Exercises firewall

From NET Wiki
Latest revision as of 13:14, 12 October 2017

Exercise: Firewall

  • Topology is the same as that used for load balancing

(40P) Simple firewall

    • We will be using the load-balancer experiment as basis
    • Put blocker.py (https://projects.gwdg.de/projects/mayutan-public/repository/raw/courses/SDN/2017_2018_WS/exercises/ex3/blocker.py) in pox/ext/blocker.py (POX loads components from ext/, so it can then be started by the name blocker)
    • Start the topology with fixed host MACs (00:00:00:00:00:0N for hN), pre-populated ARP tables and a remote controller:
  $ sudo mn --topo single,6 --mac --arp --controller remote
    • Start POX with the MAC-learning switch, the blocker and the interactive interpreter:
  $ ./pox/pox.py forwarding.l2_learning blocker py
      • Note that there is a space between blocker and py: py is a separate POX component that opens the interactive prompt used for block(80) below
      • or give the ports on the command line instead (not recommended):
  $ ./pox/pox.py forwarding.l2_learning blocker --ports=80,8888,8000
    • Start a web server in h1
  h1$ python -m SimpleHTTPServer 80
      • (SimpleHTTPServer is the Python 2 module; on Python 3 the equivalent is python3 -m http.server 80)
    • Try to perform curl or wget from h2 to h1
  h2$ curl 10.0.0.1
    • Then block port 80 in the POX controller
  pox> block(80)
    • Now, again try the following and report what happens (note whether the connection is refused, reset, or simply hangs until it times out)
  h2$ curl 10.0.0.1

(60P) Advanced Firewall

    • Take a look here for commands and examples of how to create a match and an action: http://openflow.stanford.edu/display/ONL/POX+Wiki/
    • Topology: https://projects.gwdg.de/projects/mayutan-public/repository/raw/courses/SDN/2017_2018_WS/exercises/ex3/1.firewall-fig.pdf
    • Aim: Implement a layer 2 firewall that runs alongside the MAC learning module on the POX OpenFlow Controller. Your firewall should be agnostic to the underlying topology: take a list of MAC address pairs as input and install a drop rule for each pair on every switch in the network (for example when each switch connects, so the firewall needs no knowledge of where the hosts are attached).
    • Note that MAC learning runs in conjunction with the firewall, so both applications install flow entries on the same switches. Therefore you have to assign a priority to each application's entries: a firewall drop rule must have a higher priority than the forwarding entries installed by l2_learning (which uses POX's default, of.OFP_DEFAULT_PRIORITY = 0x8000); otherwise the learned forwarding entry matches first and the block never takes effect. A match covers one direction only, so install a rule for each direction of a pair. Keep in mind that a MAC-based policy is only as strong as the MAC addresses themselves: a host that changes its MAC address is no longer matched.
    • Copy firewall.py from https://projects.gwdg.de/projects/mayutan-public/repository/raw/courses/SDN/2017_2018_WS/exercises/ex3/firewall.py into the pox/pox/misc folder
    • Start editing firewall.py (note that you can enter the MAC IDs directly; there is no need to read them from a .csv file as stated in the code)
      • Write code to block h1 to h2 (MAC IDs: 00:00:00:00:00:01, 00:00:00:00:00:02)
    • Tip
      • to send the msg to the switch, use event.connection.send(msg)
      • msg is of type of.ofp_flow_mod(); a flow_mod with a match and no actions drops every packet it matches
    • Do the following to quickly test the code
  $ ./pox/pox.py --verbose forwarding.l2_learning misc.firewall
  $ sudo mn --topo single,3 --controller remote --mac
  $ dpctl dump-flows tcp:127.0.0.1:6634
      • dpctl lists the switch's flow entries with their priorities: check that your drop rules are present with the higher priority and that their packet counters increase when h1 pings h2. If the connection to port 6634 is refused (newer Mininet versions start the first switch's listener on 6654), run dpctl dump-flows from the Mininet CLI or use sudo ovs-ofctl dump-flows s1 instead.
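The following is an added example of the component the aim above asks for; it is not the course's firewall.py and not POX's own code. It expands each MAC pair into a drop rule for both directions, installs them on every switch as it connects (so it works for any topology), and puts them one priority step above l2_learning's entries. The policy handling is plain Python and the POX API is only imported inside install_rules(), Firewall and launch(), so the module can be imported and tested without a POX checkout. The --pairs=MAC/MAC,MAC/MAC syntax, the default h1/h2 pair and the constant 0x8000 for l2_learning's priority (POX's OFP_DEFAULT_PRIORITY) are assumptions of this example.

```python
# Added example for the Advanced Firewall exercise (not the course's
# firewall.py). Save as pox/pox/misc/firewall.py and start it with
#   ./pox/pox.py --verbose forwarding.l2_learning misc.firewall [--pairs=...]
import re

# l2_learning installs its forwarding entries with POX's default priority
# (of.OFP_DEFAULT_PRIORITY == 0x8000). Drop rules must sit above that,
# otherwise the learned forwarding entry matches first and nothing is blocked.
L2_LEARNING_PRIORITY = 0x8000
FIREWALL_PRIORITY = L2_LEARNING_PRIORITY + 1

# Pairs blocked when none are given on the command line: h1 <-> h2 of the
# exercise (constructed default for this example).
DEFAULT_PAIRS = [("00:00:00:00:00:01", "00:00:00:00:00:02")]

_MAC_RE = re.compile(r"^[0-9a-fA-F]{2}(:[0-9a-fA-F]{2}){5}$")


def normalize_mac(mac):
    """Return the MAC in lower-case colon form, or raise ValueError."""
    mac = mac.strip()
    if not _MAC_RE.match(mac):
        raise ValueError("bad MAC address: %r" % (mac,))
    return mac.lower()


def build_rules(pairs, priority=FIREWALL_PRIORITY):
    """Expand (a, b) pairs into one rule per direction, deduplicated.

    Each rule is a dict with the fields later copied into an ofp_flow_mod;
    an empty action list means 'drop'. A pair whose two ends are equal is
    rejected: it would block nothing useful and usually hides a typo.
    """
    seen = set()
    rules = []
    for a, b in pairs:
        a, b = normalize_mac(a), normalize_mac(b)
        if a == b:
            raise ValueError("pair %s/%s blocks a host from itself" % (a, b))
        for src, dst in ((a, b), (b, a)):
            if (src, dst) in seen:
                continue
            seen.add((src, dst))
            rules.append({"dl_src": src, "dl_dst": dst,
                          "priority": priority, "actions": []})
    return rules


def parse_pairs(spec):
    """Parse the assumed --pairs=MAC/MAC,MAC/MAC,... command-line syntax."""
    pairs = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        ends = item.split("/")
        if len(ends) != 2:
            raise ValueError("expected MAC/MAC, got %r" % (item,))
        pairs.append((ends[0], ends[1]))
    return pairs


def install_rules(connection, rules):
    """Send one ofp_flow_mod per rule to the switch behind `connection`."""
    import pox.openflow.libopenflow_01 as of  # POX API, imported lazily
    from pox.lib.addresses import EthAddr
    for rule in rules:
        msg = of.ofp_flow_mod()
        msg.priority = rule["priority"]
        msg.match.dl_src = EthAddr(rule["dl_src"])
        msg.match.dl_dst = EthAddr(rule["dl_dst"])
        # No action is appended: an entry with an empty action list drops
        # every packet it matches.
        connection.send(msg)


class Firewall(object):
    """POX component: installs the drop rules on every switch that connects."""

    def __init__(self, rules):
        from pox.core import core
        self.rules = rules
        self.log = core.getLogger()
        core.openflow.addListenerByName("ConnectionUp",
                                        self._handle_ConnectionUp)

    def _handle_ConnectionUp(self, event):
        from pox.lib.util import dpid_to_str
        install_rules(event.connection, self.rules)
        self.log.info("installed %d drop rules on %s",
                      len(self.rules), dpid_to_str(event.dpid))


def launch(pairs=None):
    """POX entry point; `pairs` comes from --pairs=... on the command line."""
    from pox.core import core
    pair_list = parse_pairs(pairs) if pairs else DEFAULT_PAIRS
    core.registerNew(Firewall, build_rules(pair_list))
```

With the single,3 topology from the test commands, h1 ping h2 should fail while h1 ping h3 still works, and dpctl dump-flows should show the two entries with priority=32769 (0x8001) whose n_packets counter grows as the blocked pings arrive; the learned forwarding entries appear below them at priority=32768.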