Configure DANOS Firewall
Besides basic routing, the DANOS virtual router also has a firewall capability we can use for demonstrations.
Create a firewall rule to allow UDP traffic on port dp0s4 from the packet generator to the traffic sink.
Submit the following to the SDNC NETCONF mount created previously (replace with your vFW name, k8s host IP and SDNC nodeport; this example is from Postman):
PUT https://{{sdnc_ssl_port}}/restconf/config/network-topology:network-topology/topology/topology-netconf/node/vofwl01fwleccf/yang-ext:mount/vyatta-security-v1:security/firewall
Add firewall rule payload:
{
  "vyatta-security-firewall-v1:firewall": {
    "name": [
      {
        "ruleset-name": "ONAP_DANOS_PGN",
        "description": "Allow UDP port 8080",
        "rule": [
          {
            "tagnode": 100,
            "protocol": "udp",
            "action": "accept",
            "destination": {
              "address": "192.168.20.250",
              "port": 8080
            }
          }
        ]
      }
    ]
  }
}
Traffic is not affected, since we haven't attached the rule to a port yet.
Attach the firewall rule to port dp0s4
PUT https://{{sdnc_ssl_port}}/restconf/config/network-topology:network-topology/topology/topology-netconf/node/vofwl01fwleccf/yang-ext:mount/vyatta-interfaces-v1:interfaces/vyatta-interfaces-dataplane-v1:dataplane/dp0s4/firewall
Attach firewall rule to dp0s4 payload:
{
  "vyatta-security-firewall-v1:firewall": {
    "in": [
      "ONAP_DANOS_PGN"
    ]
  }
}
Traffic should still be routed.
Change the policy to drop the UDP traffic
PUT https://{{sdnc_ssl_port}}/restconf/config/network-topology:network-topology/topology/topology-netconf/node/vofwl01fwleccf/yang-ext:mount/vyatta-security-v1:security/firewall
Drop traffic payload:
{
  "vyatta-security-firewall-v1:firewall": {
    "name": [
      {
        "ruleset-name": "ONAP_DANOS_PGN",
        "description": "Allow UDP port 8080",
        "rule": [
          {
            "tagnode": 100,
            "protocol": "udp",
            "action": "drop",
            "destination": {
              "address": "192.168.20.250",
              "port": 8080
            }
          }
        ]
      }
    ]
  }
}
Traffic to the traffic sink will go to zero.
Reapply the allow action ("accept" in the first payload) to see traffic flow again.
In the upper left panel you can see the traffic go to zero with the "drop" action and back to normal with the "allow" policy re-applied.
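The three states walked through above (ruleset defined but not attached, attached with "accept", attached with "drop") can be checked offline against the payloads themselves. The following is an added example, not part of the original page or of DANOS/SDNC: verdict() and walk_through() are hypothetical helpers, and the sketch assumes exact-match comparison on protocol, destination address and port, with rules tried in ascending tagnode order.

```python
KEY = "vyatta-security-firewall-v1:firewall"

def ruleset(action):
    """Constructed copy of the page's ruleset payload with the given action."""
    return {KEY: {"name": [{
        "ruleset-name": "ONAP_DANOS_PGN",
        "rule": [{"tagnode": 100, "protocol": "udp", "action": action,
                  "destination": {"address": "192.168.20.250", "port": 8080}}]}]}}

# Constructed copy of the page's interface payload for dp0s4.
ATTACH = {KEY: {"in": ["ONAP_DANOS_PGN"]}}

def verdict(fw_cfg, if_cfg, proto, dst, port):
    """Action the configured rules give a packet arriving inbound on the interface.

    'unfiltered': no ruleset is attached inbound, so the ruleset has no effect.
    'no-match':   a ruleset is attached but no rule matched, or the attached name
                  does not exist; the router's behaviour then is outside this sketch.
    """
    attached = (if_cfg or {}).get(KEY, {}).get("in", [])
    if not attached:
        return "unfiltered"
    by_name = {r["ruleset-name"]: r for r in fw_cfg.get(KEY, {}).get("name", [])}
    for name in attached:
        rules = by_name.get(name, {}).get("rule", [])
        for rule in sorted(rules, key=lambda r: r["tagnode"]):
            dest = rule.get("destination", {})
            # A field missing from the rule is treated as a wildcard (assumption).
            if (rule.get("protocol") in (None, proto)
                    and dest.get("address") in (None, dst)
                    and dest.get("port") in (None, port)):
                return rule["action"]
    return "no-match"

def walk_through():
    """Replay the page's three steps for the packet generator's UDP flow."""
    pkt = ("udp", "192.168.20.250", 8080)
    return [verdict(ruleset("accept"), None, *pkt),    # ruleset created only
            verdict(ruleset("accept"), ATTACH, *pkt),  # attached to dp0s4
            verdict(ruleset("drop"), ATTACH, *pkt)]    # action changed to drop

if __name__ == "__main__":
    print(walk_through())
```

The two configuration arguments have the same shape as the bodies sent to the security/firewall and dp0s4/firewall URLs above, so the same check can be run on configuration read back from the mount.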