gathered array.
Each SoftLayer_Network_Component_Firewall_Update_Request_Rule object requires:

  • action - permit or deny
  • destinationIpAddress - destination address
  • destinationIpSubnetMask - subnet mask for destination
  • sourceIpAddress - originating address
  • sourceIpSubnetMask - subnet mask for origin address
  • protocol - tcp/udp
  • destinationPortRangeStart - first port the rule will affect
  • destinationPortRangeEnd - last port the rule will affect
  • orderValue - order in which rules are applied (lower is sooner)

$vlanFirewallId = 123456;
$firewallClient = SoftLayer_SoapClient::getClient('SoftLayer_Network_Firewall_AccessControlList', $vlanFirewallId, $apiUser, $apiKey);
// Start from the current ruleset; the update request replaces it in full
$rules = $firewallClient->getRules();
 
// Adding a rule
$newRule = new stdClass();
$newRule->action = 'permit';
$newRule->destinationIpAddress = '172.16.0.1';
$newRule->destinationIpSubnetMask = '255.255.255.255';
$newRule->destinationPortRangeStart = 1;
$newRule->destinationPortRangeEnd = 25;
$newRule->orderValue = count($rules) + 1;
$newRule->protocol = 'tcp';
$newRule->sourceIpAddress = '192.168.1.1';
$newRule->sourceIpSubnetMask = '255.255.255.255';
$rules[] = $newRule;
 
// Modifying a rule: flip every rule from this source address to deny
$ipToDeny = '192.168.1.2';
foreach ($rules as $key => $rule) {
    if ($rule->sourceIpAddress == $ipToDeny) {
        $rules[$key]->action = 'deny';
    }
}
 
// Deleting a rule: anything not in the array is dropped by the update
$ipToDelete = '192.168.1.3';
foreach ($rules as $key => $rule) {
    if ($rule->sourceIpAddress == $ipToDelete) {
        unset($rules[$key]);
    }
}

The update request object requires the following properties:

$updateRequestClient = SoftLayer_SoapClient::getClient('SoftLayer_Network_Firewall_Update_Request', null, $apiUser, $apiKey);
$updateRequestTemplate = new stdClass();
// For a VLAN ACL the template carries the ACL id instead of networkComponentFirewallId
$updateRequestTemplate->firewallContextAccessControlListId = $vlanFirewallId;
$updateRequestTemplate->rules = $rules;
$result = $updateRequestClient->createObject($updateRequestTemplate);
print_r($result);

SoftLayer_Network_Firewall_Update_Request::createObject will return a fully populated SoftLayer_Network_Firewall_Update_Request object and it will enter the update queue. The request is typically processed within 60 seconds.
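Because createObject replaces the whole ruleset, a rule lost from the array or a duplicate orderValue changes what the firewall enforces without any error. The following is an added example, not SoftLayer's own code, that serves both the single device and the VLAN ACL modification flows above: it renumbers orderValue after a deletion and checks the rebuilt array before it is placed in the template. The rules, ids and helper names are constructed here and no API call is made.

```php
// Added example, not SoftLayer's own code. createObject replaces the whole ruleset,
// so check the rebuilt array before submitting it (single device and VLAN ACL alike).
// Close the gaps unset() leaves and renumber orderValue 1..n, keeping existing order.
function renumberRules(array $rules): array
{
    $rules = array_values($rules);
    usort($rules, fn($a, $b) => $a->orderValue <=> $b->orderValue);
    foreach ($rules as $i => $rule) {
        $rule->orderValue = $i + 1;
    }
    return $rules;
}

// Return a list of problems; an empty list means the ruleset is safe to submit.
function validateRules(array $rules, int $expectedCount): array
{
    $required = ['action', 'protocol', 'orderValue', 'sourceIpAddress', 'sourceIpSubnetMask',
        'destinationIpAddress', 'destinationIpSubnetMask', 'destinationPortRangeStart', 'destinationPortRangeEnd'];
    $problems = [];
    if (count($rules) !== $expectedCount) {
        $problems[] = "expected $expectedCount rules, got " . count($rules);
    }
    $seen = [];
    foreach ($rules as $i => $r) {
        foreach ($required as $p) {
            if (!isset($r->$p)) $problems[] = "rule $i: missing $p";
        }
        if (!in_array($r->action ?? '', ['permit', 'deny'], true)) $problems[] = "rule $i: bad action";
        $o = $r->orderValue ?? '';
        if (isset($seen[$o])) $problems[] = "rule $i: duplicate orderValue $o";
        $seen[$o] = true;
    }
    return $problems;
}

// Constructed sample: three rules shaped like getRules() output; the middle one is deleted.
$mk = function (int $order, string $src) {
    $r = new stdClass();
    $r->action = 'permit'; $r->protocol = 'tcp'; $r->orderValue = $order;
    $r->sourceIpAddress = $src; $r->sourceIpSubnetMask = '255.255.255.255';
    $r->destinationIpAddress = '172.16.0.1'; $r->destinationIpSubnetMask = '255.255.255.255';
    $r->destinationPortRangeStart = 22; $r->destinationPortRangeEnd = 22;
    return $r;
};
$rules = [$mk(1, '192.168.1.1'), $mk(2, '192.168.1.3'), $mk(3, '192.168.1.2')];
unset($rules[1]);                // leaves orderValue 1 and 3, so count($rules) + 1 would collide
$rules = renumberRules($rules);  // orderValue is now 1, 2 with no gap
$problems = validateRules($rules, 2);
echo $problems ? implode("\n", $problems) . "\n" : "ruleset ok, assign it to the template's rules property\n";
```

Run the check against the array you intend to submit and only then assign it to the template's rules property; the expected count is the number of rules you meant to keep, so a stale or accidentally cleared array is caught before the queue processes it.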