<div dir="ltr">Hi Israel,<div><br></div><div>please find my answers inline.</div><div>I'm not really an expert in this area, but I hope these answers are helpful, and, hopefully, correct!</div><div><br></div><div>Salvatore<br>
<div class="gmail_extra"><br><br><div class="gmail_quote">On 15 June 2014 14:55, Israel Ziv <span dir="ltr"><<a href="mailto:israel.ziv@huawei.com" target="_blank">israel.ziv@huawei.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div lang="EN-US" link="blue" vlink="purple">
<div>
<p class="MsoNormal">Hi!<u></u><u></u></p>
<p class="MsoNormal">Please let me know if I’ve reached the proper group. <u></u><u></u></p>
<p class="MsoNormal">I am going through neutron’s code and have a few questions.<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p><u></u><span>1.<span style="font:7.0pt "Times New Roman"">
</span></span><u></u><span dir="LTR"></span>I understood that<u></u><u></u></p>
<p style="margin-left:1.0in">
<u></u><span>a.<span style="font:7.0pt "Times New Roman"">
</span></span><u></u><span dir="LTR"></span>‘securitygroups’ enables intra-subnet “firewall” and is aimed to allow/deny traffic between tenants.</p></div></div></blockquote><div>This is kind of correct. However, rather than "intra-subnet" I would say that the firewall rules are enforced at the port level - and they're obviously not just for allowing or deny traffic among tenants, as they allow to express a wide variety of rules.</div>
<div>Another thing to note is that security group rules' action always is ALLOW - and they're enforced on a baseline default DENY ALL policy</div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div lang="EN-US" link="blue" vlink="purple"><div><p style="margin-left:1.0in"><u></u><u></u></p>
<p style="margin-left:1.0in">
<u></u><span>b.<span style="font:7.0pt "Times New Roman"">
</span></span><u></u><span dir="LTR"></span>‘FWaaS’ enables inter-subnet “firewall” and is aimed to allow/deny traffic within tenant.</p></div></div></blockquote><div>This is correct too, but as before I would point out that the real difference is that these rules are enforced at the router level. Also the nature of the rule is different as the associated actions can be either ALLOW or DENY.</div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div lang="EN-US" link="blue" vlink="purple"><div><p style="margin-left:1.0in"><u></u><u></u></p>
<p style="margin-left:1.0in">
<u></u><span>c.<span style="font:7.0pt "Times New Roman"">
</span></span><u></u><span dir="LTR"></span>Did I understand correctly? <u></u><u></u></p>
<p><u></u><span>2.<span style="font:7.0pt "Times New Roman"">
</span></span><u></u><span dir="LTR"></span>Does a securitygroup rule generation have effect on the perimeter firewall of the cloud?<u></u><u></u></p>
<p class="MsoNormal"><u></u></p></div></div></blockquote><div>If by perimeter you mean the 'edge' of cloud, ie: where your router's gateway ports are plugged, then I would say no. However, I don't remember whether security group rules are enforced on external networks as well; and also I'm not sure security groups are the right abstraction in that case.</div>
<div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div lang="EN-US" link="blue" vlink="purple"><div><p class="MsoNormal"> <u></u></p>
<p class="MsoNormal">Regards<span class="HOEnZb"><font color="#888888"><u></u><u></u></font></span></p><span class="HOEnZb"><font color="#888888">
<p class="MsoNormal">Israel Ziv<u></u><u></u></p>
</font></span></div>
</div>
<br>_______________________________________________<br>
OpenStack-dev mailing list<br>
<a href="mailto:OpenStack-dev@lists.openstack.org">OpenStack-dev@lists.openstack.org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
<br></blockquote></div><br></div></div></div>