class SoftLayer::VLANFirewall

The VLANFirewall class represents the firewall that protects all the servers on a VLAN in the SoftLayer Environment. It is also known as a “Dedicated Firewall” in some documentation.

Instances of this class are a bit odd because they actually represent a VLAN (the VLAN protected by the firewall to be specific), and not the physical hardware implementing the firewall itself. (although the device is accessible as the “networkVlanFirewall” property)

As a result, instances of this class correspond to certain instances in the SoftLayer_Network_Vlan service.

Attributes

VLAN_number[R]

The number of the VLAN protected by this firewall.

DEPRECATION WARNING: This attribute is deprecated in favor of #vlan_number and will be removed in the next major release.

vlan_number[R]

The number of the VLAN protected by this firewall.

Public Class Methods

find_firewalls(client = nil) click to toggle source

Collect a list of the firewalls on the account.

This list is obtained by asking the account for all the VLANs it has that also have a networkVlanFirewall component.

# File lib/softlayer/VLANFirewall.rb, line 241
def self.find_firewalls(client = nil)
  softlayer_client = client || Client.default_client
  raise "#{__method__} requires a client but none was given and Client::default_client is not set" if !softlayer_client

  # only VLAN firewalls have a networkVlanFirewall component
  vlan_firewall_filter = SoftLayer::ObjectFilter.new() { |filter|
    filter.accept("networkVlans.networkVlanFirewall").when_it is_not_null
  }

  vlan_firewalls = softlayer_client[:Account].object_mask(vlan_firewall_mask).object_filter(vlan_firewall_filter).getNetworkVlans
  vlan_firewalls.collect { |firewall_data| SoftLayer::VLANFirewall.new(softlayer_client, firewall_data)}
end

Public Instance Methods

cancel!(notes = nil) click to toggle source

Cancel the firewall

This method cancels the firewall and releases its resources. The cancellation is processed immediately! Call this method with careful deliberation!

Notes is a string that describes the reason for the cancellation. If empty or nil, a default string will be added.

# File lib/softlayer/VLANFirewall.rb, line 123
def cancel!(notes = nil)
  user = self.softlayer_client[:Account].object_mask("mask[id,account.id]").getCurrentUser
  notes = "Cancelled by a call to #{__method__} in the softlayer_api gem" if notes == nil || notes == ""

  cancellation_request = {
    'accountId' => user['account']['id'],
    'userId'    => user['id'],
    'items' => [ {
      'billingItemId' => self['networkVlanFirewall']['billingItem']['id'],
      'immediateCancellationFlag' => true
      } ],
    'notes' => notes
  }

  self.softlayer_client[:Billing_Item_Cancellation_Request].createObject(cancellation_request)
end
change_routing_bypass!(routing_symbol) click to toggle source

This method allows you to route traffic around the firewall and directly to the servers it protects. Compare the behavior of this routine with change_rules_bypass!

It is important to note that changing the routing to :route_around_firewall removes ALL the protection offered by the firewall. This routine should be used with extreme discretion.

Note that this routine constructs a transaction. The Routing change may not happen immediately.

The two symbols accepted as arguments by the routine are: :route_through_firewall - Network traffic is sent through the firewall to the servers in the VLAN segment it protects. This is the usual operating mode of the firewall. :route_around_firewall - Network traffic will be sent directly to the servers in the VLAN segment protected by this firewall. This means that the firewall will NOT be protecting those servers.

# File lib/softlayer/VLANFirewall.rb, line 221
def change_routing_bypass!(routing_symbol)
  vlan_firewall_id = self['networkVlanFirewall']['id']

  raise "Could not identify the device for a VLAN firewall" if !vlan_firewall_id

  case routing_symbol
  when :route_through_firewall
    self.softlayer_client[:Network_Vlan_Firewall].object_with_id(vlan_firewall_id).updateRouteBypass(false)
  when :route_around_firewall
    self.softlayer_client[:Network_Vlan_Firewall].object_with_id(vlan_firewall_id).updateRouteBypass(true)
  else
    raise ArgumentError, "An invalid parameter was sent to #{__method__}. It accepts :route_through_firewall and :route_around_firewall"
  end
end
change_rules!(rules_data) click to toggle source

Change the set of rules for the firewall. The rules_data parameter should be an array of hashes where each hash gives the conditions of the rule. The keys of the hashes should be entries from the array returned by SoftLayer::ServerFirewall.default_rules_mask_keys

NOTE! When changing the rules on the firewall, you must pass in a complete set of rules each time. The rules you submit will replace the entire ruleset on the destination firewall.

NOTE! The rules themselves have an “orderValue” property. It is this property, and not the order that the rules are found in the rules_data array, which will determine in which order the firewall applies its rules to incoming traffic.

NOTE! Changes to the rules are not applied immediately on the server side. Instead, they are enqueued by the firewall update service and updated periodically. A typical update will take about one minute to apply, but times may vary depending on the system load and other circumstances.

