- FWaaS uses iptables to apply firewall policy to all virtual routers within a project, and supports one firewall policy and logical firewall instance per project.
FWaaS operates at the perimeter by filtering traffic at the OpenStack Networking (neutron) router. This distinguishes it from security groups, which operate at the instance level.
FWaaS always adds a default deny all rule at the lowest precedence of each policy. Consequently, a firewall policy with no rules blocks all traffic by default.
The firewall remains in PENDING_CREATE state until an OpenStack Networking router is created, and an interface is attached.
https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/8/html/networking_guide/sec-fwaas