openstack team mailing list archive

[Aaron Rosen <arosen@xxxxxxxxxx>]

Hi Rami,


On Tue, Jun 18, 2013 at 11:36 PM, Rami Vaknin <rvaknin@xxxxxxxxxx> wrote:

> Hi,
>
> I read the security groups documentation from the admin guide, I have few
> things that I'm not sure I fully understand, any clarification would be
> appreciated:
>
>
> i. http://docs.openstack.org/**trunk/openstack-network/admin/**
> content/securitygroups.html<http://docs.openstack.org/trunk/openstack-network/admin/content/securitygroups.html>
>
> "If a security group is not specified the port will be associated with a
> 'default' security group. By default this group will drop all ingress
> traffic and allow all egress. Rules can be added to this group in order to
> change the behaviour"
>
> There is a small typo here: This should also add and allow traffic from
members of the default group.

The default behaviour is to allow all egress traffic, how do I make
> constraints on this traffic? it seems to me that the rules are kind of
> white list, how for instance can I disallow egress tcp traffic?


Correct, security groups are a white lists of what's allowed. The only way
you could disallow egress tcp traffic would be if you explicitly removed
all the egress rules and only added rules for traffic that you wanted
through. Stay tuned for the FWaaS stuff that will allow you to specifically
disallow all egress traffic rather than white list.


>
>
-----------
>
> ii. http://docs.openstack.org/**trunk/openstack-network/admin/**
> content/securitygroups.html<http://docs.openstack.org/trunk/openstack-network/admin/content/securitygroups.html>
>
> "When a port is created in OpenStack Networking it is associated with a
> security group. If a security group is not specified the port will be
> associated with a 'default' security group"
>
> I'm adding a rule without denoting the security group and I get "quantum
> security-group-rule-create: error: too few arguments", when I add "default"
> to the exact same command - it works, is this a bug or am I missing
> something?
>
>
You need to specify the security group that you want the rule to be a part
of otherwise it doesn't know which group to put our rule in.

----------
>
> iii. http://docs.openstack.org/**trunk/openstack-network/admin/**
> content/securitygroup_api_**abstractions.html<http://docs.openstack.org/trunk/openstack-network/admin/content/securitygroup_api_abstractions.html>
>
> I see that there are default values for the security group attributes,
> however, it's hard to derive what these default values means, for instance,
> "remote_ip_prefix" is the white list of the traffic source ip(s), what if I
> add a rule without denoting this "remote_ip_prefix" - does it mean that the
> traffic is allowed from any source ip(s)?
>
> Correct, if a value is not specified it is wild carded.  For example, if
one does: quantum security-group-rule-create --protocol tcp --ethertype
IPv4 default; that would allow all tcp traffic (on all ports).


-- 
>
> Thanks,
>
> Rami Vaknin.
>

Thanks,

Aaron

>
>
> ______________________________**_________________
> Mailing list: https://launchpad.net/~**openstack<https://launchpad.net/~openstack>
> Post to     : openstack@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~**openstack<https://launchpad.net/~openstack>
> More help   : https://help.launchpad.net/**ListHelp<https://help.launchpad.net/ListHelp>
>