[openstack-dev] [Neutron][FWaaS]Firewall Web Services Research Thesis Applicability to the OpenStack Project
Mike Grima
mike.r.grima at gmail.com
Sat May 24 18:20:26 UTC 2014
Mohammad,
My responses are inline:
>Let's start from the question about Deny. There are no Deny actions. By
>default there is no connectivity. If you want to establish that you do it
>with Allow or other actions; otherwise no connectivity. Hence no need to
>have Deny.
This makes sense.
>The policies generally apply to the whole group. The idea is to simplify
>the use of contract and policy rules by applying them to a group of like
>like-minded :) endpoints.
>So you may reconsider how you group your endpoints into groups so you can
>apply policies to groups of endpoints with similar characteristics/roles.
This makes sense. Group-level policies should be applied to the entire
group. So, am I correct in saying that policies can _only_ be applied to
entire groups, and not individual VMs within a group? This makes the
assumption that each VM _does not_ have a unique group akin to
users on most Linux systems. For example, you have a VM named
VM1. VM1 is a member of one group, web servers. There is no unique
group named: VM1.
The last post seemed to indicate that you can apply policies to specific
VMs within a group.
Lastly, what is the relationship between group policies and FWaaS?
Thank You,
Mike Grima, RHCE