[openstack-dev] [Neutron] FWaaS IceHouse summit prep and IRC meeting

Yi Sun beyounn at gmail.com
Wed Oct 30 06:24:43 UTC 2013


I think the support of the subnet should be part of the address object or address book object. We should not eliminate the possibility of running a firewall as an add-on service on top of a virtual router. As a matter of fact, there are many VM-based firewalls providing a certain level of routing service anyway. And such a firewall should be able to use the router interfaces to construct the zone concept. With both address object and zone, we should be able to support most of the requirements.

Yi 


On Oct 29, 2013, at 10:59 PM, Sumit Naiksatam <sumitnaiksatam at gmail.com> wrote:

> I believe people would like to define the zone based on the router port (corresponding to that router's interface). The zone definition at port-level granularity allows one to do that.
> 
> I think your other question is answered as well (firewall will be supported on particular routers).
> 
> Thanks,
> ~Sumit.
> 
> 
> On Mon, Oct 28, 2013 at 7:12 PM, <fank at vmware.com> wrote:
> My main concern is that using a neutron port for zones may cause confusion/misconfig, while you can have two ports connected to the same network/subnet in different zones. Using network, or subnet (in the form of network/subnet uuid), on the other hand, is more general and can still be mapped to any interface that has a port in those networks/subnets.
> 
> Also, which "ports" are we talking about here? Router's port (but a Firewall doesn't necessarily associate with a router in the current model)? Firewall's ports (does Firewall even have ports now? In addition, this means we're not able to create a rule with zones before a Firewall is created)? Definitely not VM's port....
> 
> Thanks,
> 
> -Kaiwei
> 
> 
> 
> From: "Rajesh Mohan" <rajesh.mlists at gmail.com>
> To: "OpenStack Development Mailing List" <openstack-dev at lists.openstack.org>
> Sent: Thursday, October 24, 2013 2:48:39 PM
> Subject: Re: [openstack-dev] [Neutron] FWaaS IceHouse summit prep and IRC meeting
> 
> This is good discussion.
> 
> +1 for using Neutron ports for defining zones. I see Kaiwei's point but for DELL, neutron ports make more sense.
> 
> I am not sure if I completely understood the bump-in-the-wire/zone discussion. The DELL security appliance allows using different zones with bump-in-the-wire. If the firewall is inserted in bump-in-the-wire mode between router and LAN hosts, then it does make sense to apply different zones on ports connected to LAN and Router. There are cases where the end-users apply the same zones on both sides but this is a decision we should leave to end customers. We should allow configuring zones in bump-in-the-wire mode as well.
> 
> 
> 
> 
> 
> On Wed, Oct 23, 2013 at 12:08 PM, Sumit Naiksatam <sumitnaiksatam at gmail.com> wrote:
> Log from today's meeting:
> http://eavesdrop.openstack.org/meetings/networking_fwaas/2013/networking_fwaas.2013-10-23-18.02.log.html
> 
> 
> Action items for some of the folks included.
> 
> Please join us for the meeting next week.
> 
> Thanks,
> ~Sumit.
> 
> On Tue, Oct 22, 2013 at 2:00 PM, Sumit Naiksatam <sumitnaiksatam at gmail.com> wrote:
> Reminder - we will have the Neutron FWaaS IRC meeting tomorrow Wednesday 18:00 UTC (11 AM PDT).
> 
> Agenda:
> * Tempest tests
> * Definition and use of zones
> * Address Objects
> * Counts API
> * Service Objects
> * Integration with service type framework
> * Open discussion - any other topics you would like to bring up for discussion during the summit.
> 
> https://wiki.openstack.org/wiki/Meetings/FWaaS
> 
> Thanks,
> ~Sumit.
> 
> 
> On Sun, Oct 13, 2013 at 1:56 PM, Sumit Naiksatam <sumitnaiksatam at gmail.com> wrote:
> Hi All,
> 
> For the next phase of FWaaS development we will be considering a number of features. I am proposing an IRC meeting on Oct 16th Wednesday 18:00 UTC (11 AM PDT) to discuss this.
> 
> The etherpad for the summit session proposal is here:
> https://etherpad.openstack.org/p/icehouse-neutron-fwaas
> 
> and has a high level list of features under consideration.
> 
> Thanks,
> ~Sumit.
> 
>  
> 
> 
> 
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
