[openstack-dev] [Neutron] [FWaaS] [securitygroup] [Development]

Sumit Naiksatam sumitnaiksatam at gmail.com
Mon Jun 16 20:36:37 UTC 2014


Inline...

~Sumit.

On Sun, Jun 15, 2014 at 9:25 AM, Salvatore Orlando <sorlando at nicira.com> wrote:
> Hi Israel,
>
> please find my answers inline.
> I'm not really an expert in this area, but I hope these answers are helpful,
> and, hopefully, correct!
>
> Salvatore
>
>
> On 15 June 2014 14:55, Israel Ziv <israel.ziv at huawei.com> wrote:
>>
>> Hi!
>>
>> Please let me know if I’ve reached the proper group.
>>
>> I am going through neutron’s code and have a few questions.
>>
>>
>>
>> 1. I understood that
>>
>> a. ‘securitygroups’ enables intra-subnet “firewall” and is aimed to
>> allow/deny traffic between tenants.
>
> This is kind of correct. However, rather than "intra-subnet" I would say
> that the firewall rules are enforced at the port level - and they're
> obviously not just for allowing or denying traffic among tenants, as they
> allow a wide variety of rules to be expressed.
> Another thing to note is that a security group rule's action is always ALLOW -
> and the rules are enforced on top of a baseline default DENY ALL policy.
>>
>> b. ‘FWaaS’ enables inter-subnet “firewall” and is aimed to allow/deny
>> traffic within a tenant.
>
> This is correct too, but as before I would point out that the real
> difference is that these rules are enforced at the router level. Also the
> nature of the rule is different as the associated actions can be either
> ALLOW or DENY.
>>

Also, the fact that the FWaaS rules are applied on the Neutron router is an
artifact of the reference implementation. The FWaaS model itself is
independent of where/how the firewall/rules are realized.

>> c. Did I understand correctly?
>>
>> 2. Does generating a securitygroup rule have an effect on the perimeter
>> firewall of the cloud?
>
> If by perimeter you mean the 'edge' of the cloud, i.e. where your router's
> gateway ports are plugged, then I would say no. However, I don't remember
> whether security group rules are enforced on external networks as well; and
> also I'm not sure security groups are the right abstraction in that case.
>
>>
>>
>>
>> Regards
>>
>> Israel Ziv
>>
>>
>> _______________________________________________
>> OpenStack-dev mailing list
>> OpenStack-dev at lists.openstack.org
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
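The two enforcement points discussed above (port-level security groups with ALLOW-only rules on a default DENY baseline, and router-level FWaaS rules with explicit ALLOW/DENY actions), as an added toy model that is not Neutron code and not from any poster in this thread. Port ids, rule sets and the default-deny fallback for an FWaaS policy with no matching rule are constructed assumptions for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Flow:
    src_port: str          # Neutron port id of the sender (constructed id)
    dst_port: str          # Neutron port id of the receiver (constructed id)
    proto: str
    dport: int
    crosses_router: bool   # True when src and dst sit on different subnets


@dataclass(frozen=True)
class SGRule:
    """Security group rule: direction + match only, the action is always ALLOW."""
    direction: str         # "ingress" or "egress"
    proto: str
    port_min: int
    port_max: int


@dataclass(frozen=True)
class FWRule:
    """FWaaS rule: ordered, with an explicit allow/deny action."""
    action: str            # "allow" or "deny"
    proto: str
    dport: Optional[int]   # None matches any destination port


def sg_permits(rules: List[SGRule], direction: str, flow: Flow) -> bool:
    """Port-level check: baseline DENY ALL, any matching rule ALLOWs."""
    return any(r.direction == direction and r.proto == flow.proto
               and r.port_min <= flow.dport <= r.port_max for r in rules)


def fw_permits(policy: List[FWRule], flow: Flow) -> bool:
    """Router-level check: first matching rule decides; no match -> deny (assumed)."""
    for r in policy:
        if r.proto == flow.proto and (r.dport is None or r.dport == flow.dport):
            return r.action == "allow"
    return False


def flow_permitted(port_sgs: Dict[str, List[SGRule]], fw_policy: List[FWRule],
                   flow: Flow) -> bool:
    """Egress SG on the source port, router firewall only when routed,
    then ingress SG on the destination port; any stage can drop the flow."""
    if not sg_permits(port_sgs[flow.src_port], "egress", flow):
        return False
    if flow.crosses_router and not fw_permits(fw_policy, flow):
        return False
    return sg_permits(port_sgs[flow.dst_port], "ingress", flow)
```

With a constructed policy such as `[FWRule("deny", "tcp", 3306), FWRule("allow", "tcp", None)]`, a MySQL flow between two ports on the same subnet passes on the security groups alone, while the same flow routed across subnets is dropped by the router firewall.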