[openstack-dev] [nova][neutron] default allow security group

Brian Haley brian.haley at hp.com
Mon Sep 8 14:53:44 UTC 2014


On 09/05/2014 11:27 AM, Monty Taylor wrote:
> Hi!
> 
> I've decided that as I have problems with OpenStack while using it in the
> service of Infra, I'm going to just start spamming the list.
> 
> Please make something like this:
> 
> neutron security-group-create default --allow-every-damn-thing

Does this work?  Sure, it's a rule in the default group and not a group itself,
but it's a one-liner:

$ neutron security-group-rule-create --direction ingress --remote-ip-prefix 0.0.0.0/0 default

> Right now, to make security groups get the hell out of our way because they do
> not provide us any value because we manage our own iptables, it takes adding
> something like 20 rules.
> 
> 15:24:05          clarkb | one each for ingress and egress udp tcp over ipv4
> then ipv6 and finally icmp

I guess you mean 20 rules because there are services using ~20 different ports,
which sounds about right.  If you really didn't care you could have just opened
all of ICMP, TCP and UDP with three rules.

And isn't egress typically wide-open by default?  You shouldn't need any rules
there.

And I do fall in the "more security" camp - giving someone a publicly-routable
IP address with all ports open is not typically a good idea, I wouldn't want to
hear the complaints from customers on that one...

-Brian
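An added check, not part of the thread: given a list of Neutron security-group rules (field names as in the Neutron security-group-rule API; the sample rules are constructed), it reports which ingress rules accept traffic from any source, which is what the one-liner above produces and what the last paragraph warns about.

```python
# Added example (not from the thread): audit Neutron security-group rules for
# ingress rules that accept traffic from any source. Field names follow the
# Neutron security-group-rule API; SAMPLE_RULES is a constructed sample.
ANY_PREFIX = {"IPv4": "0.0.0.0/0", "IPv6": "::/0"}

# Constructed sample: the "default" group after the thread's one-liner (r1),
# Neutron's usual allow-all egress rules (r2, r3), a scoped SSH rule (r4), and an
# IPv6 rule with no remote prefix at all, which also matches any source (r5).
SAMPLE_RULES = [
    {"id": "r1", "security_group_id": "default", "direction": "ingress", "ethertype": "IPv4",
     "protocol": None, "port_range_min": None, "port_range_max": None,
     "remote_ip_prefix": "0.0.0.0/0", "remote_group_id": None},
    {"id": "r2", "security_group_id": "default", "direction": "egress", "ethertype": "IPv4",
     "protocol": None, "port_range_min": None, "port_range_max": None,
     "remote_ip_prefix": None, "remote_group_id": None},
    {"id": "r3", "security_group_id": "default", "direction": "egress", "ethertype": "IPv6",
     "protocol": None, "port_range_min": None, "port_range_max": None,
     "remote_ip_prefix": None, "remote_group_id": None},
    {"id": "r4", "security_group_id": "web", "direction": "ingress", "ethertype": "IPv4",
     "protocol": "tcp", "port_range_min": 22, "port_range_max": 22,
     "remote_ip_prefix": "10.0.0.0/8", "remote_group_id": None},
    {"id": "r5", "security_group_id": "web", "direction": "ingress", "ethertype": "IPv6",
     "protocol": "tcp", "port_range_min": None, "port_range_max": None,
     "remote_ip_prefix": None, "remote_group_id": None},
]

def is_world_open(rule):
    """True for an ingress rule whose source is unrestricted: no remote group,
    and either no remote_ip_prefix (matches anything) or the any-prefix."""
    if rule["direction"] != "ingress" or rule.get("remote_group_id"):
        return False  # egress is open by default; remote groups are scoped
    prefix = rule.get("remote_ip_prefix")
    return prefix in (None, ANY_PREFIX[rule["ethertype"]])

def describe(rule):
    proto = rule.get("protocol") or "any protocol"
    lo, hi = rule.get("port_range_min"), rule.get("port_range_max")
    ports = "all ports" if lo is None else (str(lo) if lo == hi else f"{lo}-{hi}")
    return f"{rule['security_group_id']}: {rule['ethertype']} {proto}, {ports}, from anywhere"

def world_open_ingress(rules):
    """Return [(rule_id, description)] for rules open to any source; rules with
    no protocol restriction come first since they expose every port."""
    hits = sorted((r for r in rules if is_world_open(r)),
                  key=lambda r: (r.get("protocol") is not None, r["id"]))
    return [(r["id"], describe(r)) for r in hits]

if __name__ == "__main__":
    for rid, text in world_open_ingress(SAMPLE_RULES):
        print(rid, text)
```

On a live deployment the same function can be fed the `security_group_rules` list returned by the Neutron API instead of the constructed sample.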