# File lib/softlayer/VLANFirewall.rb, line 162
def change_rules!(rules_data)
  change_object = {
    "firewallContextAccessControlListId" => rules_ACL_id(),
    "rules" => rules_data
  }

  self.softlayer_client[:Network_Firewall_Update_Request].createObject(change_object)
end
change_rules_bypass!(bypass_symbol) click to toggle source

This method asks the firewall to ignore its rule set and pass all traffic through the firewall. Compare the behavior of this routine with change_routing_bypass!

It is important to note that changing the bypass to :bypass_firewall_rules removes ALL the protection offered by the firewall. This routine should be used with extreme discretion.

Note that this routine queues a rule change and rule changes may take time to process. The change will probably not take effect immediately.

The two symbols accepted as arguments by this routine are: :apply_firewall_rules - The rules of the firewall are applied to traffic. This is the default operating mode of the firewall :bypass_firewall_rules - The rules of the firewall are ignored. In this configuration the firewall provides no protection.

# File lib/softlayer/VLANFirewall.rb, line 187
def change_rules_bypass!(bypass_symbol)
  change_object = {
    "firewallContextAccessControlListId" => rules_ACL_id(),
    "rules" => self.rules
  }

  case bypass_symbol
  when :apply_firewall_rules
    change_object['bypassFlag'] = false
    self.softlayer_client[:Network_Firewall_Update_Request].createObject(change_object)
  when :bypass_firewall_rules
    change_object['bypassFlag'] = true
    self.softlayer_client[:Network_Firewall_Update_Request].createObject(change_object)
  else
    raise ArgumentError, "An invalid parameter was sent to #{__method__}. It accepts :apply_firewall_rules and :bypass_firewall_rules"
  end
end
fqdn() click to toggle source

The fully qualified domain name of the physical device the firewall is implemented by.

# File lib/softlayer/VLANFirewall.rb, line 82
def fqdn
  if self.has_sl_property?('networkVlanFirewall')
    return self['networkVlanFirewall']['fullyQualifiedDomainName']
  else
    return @softlayer_hash
  end
end
fullyQualifiedDomainName() click to toggle source

The fully qualified domain name of the physical device the firewall is implemented by.

DEPRECATION WARNING: This method is deprecated in favor of fqdn and will be removed in the next major release.

# File lib/softlayer/VLANFirewall.rb, line 96
def fullyQualifiedDomainName
  if self.has_sl_property?('networkVlanFirewall')
    return self['networkVlanFirewall']['fullyQualifiedDomainName']
  else
    return @softlayer_hash
  end
end
high_availability?() click to toggle source

Returns true if this is a “high availability” firewall, that is a firewall that exists as one member of a redundant pair.

# File lib/softlayer/VLANFirewall.rb, line 107
def high_availability?
  # note that highAvailabilityFirewallFlag is a boolean in the softlayer hash
  return self.has_sl_property?('highAvailabilityFirewallFlag') && self['highAvailabilityFirewallFlag']
end
primaryRouter() click to toggle source

Returns the name of the primary router the firewall is attached to. This is often a “customer router” in one of the datacenters.

DEPRECATION WARNING: This method is deprecated in favor of #primary_router and will be removed in the next major release.

# File lib/softlayer/VLANFirewall.rb, line 75
def primaryRouter
  return self['primaryRouter']['hostname']
end
primary_router() click to toggle source

Returns the name of the primary router the firewall is attached to. This is often a “customer router” in one of the datacenters.

# File lib/softlayer/VLANFirewall.rb, line 65
def primary_router
  return self['primaryRouter']['hostname']
end
rules(force_update=false) click to toggle source

Retrieve the set of rules applied by this firewall to incoming traffic. The object will retrieve the rules from the network API every time you ask it for the rules.

The code will sort the rules by their “orderValue” which is the order that the firewall applies the rules, however please see the important note in change_rules! concerning the “orderValue” property of the rules.

# File lib/softlayer/VLANFirewall.rb, line 49
sl_dynamic_attr :rules do |firewall_rules|
  firewall_rules.should_update? do
    # firewall rules update every time you ask for them.
    return true
  end

  firewall_rules.to_update do
    acl_id = rules_ACL_id()
    rules_data = self.softlayer_client[:Network_Firewall_AccessControlList].object_with_id(acl_id).object_mask(self.class.default_rules_mask).getRules
    rules_data.sort { |lhs, rhs| lhs['orderValue'] <=> rhs['orderValue'] }
  end
end
service() click to toggle source 
# File lib/softlayer/VLANFirewall.rb, line 258
def service
  # Objects of this class are a bit odd because they actually represent VLANs (the VLAN protected by the firewall)
  # and not the physical hardware implementing the firewall itself.  (although the device is accessible as the
  # "networkVlanFirewall" property)
  self.softlayer_client[:Network_Vlan].object_with_id(self.id)
end
softlayer_properties(object_mask = nil) click to toggle source 
# File lib/softlayer/VLANFirewall.rb, line 265
def softlayer_properties(object_mask = nil)
  service = self.service
  service = service.object_mask(object_mask) if object_mask
  service.object_mask(self.class.vlan_firewall_mask).getObject
end